
Herodotus Android Trojan Slows Humans to Bypass Banking Safeguards

New Android Banking Trojan Introduces Human-Like Delays

A recent Android banking trojan dubbed Herodotus is making waves in cybercrime forums due to its ability to imitate human input timing. By injecting randomized pauses of 0.3 to 3 seconds while it enters credentials, the malware aims to fool behavioral detection systems that flag machine-like, automated activity.

Security researchers from ThreatFabric warn that this tactic could undermine basic defenses that look for rapid, script-like entry of data. In practice, attackers leverage Android accessibility services to paste credentials or control input without a live, manual keystroke, and the near-instant event bursts this produces are exactly what timing-based monitoring tends to flag. The added delays help Herodotus blend in with a real user, reducing the chance that suspicious timing patterns are detected.

How Herodotus Evades Detection

Herodotus relies on a built-in randomized delay mechanism to break up the rapid-fire input typically associated with credential stuffing or automated entry. The goal is to prevent behavioral biometrics from flagging the operation as non-human. While newer biometric systems that model individual user patterns may still recognize the trojan’s anomalous behavior, older or simplified timing-based detectors could give the attackers a pass.

In addition to timing delays, Herodotus uses familiar methods seen in banking trojans: it exploits Android accessibility services to read the screen and input data, as well as overlays that mimic legitimate banking sites to capture usernames and passwords. Distribution through a dropper is common, often delivered via smishing messages that guide victims to install the malicious app by side-loading it onto the device.

Overlap with Other Banking Trojans and Global Reach

ThreatFabric notes overlap with another Android banking trojan, Brokewell, first identified in 2024. Herodotus appears to re-use a Brokewell module rather than being built from original code, and the two share architectural features and operational goals. During reverse engineering, researchers observed overlay pages targeting financial institutions across the United States, United Kingdom, Poland, and Turkey, as well as crypto wallets and exchanges. This broad targeting hints at a strategy to monetize by capturing credentials and one-time codes on multiple fronts.

Why the Timing Tactic Matters

The core risk with Herodotus is not just credential theft but the potential erosion of trust in automated security signals that rely on rapid input patterns. If attackers can throttle speed convincingly, automated fraud detection may miss malicious activity, letting fraudulent transactions slip through while the user remains largely unaware.

What Defenders Should Do

Defenders should bolster multi-layer defenses that do not rely solely on input timing. Recommended steps include:

  • Enhance behavioral biometrics with context-aware analytics that consider device state, network indicators, and user session history in addition to input speed.
  • Monitor for unusual app permissions usage, especially around accessibility services, and implement stricter approval workflows.
  • Implement robust anti-tampering on overlays and enforce app integrity checks to detect rogue overlays before user interaction.
  • Educate users about smishing and the risks of side-loading apps; promote official store installation and device security hygiene.
  • Deploy phishing-resistant MFA and ensure one-time codes are not delivered through easily intercepted channels.
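The following is an added example, not code from the article or from ThreatFabric, that illustrates both the evasion described under "How Herodotus Evades Detection" and the first recommendation above. It scores three constructed credential-entry sessions (a human typist, a raw accessibility-driven paste, and a paste padded into the 0.3 to 3 second range the article describes) with a timing-only check and then with a context-aware score that also considers whether input events came from an accessibility service and whether the device is known. All interval values, field names (`accessibility_input`, `known_device`) and weights are assumptions chosen for illustration.

```python
"""Timing-only vs. context-aware scoring of credential-entry sessions.

Added example (not from the article or ThreatFabric). The three sessions below
are constructed, not measured data; thresholds and weights are illustrative.
"""
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass
class Session:
    name: str
    intervals: list             # seconds between successive input events
    accessibility_input: bool   # events synthesized by an accessibility service (assumed signal)
    known_device: bool          # device previously seen for this account (assumed signal)


# Constructed sessions. A human typing a familiar credential produces many
# sub-300 ms intervals with natural jitter.
HUMAN = Session("human",
                [0.12, 0.18, 0.09, 0.25, 0.14, 0.31, 0.11, 0.20, 0.16, 0.22],
                accessibility_input=False, known_device=True)

# Raw accessibility-driven paste: near-instant bursts, the pattern legacy
# timing checks were built to catch.
RAW_AUTOMATION = Session("raw-automation",
                         [0.004, 0.003, 0.005, 0.004, 0.003,
                          0.004, 0.005, 0.003, 0.004, 0.004],
                         accessibility_input=True, known_device=False)

# Padded paste: every interval stretched into the 0.3-3 s range described in
# the article, so the typical interval no longer looks machine-fast.
PADDED_AUTOMATION = Session("padded-automation",
                            [1.7, 0.4, 2.8, 0.9, 2.1, 1.3, 0.35, 2.6, 1.1, 1.9],
                            accessibility_input=True, known_device=False)


def timing_only_flag(s, fast_threshold=0.05):
    """Legacy detector: flag only when the typical interval is machine-fast."""
    return median(s.intervals) < fast_threshold


def timing_features(intervals):
    """Mean interval, coefficient of variation, and share of sub-300 ms intervals."""
    m = mean(intervals)
    cv = pstdev(intervals) / m if m else 0.0
    fast_share = sum(1 for i in intervals if i < 0.3) / len(intervals)
    return m, cv, fast_share


def risk_score(s):
    """Context-aware score in [0, 1]; input speed is one signal among several."""
    score = 0.0
    m, _cv, fast_share = timing_features(s.intervals)
    if median(s.intervals) < 0.05:
        score += 0.5    # machine-fast entry
    # Uniformly slow entry with no fast intervals at all is anomalous in the
    # opposite direction from raw automation: a human rarely types every
    # character of a known password at 300 ms or slower.
    if fast_share == 0.0 and m > 0.5:
        score += 0.3
    if s.accessibility_input:
        score += 0.4    # credentials injected through an accessibility service
    if not s.known_device:
        score += 0.2    # first sighting of this device for the account
    return min(score, 1.0)


def classify(s, threshold=0.5):
    """Route a session to manual review when the combined score crosses the threshold."""
    return "review" if risk_score(s) >= threshold else "allow"


if __name__ == "__main__":
    for sess in (HUMAN, RAW_AUTOMATION, PADDED_AUTOMATION):
        print(f"{sess.name:18} timing-only={timing_only_flag(sess)!s:5} "
              f"score={risk_score(sess):.2f} -> {classify(sess)}")
```

The timing-only check catches the raw paste but passes the padded one, which is the gap the article describes. The combined score still routes the padded session to review because the accessibility-service origin and the unfamiliar device carry weight independent of speed, and because an entry with no fast intervals at all is itself unusual for a memorized credential.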

Threat intelligence groups will likely see Herodotus evolve, potentially adding more evasion tricks or expanding its geographic footprint. Keeping pace with such threats requires ongoing collaboration between financial institutions, security researchers, and platform providers to close gaps in both detection and user education.