New Android Banking Trojan Mimics Human Input to Bypass Detection
A fresh Android banking Trojan known as Herodotus is making the rounds in cybercrime circles, boasting a disturbing capability: it injects randomized pauses to simulate human typing while it automates credential entry on the victim's device. Security researchers warn that this feature is designed to defeat basic behavioral detection systems that look for machine-like input speeds during login attempts.
Threat researchers from fraud-detection firm ThreatFabric describe Herodotus as a modular Android malware family that abuses a compromised accessibility service to automate credential entry. Where a user would normally type in bank details, the Trojan enters them itself, introducing delays of between 0.3 seconds and three seconds. Those pauses are intended to mimic the natural variability of human input, reducing the likelihood that rapid, automated key presses trigger anomaly alerts.
How Herodotus Executes Its Credential-Theft Tactics
Herodotus relies on Android accessibility services, a legitimate framework designed to help users with disabilities. Cybercriminals abuse these services to read screen content, paste text, and simulate touches. In practice, the Trojan pastes credentials into fake login overlays or forms and then intercepts the one-time codes (OTPs) that banks send via SMS. By introducing randomized delays, the malware tries to pass as a human user rather than a scripted bot.
Importantly, the Trojan does not rely solely on traditional phishing or smishing. It is distributed through side-loaded apps and through malicious links in messages that point to a dropper. Once installed, Herodotus activates its overlay pages: fake banking interfaces designed to harvest usernames, passwords, and other sensitive data. ThreatFabric notes that the Trojan also incorporates an SMS stealer to capture OTPs, a critical step in bypassing two-factor protections that rely on SMS-based codes.
Relation to Other Threats and Global Reach
During reverse engineering, researchers observed overlaps with the Brokewell banking Trojan, a malware family ThreatFabric identified earlier in 2024. Herodotus’ developers reportedly reused or integrated a Brokewell module, suggesting access to existing code rather than original design. Code analysis also reveals overlays for financial institutions across several countries, including the United States, United Kingdom, Poland, Turkey, Italy, and Brazil, as well as for crypto wallets and exchanges. This signals a growing ambition to drive global campaigns with a single evolving loader.
Why Behavioral Detection May Still Miss Herodotus
Modern fraud systems increasingly model user behavior through biometrics and advanced analytics. Some systems track input timing patterns, touch dynamics, and overall interaction flows. Herodotus’ randomized delays target the edge cases where behavioral models would otherwise flag quick, automated input as suspicious. While newer behavioral biometrics could still detect such activity, some classifiers may be fooled if the delays resemble genuine human variability closely enough.
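To make the detection gap described in the preceding two sections concrete, here is a small Python model added as an illustration; it is not code from ThreatFabric or from the article. It contrasts a speed-only check, which pauses of 0.3 to 3 seconds defeat, with a layered check that also looks at how text reaches a credential field (the accessibility-driven bulk paste described earlier) and at whether an entry is uniformly slow. The event streams, field names and every threshold are constructed assumptions and would need tuning against real traffic.

```python
"""Toy comparison of a speed-only input check with a multi-signal check.

Constructed illustration for the Herodotus write-up; not ThreatFabric's code.
All event streams and thresholds below are invented for the example.
"""
from statistics import median

# One login attempt is a list of (timestamp_seconds, kind, field) tuples.
# kind is "key" for a single typed character, or "set_text" for a whole
# string written into a field in one go, as an accessibility service can do.

# Assumed thresholds (not from the article).
MIN_HUMAN_GAP_S = 0.05         # gaps under 50 ms look machine-driven
SLOW_GAP_S = 0.3               # the report's lower bound for the Trojan's pauses
TYPICAL_HUMAN_MEDIAN_S = 0.5   # an entry whose typical gap exceeds this is unusual
CREDENTIAL_FIELDS = {"username", "password", "otp"}


def key_gaps(events):
    """Seconds between consecutive 'key' events in one attempt."""
    times = [t for t, kind, _ in events if kind == "key"]
    return [later - earlier for earlier, later in zip(times, times[1:])]


def speed_only_verdict(events):
    """Naive check: flag only machine-fast typing."""
    gaps = key_gaps(events)
    if gaps and median(gaps) < MIN_HUMAN_GAP_S:
        return "bot"
    return "human"


def layered_verdict(events):
    """Combine keystroke timing with how the text arrived in the field."""
    reasons = []
    # Signal 1: typing produces key events; a bulk write into a credential
    # field does not, so its presence is suspicious on its own.
    if any(kind == "set_text" and field in CREDENTIAL_FIELDS
           for _, kind, field in events):
        reasons.append("bulk text written into credential field")
    gaps = key_gaps(events)
    if gaps:
        # Signal 2: machine-fast typing (the only thing speed_only_verdict sees).
        if median(gaps) < MIN_HUMAN_GAP_S:
            reasons.append("keystroke gaps below human floor")
        # Signal 3: every gap slow and none short. Pauses drawn from 0.3-3 s
        # never produce the quick successive keystrokes people do (assumption).
        if min(gaps) >= SLOW_GAP_S and median(gaps) > TYPICAL_HUMAN_MEDIAN_S:
            reasons.append("every keystroke gap slow, none below 0.3 s")
    return ("bot", reasons) if reasons else ("human", reasons)


def _typed(start, gaps, field):
    """Build key events for one field from a start time and a list of gaps."""
    events, t = [(start, "key", field)], start
    for gap in gaps:
        t += gap
        events.append((t, "key", field))
    return events


# Constructed: a person typing an 8-character username with small, varied gaps.
HUMAN_LOGIN = _typed(0.0, [0.18, 0.22, 0.09, 0.31, 0.15, 0.27, 0.12], "username")
# Constructed: a plain scripted bot, every gap 10 ms.
FAST_BOT_LOGIN = _typed(0.0, [0.01] * 7, "username")
# Constructed: Herodotus-style pacing, gaps hand-picked from the 0.3-3 s range.
PACED_BOT_LOGIN = _typed(0.0, [0.42, 2.71, 1.13, 0.35, 1.94, 0.88, 2.20], "username")
# Constructed: both credentials written with one set_text call each, then a
# human-looking pause before the submit button is tapped.
PASTE_LOGIN = [(0.0, "set_text", "username"),
               (1.7, "set_text", "password"),
               (3.1, "key", "submit")]

if __name__ == "__main__":
    samples = [("human", HUMAN_LOGIN), ("fast bot", FAST_BOT_LOGIN),
               ("paced bot", PACED_BOT_LOGIN), ("paste", PASTE_LOGIN)]
    for name, login in samples:
        print(f"{name:10s} speed-only={speed_only_verdict(login):6s} "
              f"layered={layered_verdict(login)}")
```

Run as a script, the output shows the point of the section: the speed-only check catches the plain bot but calls the paced bot and the bulk-paste attempt human, while the layered check flags both because it draws on signals the randomized pauses do not touch.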
What Organizations Can Do Now
Defensive measures focus on tightening access controls and monitoring for signs that accessibility services are being abused. Security teams should limit the permissions granted to apps, require explicit user consent for high-risk capabilities, and implement multi-channel verification that does not rely solely on SMS codes. Endpoint protection, app vetting, and user education about smishing remain essential layers. As ThreatFabric cautions, Herodotus is still evolving, and its payloads may expand beyond the banking brands it currently imitates to cover more financial platforms and crypto services.
Conclusion: A Trojan That Sweetens the Deal with Realistic Delays
Herodotus represents a calculated evolution in Android banking malware, one that acknowledges how detection technologies rely on speed and human-likeness cues. By weaving in randomized pauses, the Trojan challenges defenders to reassess assumptions about what constitutes “normal” user interaction. The global spread already observed, including Europe and the Americas, underscores the need for ongoing vigilance, rapid threat intelligence sharing, and robust defense-in-depth strategies to curb the next wave of automated credential theft.
