
Herodotus Android Trojan: Delayed Inputs Bypass Detection


What is the Herodotus Android Trojan?

A new Android banking Trojan, circulating in cybercrime forums under the moniker Herodotus, is notable for its attempt to mimic human interaction when a user enters credentials. Researchers from fraud-detection firm ThreatFabric warn that the malware injects randomized pauses of up to three seconds whenever the attacker bypasses the on-screen keyboard to input account details. This deliberate throttling is designed to evade behavioral detection systems that flag machine-like, ultra-fast typing patterns often used by automated tools.

While Herodotus operates like many other banking Trojans—exfiltrating credentials via fake overlay screens and intercepting one-time passwords (OTPs)—its most distinctive feature is the timing camouflage it introduces. By varying input speed, it seeks to blur the line between human and automated activity, potentially allowing fraud to slip past some defenses that rely on rapid, consistent keystrokes.

How it works

Herodotus leverages Android accessibility services, a commonly abused feature intended to aid people with disabilities. Attackers request permissions to these services and then use them to paste text, as opposed to conducting remote, hands-on keyboard sessions that can raise user suspicion through connectivity issues or visual discrepancies on screen. This approach already produces a fairly natural-looking interaction profile; the randomized delay built into credential entry makes it look more human still, while credential theft remains fully automated.

ThreatFabric notes that the Trojan’s delay is intentionally bounded between 0.3 seconds and three seconds. The goal is to avoid triggering behavioral analytics that look for unnaturally fast input or perfectly consistent timing. In practice, newer behavioral biometrics systems may still detect the program’s anomalous behavior, but threat actors hope to exploit gaps where timing-based indicators are less effective.

Deceptive overlays and OTP theft

Beyond timing camouflage, Herodotus displays fake banking login overlays to capture credentials and includes an SMS stealer component to intercept one-time passcodes. This combination ensures a multi-layer approach to credential theft: first, deceive the user with convincing login pages; second, capture the password; third, obtain the OTP to complete a fraudulent transaction.

Distribution mirrors other Android banking Trojans: threat actors typically deliver the payload through side-loading of apps, often after smishing messages containing a link to a dropper. Because the Android accessibility service can grant extensive permissions, users who approve these requests may unwittingly empower the malware to monitor and manipulate their device’s input and content.

Connections to other malware and global reach

During reverse engineering, ThreatFabric researchers observed overlap with a previous banking Trojan named Brokewell, first identified in April 2024. Herodotus’ developers reportedly invoked a Brokewell module in a limited fashion, suggesting access to an existing component rather than a fresh, fully rewritten codebase. The researchers also catalogued overlay pages targeting financial institutions in the United States, United Kingdom, Poland, and Turkey, as well as crypto wallets and exchanges. While the developers describe the project as “still in development” on forums, ThreatFabric warns that Herodotus is likely to evolve and see broader deployment.

What this means for defenders

Herodotus highlights a nuanced threat to security teams relying on behavioral analytics. While some detection systems may flag the covert timing anomalies, others that emphasize user interface interactions and timing alone could be deceived by the Trojan’s randomized delays. Defenders should consider a multi-layer approach:

  • Strengthen machine-learning models beyond simple input timing to incorporate device state signals, process-level behavior, and cross-app activity patterns.
  • Enforce stricter controls around accessibility service requests, including user education to recognize legitimate permission prompts and improved app vetting on distribution channels.
  • Monitor for fake banking overlays and OTP interception tactics, with rapid response playbooks for credential leakage indicators.
  • Promote user awareness campaigns about smishing and the risks of sideloading apps from untrusted sources.
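As an added illustration of the timing signals discussed above (the 0.3 to 3 second bounded delay, and the first recommendation to go beyond simple input timing), the following example is not ThreatFabric's detection logic or any product's code. It scores one credential-entry session from its inter-keystroke intervals: it raises the classic "too fast" and "too regular" automation flags, and a third, assumed heuristic that looks for every gap sitting inside the reported delay window and spread roughly uniformly across it. All thresholds and sample intervals are constructed assumptions.

```python
import statistics

# Thresholds below are illustrative assumptions, not ThreatFabric's detection logic.
FAST_MEAN_MS = 80        # mean interval below this looks like pasted/scripted input
REGULAR_CV = 0.05        # stdev/mean below this means near-identical timing
WINDOW_MS = (300, 3000)  # the bounded delay range reported for Herodotus
UNIFORM_KS_MAX = 0.3     # largest ECDF deviation we still call "uniform-like" (assumed)
MIN_EVENTS = 5           # fewer events than this and we do not judge the session


def ks_distance_to_uniform(values, lo, hi):
    """Largest gap between the sample's empirical CDF and a uniform CDF on [lo, hi]."""
    xs = sorted(values)
    n = len(xs)
    worst = 0.0
    for i, x in enumerate(xs):
        f = (x - lo) / (hi - lo)
        worst = max(worst, abs((i + 1) / n - f), abs(f - i / n))
    return worst


def classify_intervals(intervals_ms):
    """Return the set of timing flags raised for one credential-entry session.

    intervals_ms: milliseconds between consecutive key events in one input field.
    """
    flags = set()
    if len(intervals_ms) < MIN_EVENTS:
        return flags                      # not enough events to judge
    mean = statistics.mean(intervals_ms)
    stdev = statistics.pstdev(intervals_ms)
    if mean < FAST_MEAN_MS:
        flags.add("too_fast")             # classic automation: near-instant entry
    if stdev < REGULAR_CV * mean:
        flags.add("too_regular")          # classic automation: identical gaps
    lo, hi = WINDOW_MS
    in_window = all(lo <= x <= hi for x in intervals_ms)
    # Assumed heuristic for bounded-random camouflage: every gap lies inside the
    # window (a real typist usually produces some sub-300 ms bursts on adjacent
    # keys) and the gaps are spread roughly uniformly across it rather than
    # clustering around a personal typing rhythm.
    if in_window and ks_distance_to_uniform(intervals_ms, lo, hi) < UNIFORM_KS_MAX:
        flags.add("bounded_random_delay")
    return flags


# Constructed sample: ten gaps drawn to look like a bounded 0.3-3 s random delay.
SUSPECT_SESSION = [420, 2870, 1310, 980, 2250, 610, 1740, 2590, 1120, 1960]
```

A raised flag is one signal to combine with the device-state and cross-app signals recommended above, not a verdict on its own, since a slow hunt-and-peck typist can also land every gap inside the window.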

As ThreatFabric notes, Herodotus will likely continue to evolve as its operators refine evasion techniques. The global campaigns observed—spanning Italy, Brazil, the United States, the United Kingdom, Poland, and Turkey—underscore the ongoing need for vigilant detection and user education to curb the impact of this adaptable Android banking Trojan.