Executive Summary

Cybersecurity researchers at ThreatFabric have discovered a new Android banking trojan named Herodotus. Distributed under a Malware-as-a-Service (MaaS) model, this device-takeover malware introduces a novel evasion technique designed to bypass modern fraud detection systems. Herodotus simulates human-like typing by adding randomized delays to its inputs during remote sessions, allowing it to defeat behavioral biometric security controls. The malware, spread via SMS phishing (SMiShing), grants attackers full remote control to steal credentials, intercept one-time passcodes (OTPs), and execute fraudulent transactions from banking and cryptocurrency apps. Active campaigns are currently targeting users in Italy and Brazil.

Threat Overview

Herodotus is the latest entry in the growing market of sophisticated Android banking malware. It is sold by a threat actor named 'K1R0' and is designed for full device takeover.

Infection Chain:

1. Distribution: The malware is primarily spread through SMiShing campaigns. Victims receive an SMS message with a link, tricking them into downloading and installing a malicious APK (Android Package) from an untrusted source.
2. Installation & Permissions: The initial dropper application poses as a legitimate security app (e.g., "Banca Sicura" or "Safe Bank"). It then relentlessly prompts the user to enable Android's Accessibility Services. It uses an overlay to hide the permission-granting dialog, tricking the user into granting it extensive control over the device.
3. Device Takeover: Once Accessibility Services are enabled, Herodotus has the power to read the screen, perform clicks and swipes, and type into fields. This allows the remote operator to navigate the device, open apps, steal credentials, and authorize transactions.

Technical Analysis

The most innovative feature of Herodotus is its defense evasion capability against behavioral biometrics.

• Human-like Interaction: When the remote operator needs to input text (e.g., a username, password, or transfer amount), the malware doesn't just paste the string instantly. Instead, it introduces small, randomized delays between each keystroke. This mimics the natural cadence of a human typing on a touchscreen, which is a key metric used by behavioral biometric systems to differentiate between a legitimate user and an automated script or bot.
• Full Remote Control: By abusing Accessibility Services, the malware can:
  • Log keystrokes to capture credentials.
  • Read the screen to steal information displayed by other apps, including OTPs from SMS messages or authenticator apps.
  • Perform any action a user can, including navigating menus, clicking buttons ('Confirm Transfer'), and entering data.

Active campaigns have been observed disguising the malware as a security app for an Italian bank and a security module for a Brazilian payment provider.

Impact Assessment

Herodotus poses a direct financial threat to Android users worldwide. By defeating a key layer of modern anti-fraud defense, it increases the likelihood of successful fraudulent transactions. The MaaS model ensures that even low-skilled criminals can rent the malware and launch their own campaigns, broadening its reach.

• Sectors Targeted: Banking, Financial Services, and Cryptocurrency.
• Affected Geographies: Currently active in Italy and Brazil, but can be easily adapted for other regions.

Detection & Response

• On-Device Monitoring: Mobile Threat Defense (MTD) solutions can detect the malicious behaviors of Herodotus, such as its abuse of Accessibility Services, use of overlays, and attempts to read other apps' data.
• Behavioral Analysis (Server-Side): While Herodotus attempts to mimic human typing, advanced server-side fraud detection engines may still be able to identify other anomalies in the session, such as impossible travel times or unusual device characteristics.
• App Vetting: Google Play Protect and other security measures can block the installation of known malicious APKs.

Mitigation

• Avoid Sideloading (D3-EDL): The most effective mitigation is to never install applications from outside of the official Google Play Store. Users should disable the "Install from unknown sources" option in their Android settings.
• Scrutinize Permissions: Be extremely cautious of any application that requests permission to use Accessibility Services. This is a very powerful permission that is rarely needed by legitimate apps like banking or security tools.
• User Education (D3-UT): Train users to recognize and ignore SMiShing messages that create a false sense of urgency and prompt them to click a link or download an app.
• Use Official Apps: Only download banking and financial apps from the official links provided on the institution's website or from their official page in the Google Play Store.