A new Android banking Trojan called Herodotus is taking mobile fraud to the next level by mimicking human behavior to dodge the emulators and automated systems designed to detect malfeasance. The malware, discovered by researchers at ThreatFabric, can take over a device and simulate human actions in real time, such as entering banking details or sending a trading confirmation, which makes the fraud harder for banks' automated detection and anti-abuse systems to spot.
What Makes Herodotus Different in Evading Detection
Most mobile Trojans give themselves away by going too fast or looking too mechanical. Herodotus slows down on purpose. According to ThreatFabric, it adds uneven pauses between keystrokes (from around 0.3 to 3 seconds), throws in lifelike swipes and taps, and avoids the telltale rhythm of a script. The resulting cadence is meant to look like a distracted human user, not a headless bot.
That directly takes aim at a rising genre of defenses known as behavioral biometrics, which scrutinizes patterns such as typing cadence, swipe height, and touch pressure. When malware reproduces these human patterns, tools that rely on input timing are more likely to misclassify fraud as normal activity.
How the takeover works to compromise Android devices
Herodotus follows the typical banking-Trojan playbook and then adds a human touch. It is initially delivered via sideloaded droppers or smishing links. Once it lands on a device, the malware promptly asks for Accessibility Services, a legitimate Android feature that, if misused by attackers, lets it read the full screen, inject taps automatically, and enter text.
From there, it layers on overlay attacks that place realistic-looking phony login screens over the real ones in banking and wallet apps to capture credentials. It can intercept SMS messages to grab one-time codes, and it sends a list of installed apps back to its command server. When a target opens a financial application, the operators can fire the matching overlay or start a remote-control session that feels natural rather than mechanical.
Earlier Android Trojans frequently pasted text instantly or rapidly clicked through flows on machine time, which made them easier to flag. Herodotus sidesteps that trap by introducing randomness, in an attempt to outflank simple bot-detection heuristics.
Where it is spreading and early campaigns observed
ThreatFabric has observed campaigns in Italy and Brazil. In Italy the malware posed as “Banca Sicura,” and in Brazil as “Módulo Segurança Stone.” The operators are already selling the tool as malware-as-a-service, so expect copycat campaigns and rapid feature updates.
Why traditional controls might miss it during attacks
Banks and fintechs increasingly rely on signals such as how fast you type, how quickly you interact with your phone, and the velocity of actions within a session. Herodotus is designed to poison those signals. That gives greater weight to device-environment telemetry: Is an Accessibility Service submitting click events? Is there an overlay on top of a financial app? Do network signals suggest that someone is pulling the strings from afar?

Security teams will also need stronger attestation and runtime checks. For example, Google’s Play Integrity API (the successor to SafetyNet) and Mobile Threat Defense SDKs help verify that an app is running on a genuine, uncompromised device. Beyond device-side restrictions, server-side analysis should combine behavioral data with context (OS flags, permission state, the presence of overlays, and suspicious accessibility activity) to minimize blind spots.
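As an added illustration of that layered approach (my own example, not ThreatFabric's or any bank's detection model), the following Python scores a session on keystroke timing alone and then again with device-environment context, showing why the jitter described earlier defeats a timing-only check but not a combined one. The timing heuristic, field names, weights and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    keystroke_gaps: list                  # seconds between keystrokes, from the app SDK
    accessibility_injecting: bool = False # non-allowlisted Accessibility service is active
    overlay_on_app: bool = False          # touches arrived flagged as obscured by another window
    remote_control_signals: bool = False  # traffic pattern consistent with remote operation
    integrity_verdict_ok: bool = True     # Play Integrity / MTD device check passed

def timing_looks_scripted(gaps):
    """Legacy heuristic: machine input is too fast and too regular.
    The uneven 0.3-3 s jitter Herodotus adds sails through this check."""
    if len(gaps) < 5:
        return False
    return mean(gaps) < 0.1 or pstdev(gaps) < 0.02

def context_score(s):
    """Device-environment signals; the weights are illustrative placeholders."""
    score = 40 if s.accessibility_injecting else 0
    score += 40 if s.overlay_on_app else 0
    score += 30 if s.remote_control_signals else 0
    score += 30 if not s.integrity_verdict_ok else 0
    return score

def assess(s, use_context=True):
    """Return (score, verdict); with use_context=False the decision rests on timing alone."""
    score = 60 if timing_looks_scripted(s.keystroke_gaps) else 0
    if use_context:
        score += context_score(s)
    verdict = "block" if score >= 60 else "step_up" if score >= 30 else "allow"
    return score, verdict

# Constructed sample sessions (not real telemetry)
HUMAN_GAPS = [0.41, 1.28, 2.73, 0.82, 1.94, 0.35, 2.10, 0.66]  # uneven, within 0.3-3 s
BOT_GAPS = [0.05] * 8                                          # old-style scripted input
legit = Session(HUMAN_GAPS)
fast_bot = Session(BOT_GAPS)
herodotus_like = Session(HUMAN_GAPS, accessibility_injecting=True, overlay_on_app=True)

def demo():
    """Verdicts for the three sessions, with and without device context."""
    return {
        "legit": assess(legit)[1],
        "fast_bot": assess(fast_bot)[1],
        "herodotus_timing_only": assess(herodotus_like, use_context=False)[1],
        "herodotus_with_context": assess(herodotus_like)[1],
    }
```

The timing-only verdict for the Herodotus-like session is "allow"; adding the accessibility and overlay signals flips it to "block".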
The larger trend is clear: as automated fraud becomes more sophisticated, the distinction between “bot” and “human-operated malware” gets hazier. Sophisticated Android bankers like Anatsa, Xenomorph, and SharkBot, with their polished overlays and abuse of accessibility, have already shown where this trend is heading; Herodotus now adds a “realism” layer aimed at defeating detection driven by deeper behavioral signals.
What users can do now to reduce their mobile risk
Most victims are tricked into installing a bad app or granting risky permissions. Do some due diligence instead: stick with reputable sources, keep Play Protect switched on (it is enabled by default), and don’t trust messages that tell you to install “security” or “banking” tools from a link. Open Settings and check which apps have Accessibility access, then remove anything you don’t recognize or don’t really need (watch for entries left behind by older software).
If you think your phone is compromised, uninstall any unfamiliar apps, turn off Accessibility for all but the tools you can’t live without, and run a fresh security check. Contact your bank immediately, change financial and email account passwords, and reset the device if suspicious activity persists.
The bottom line on Herodotus and defending against it
By making malware behave more like a person, Herodotus undermines defenses that focus on bot-like speed. That doesn’t make it unstoppable, but it does require layered detection that monitors the device environment, not just the user’s movements. For both consumers and banks, vigilance around accessibility abuse, overlays, and app provenance is now just as important as catching fast-fingered bots.
Learn the risk of sideloading from untrusted websites. While Google claims that less than 1 percent of the apps downloaded onto Android phones from its app store are infected with malware, the risk grows sharply when you sideload apps onto your device, rushing to install a game or utility from some unknown developer without verifying its source. Herodotus exploits exactly that gap, reminding us all that the safest app is one you’ve never installed.