Trojan Poised for Use in Campaigns Across the Globe
Greg Sirico • October 28, 2025

A new banking Trojan can outsmart basic behavioral detection systems that look for machine behavior by introducing randomized pauses meant to mimic human users, warn mobile security researchers.
Android malware advertised as “Herodotus” by its apparent developer on cybercrime forums injects a randomized pause of up to three seconds whenever a hacker bypasses the keyboard on an infected device to enter account credentials.
Hackers prefer to use Android accessibility services to paste in text rather than engage in remote hands-on keyboard sessions, where bad connections, a misaligned screen image or fat fingers can introduce error. But exploiting accessibility services or using the device clipboard to paste in credentials “can look suspicious and machine-like, raising the question of whether there is a real user interacting with the application and entering the data,” say researchers from fraud-detection firm ThreatFabric.
Herodotus' answer is a built-in randomized delay of between 0.3 and 3 seconds, meant to stop credential insertion from tripping behavioral detection systems that flag machine-like text-input speed.
Newer-generation behavioral biometrics systems that model each individual user's behavior would still likely detect the Trojan, ThreatFabric wrote. But systems that rely on coarse indicators such as input timing may wave the transaction through.
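To make the distinction above concrete, here is an added example (not ThreatFabric's detection logic and not the malware's code) that scores three constructed keystroke-gap sessions with two rules: a fixed "too fast to be human" threshold and a crude per-user baseline. The data is synthetic; the per-character, uniformly distributed 0.3-3 s delay is an assumption, since the report gives only the range.

```python
"""Added example (not ThreatFabric's detector and not the malware's code):
a fixed 'too fast to be human' timing check versus a per-user baseline,
run over constructed keystroke-gap data."""
import random
import statistics
from typing import Dict, List, Sequence

CREDENTIAL_LEN = 16  # constructed: a 16-character credential typed into the app


def human_intervals(n: int, rng: random.Random,
                    mean_ms: float = 180.0, sd_ms: float = 60.0) -> List[float]:
    """Constructed model of one person's gaps between keystrokes (ms).
    Real typing is not Gaussian; what matters here is that a genuine user
    produces a tight, user-specific cluster of gaps."""
    return [max(40.0, rng.gauss(mean_ms, sd_ms)) for _ in range(n - 1)]


def paste_intervals(n: int) -> List[float]:
    """Plain accessibility/clipboard insertion: the string lands in one go,
    so every inter-character gap is effectively zero."""
    return [0.0] * (n - 1)


def randomized_injection_intervals(n: int, rng: random.Random,
                                   lo_ms: float = 300.0,
                                   hi_ms: float = 3000.0) -> List[float]:
    """Gaps drawn uniformly from the 0.3-3 s window the report attributes to
    Herodotus. Assumptions: one delay per character, uniform distribution;
    the report gives only the range."""
    return [rng.uniform(lo_ms, hi_ms) for _ in range(n - 1)]


def naive_speed_check(intervals: Sequence[float], min_gap_ms: float = 50.0) -> bool:
    """Fixed-threshold rule: 'nobody types faster than min_gap_ms per key'.
    True means 'looks automated'."""
    return statistics.median(intervals) < min_gap_ms


def build_baseline(history: Sequence[Sequence[float]]) -> Dict[str, float]:
    """Per-user profile from earlier logins: pooled mean and SD of the gaps."""
    pooled = [g for session in history for g in session]
    return {"mean": statistics.mean(pooled), "sd": statistics.pstdev(pooled)}


def baseline_check(intervals: Sequence[float], baseline: Dict[str, float],
                   z_limit: float = 4.0) -> bool:
    """Per-user rule: compare this session's mean gap with the user's own
    history, in standard errors (a crude z-score on the session mean).
    True means 'out of character for this user'."""
    session_mean = statistics.mean(intervals)
    stderr = baseline["sd"] / (len(intervals) ** 0.5)
    return abs(session_mean - baseline["mean"]) / stderr > z_limit


def run_scenario(seed: int = 7) -> Dict[str, Dict[str, bool]]:
    """Score three constructed sessions with both rules."""
    rng = random.Random(seed)
    # Constructed enrolment history: five earlier logins by the legitimate user.
    history = [human_intervals(CREDENTIAL_LEN, rng) for _ in range(5)]
    baseline = build_baseline(history)
    sessions = {
        "legitimate user": human_intervals(CREDENTIAL_LEN, rng),
        "plain accessibility paste": paste_intervals(CREDENTIAL_LEN),
        "randomized injection": randomized_injection_intervals(CREDENTIAL_LEN, rng),
    }
    return {
        name: {"naive_speed_flag": naive_speed_check(gaps),
               "baseline_flag": baseline_check(gaps, baseline)}
        for name, gaps in sessions.items()
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26s} naive_speed={verdict['naive_speed_flag']!s:5s} "
              f"baseline={verdict['baseline_flag']}")
```

The fixed threshold catches the plain paste (every gap is zero) but passes the randomized injection, whose gaps are slower than any human typist rather than faster. The per-user rule flags both, because a session averaging over a second per character is nowhere near this user's history. Production behavioral biometrics use far richer features (digraph latencies, touch pressure, motion sensors); the point of the example is only that modelling the individual, not a speed floor, is what survives the delay trick.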
In other respects, Herodotus is much like the many other banking Trojans on offer in the cybercriminal underground. Distribution is done by side-loading apps, likely instigated by smishing messages that contain a link to a dropper. The malware takes advantage of the accessibility service in the Android operating system – a long-abused feature designed to make apps usable through screen readers or touch event handlers. Because accessibility services obtain high level permissions, cybercriminals goad victims into approving them for malicious apps.
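A practical triage check that follows from the accessibility-abuse pattern: on a suspect device, list which apps hold an enabled accessibility service and whether those apps were sideloaded. The following is an added example, not from the report, that parses constructed copies of two adb outputs (`settings get secure enabled_accessibility_services` and `pm list packages -3 -i`); the package `com.example.dropper` is invented.

```python
"""Added example (not from the report): triage check for which apps hold an
enabled accessibility service and whether they were sideloaded.
Parses constructed copies of two adb outputs."""
import re
from typing import Dict, List, Set

# Constructed output of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated package/service pairs. com.example.dropper is an invented package name.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/com.example.dropper.AccService"
)

# Constructed output of `adb shell pm list packages -3 -i`
# (third-party packages with the store or app that installed them).
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.bank.app  installer=com.android.vending
"""

TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}  # Play Store; extend per fleet policy


def parse_enabled_services(raw: str) -> List[str]:
    """Package names that currently hold an enabled accessibility service."""
    return [entry.split("/", 1)[0] for entry in raw.strip().split(":") if "/" in entry]


def parse_installers(raw: str) -> Dict[str, str]:
    """Map third-party package -> installer package ('null' when sideloaded)."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def suspicious_accessibility_packages(services_raw: str, pm_raw: str,
                                      trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Third-party packages with an enabled accessibility service that did not
    come from a trusted store. Packages absent from the -3 listing are system
    apps and are left out of this check."""
    installers = parse_installers(pm_raw)
    return [pkg for pkg in parse_enabled_services(services_raw)
            if pkg in installers and installers[pkg] not in trusted]


if __name__ == "__main__":
    for pkg in suspicious_accessibility_packages(ENABLED_SERVICES, PM_LIST):
        print(f"review: {pkg} has an enabled accessibility service and was sideloaded")
```

An installer of `null` on a third-party package is the sideloading signature the distribution method above produces; a legitimate screen reader from the store passes the check. It is a starting point for manual review, not proof of infection.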
The Herodotus app also displays fake banking login overlays to capture credentials and includes an SMS stealer to intercept one-time passcodes.
While reverse-engineering Herodotus, ThreatFabric researchers found overlap with another banking Trojan called Brokewell, discovered by ThreatFabric in April 2024. Herodotus developers invoked a Brokewell module, but in a very limited fashion, suggesting that they had access to an already compiled Brokewell module and not the original code.
The app has been active in Italy and Brazil despite its developer classifying it as still in development on cybercrime forums. Code analysis shows overlay pages for financial organizations in the United States, United Kingdom, Poland and Turkey, as well as for crypto wallets and exchanges. “We can expect Herodotus further evolving and used widely in global campaigns,” ThreatFabric said.