
Beware this humanized password stealer.
SOPA Images/LightRocket via Getty Images
Updated October 29 with a statement from Google concerning the latest threat to Android users and how they are being protected from the Herodotus malware.
Well, it’s been quite the week or so for Google users: the news that Gmail passwords were confirmed as being included in a 183 million-credential infostealer log, two emergency security updates for Chrome, and the announcement that Chrome users will have to wait until October 2026 for HTTPS by default. Now, harking back to credential stealers once more, comes confirmation of a new threat to Android users in the shape of the Herodotus malware, which can evade behavioral biometric detection by mimicking human typing. Here’s what you need to know.
The Android User Threat Posed By Herodotus
Newly published research from mobile threat intelligence specialists ThreatFabric has confirmed that a nasty piece of Android malware called Herodotus can mimic human typing and other behaviors to steal passwords and financial credentials while bypassing biometric detection protections.
“During routine monitoring of malicious distribution channels,” the ThreatFabric report stated, “the Mobile Threat Intelligence service discovered unknown malicious samples.” These turned out to be a new Android banking trojan named Herodotus which, the analysts said, introduces “groundbreaking techniques to evade detection systems” to the mobile threat landscape.
This is no idle threat, nor research confined to security labs: active campaigns have already been identified in Brazil and Italy, and because the malware is being marketed as a malware-as-a-service offering on underground cybercriminal forums, there is no reason to suspect it will not spread further afield.
What flags Herodotus as being different to other banking trojans, the report warned, is the ability to mimic human behaviour during remote control sessions. “The trojan deploys fake credential-harvesting screens over legitimate banking applications,” ThreatFabric said, “capturing login credentials and two-factor authentication codes through SMS interception.” But the text input automation during an attack employs “a novel technique where operator-specified text is split into individual characters, with each character set separately at randomized intervals.”
This human-like typing, with a random delay of between 300 and 3000 milliseconds before each character is entered, is designed to evade behavioral biometric systems that measure typing cadence. “Android malware containing delays in input is not in itself uncommon,” Aditya Sood, vice-president of Security Engineering at Aryaka, told me, “as they’re typically implemented to allow targeted app UIs to respond to inputs.” But Sood warned that the random nature of the delays, in both frequency and duration, is problematic. “This is a novel technique, and while it’s still under development, successful Brazilian and Italian phishing campaigns exemplify its dangerous potential.”
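To make the timing argument concrete, here is an added Python model (not code from ThreatFabric, from the malware, or from any biometrics vendor) of the per-character scheduling the report describes: the operator’s text is split into single characters, each committed after a random 300 to 3000 ms delay. It runs the resulting event stream through a naive “minimum gap” timing check, which the randomized delays never trip, and through an illustrative cadence heuristic. The sample text, the 50 ms human floor, the 800 ms median threshold and the cadence check itself are assumptions for illustration only, not a description of how any real product works.

```python
import random
import statistics
from typing import Callable, List, Tuple

Event = Tuple[int, str]  # (timestamp in milliseconds, character committed)

# Constructed sample input: the operator-specified text the trojan would "type".
SAMPLE_TEXT = "hunter2!"


def split_and_schedule(text: str, delay_ms: Callable[[], int], start_ms: int = 0) -> List[Event]:
    """Model of the input technique in the report: the text is split into single
    characters and each character is committed as its own input event after a delay."""
    events: List[Event] = []
    t = start_ms
    for ch in text:
        t += delay_ms()
        events.append((t, ch))
    return events


def herodotus_delay(rng: random.Random, lo_ms: int = 300, hi_ms: int = 3000) -> Callable[[], int]:
    """Per-character delay drawn uniformly from the 300-3000 ms range the report describes."""
    return lambda: rng.randint(lo_ms, hi_ms)


def simulate_humanized(text: str, seed: int) -> List[Event]:
    """Reproducible run of the humanized input with a fixed PRNG seed."""
    return split_and_schedule(text, herodotus_delay(random.Random(seed)))


def bulk_set_text(text: str, start_ms: int = 0) -> List[Event]:
    """Older automation style: the whole string lands in one action, so every gap is 0 ms."""
    return [(start_ms, ch) for ch in text]


def gaps_ms(events: List[Event]) -> List[int]:
    """Inter-keystroke intervals, the signal a timing-based check looks at."""
    return [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]


def naive_min_gap_check(events: List[Event], floor_ms: int = 50) -> bool:
    """Flag input as automated if any gap is faster than a human could type.
    Catches bulk setText, but a 300 ms minimum delay never trips it (assumed floor)."""
    return any(g < floor_ms for g in gaps_ms(events))


def cadence_check(events: List[Event], max_median_ms: int = 800) -> bool:
    """Illustrative heuristic (assumption, not any vendor's logic): a median gap of
    almost a second per character on a short password is implausibly slow."""
    gaps = gaps_ms(events)
    return len(gaps) > 0 and statistics.median(gaps) > max_median_ms


if __name__ == "__main__":
    humanized = simulate_humanized(SAMPLE_TEXT, seed=7)
    bulk = bulk_set_text(SAMPLE_TEXT)
    for name, evs in (("bulk", bulk), ("humanized", humanized)):
        print(f"{name:10} gaps={gaps_ms(evs)} "
              f"min_gap_flag={naive_min_gap_check(evs)} cadence_flag={cadence_check(evs)}")
```

The point of the two checks is the one Sood makes: a fixed or minimum delay defeats any detector that only asks “was this too fast for a person?”, so a defender has to look at the shape of the cadence rather than a single threshold, and the randomization in both frequency and duration is what makes that harder.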
“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said.