New Android Banking Trojan Herodotus Evades Detection by Mimicking Human Typing
Android Banking Trojan Uses Timed Delays To Mimic Human Typing Behavior During Fraudulent Transactions – Malware Developers Market Android Trojan As Rental Service To Criminal Organizations Targeting Financial Data
TL;DR: A sophisticated new Android banking malware called Herodotus has emerged, using advanced tactics to mimic human typing patterns with random delays between keystrokes. This malware targets businesses and individuals with device takeover attacks, credential theft, and the ability to bypass behavioral security systems while stealing banking information and two-factor authentication codes.
A troubling new threat is targeting Android users worldwide. Herodotus, a banking trojan first advertised on underground forums in September 2025, represents a dangerous evolution in mobile malware sophistication. This malware completely takes over infected devices while mimicking human behavior to avoid detection by advanced security systems, and it’s available as Malware-as-a-Service, meaning cybercriminals with minimal technical expertise can rent access to launch attacks against Houston businesses.
What Herodotus Does
The malware operates as a complete device takeover trojan that exploits Android’s accessibility services to gain control over infected devices while mimicking human behavior to bypass detection systems.
Intercepts two-factor authentication codes sent via SMS messages
Displays fake login screens over legitimate banking applications to capture credentials
Grants itself system permissions automatically without user knowledge
Introduces random delays of 300 to 3,000 milliseconds between keystrokes to mimic natural human typing
Performs swipes, clicks, and text input with human-like timing patterns
What sets Herodotus apart is its human-like typing behavior. Traditional malware pastes text instantly, triggering security alerts. Herodotus deliberately mimics natural typing rhythm, making it harder for behavioral biometric systems to identify automated fraud.
(Source: ThreatFabric)
Who’s Behind This Attack
A threat actor operating under the alias “K1R0” is actively developing and marketing Herodotus through underground cybercriminal forums, making this advanced threat accessible to criminals worldwide.
First advertised on underground forums in September 2025 as a Malware-as-a-Service rental platform
Shares code components with the Brokewell banking trojan, including direct code references
Operates under a rental model making advanced attacks accessible to less skilled cybercriminals
Continues active development with plans to expand targeting to additional countries and institutions
The Malware-as-a-Service model makes Herodotus particularly dangerous for Houston businesses. This rental approach enables multiple criminals to launch coordinated attacks simultaneously, dramatically increasing the threat scope.
Severity and Risk Assessment
Herodotus represents a high-severity threat that specifically targets advanced fraud detection systems, creating multiple risk factors that Houston businesses must address immediately.
Successfully bypasses behavioral biometric systems that analyze user interaction patterns
Works across Android versions 9 through 16, covering the vast majority of active devices
Available as Malware-as-a-Service, ensuring widespread adoption across criminal organizations
Includes specific overlay pages targeting U.S. financial institutions
Financial institutions rely on behavior-based fraud detection that monitors how users interact with mobile banking apps. Herodotus represents a direct attempt to defeat these protections, potentially rendering them ineffective against this generation of malware.
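The typing-delay evasion described above ("What Herodotus Does") and the behavioral fraud detection it targets (this section) can be illustrated from the defender's side with a single timing check. The example below is added here and is not ThreatFabric's, CinchOps' or any vendor's detection logic: given the inter-keystroke intervals observed during a login, it flags sessions whose timing looks like a script sleeping for a uniformly random interval above a hard floor, which is the pattern the post describes, rather than a person typing. The floor, the Kolmogorov-Smirnov threshold, the minimum sample size and all sample intervals are assumptions constructed for the example; real behavioral biometrics combine many more signals (digraph latencies, touch pressure and area, swipe geometry) than this one statistic.

```python
"""
Illustrative keystroke-timing heuristic (added example, not a product's logic).

Idea: a bot that sleeps random(300, 3000) ms between keystrokes produces
intervals that (a) never fall below its floor and (b) fit a uniform
distribution on [floor, ceiling] closely. Human typing routinely includes
fast intervals and is far from uniform. All thresholds are assumptions.
"""
from typing import List

FLOOR_MS = 300.0          # assumed floor of the scripted delay (from the post's 300-3000 ms)
CEILING_MS = 3000.0       # assumed ceiling of the scripted delay
MIN_SAMPLES = 40          # assumed: fewer intervals than this is too little to judge
MAX_KS_FOR_UNIFORM = 0.15 # assumed: KS distance below this counts as "fits uniform"


def ks_statistic_uniform(intervals: List[float], lo: float, hi: float) -> float:
    """Kolmogorov-Smirnov distance between the sample and Uniform(lo, hi)."""
    xs = sorted(intervals)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        cdf = min(max((x - lo) / (hi - lo), 0.0), 1.0)   # uniform CDF, clamped
        # empirical CDF jumps from i/n to (i+1)/n at x; check both sides of the jump
        d = max(d, abs(cdf - i / n), abs(cdf - (i + 1) / n))
    return d


def assess(intervals: List[float]) -> str:
    """Classify a session's inter-keystroke intervals (milliseconds)."""
    if len(intervals) < MIN_SAMPLES:
        return "insufficient_data"
    if min(intervals) < FLOOR_MS:
        # A sleep-based bot never emits an interval below its floor; a person does.
        return "fast_keystroke_present"
    d = ks_statistic_uniform(intervals, FLOOR_MS, CEILING_MS)
    if d < MAX_KS_FOR_UNIFORM:
        return "uniform_sleep_pattern"
    return "no_uniform_pattern"


def looks_scripted(intervals: List[float]) -> bool:
    """True only when the timing matches the uniform-random-sleep pattern."""
    return assess(intervals) == "uniform_sleep_pattern"


# Constructed samples (not captured from real devices):
# 101 evenly spaced intervals from 300 to 3000 ms, the shape a uniform sleep converges to.
BOT_SAMPLE = [300.0 + 27.0 * i for i in range(101)]
# A slow but human-looking session: a handful of fast corrections among longer pauses.
HUMAN_SAMPLE = [110.0, 95.0, 240.0, 180.0] + [400.0 + 35.0 * i for i in range(50)]
# Consistently slow typing above the floor, but tightly clustered, so not uniform.
SLOW_HUMAN_SAMPLE = [400.0 + 1.0 * i for i in range(50)]

if __name__ == "__main__":
    for name, sample in [("bot", BOT_SAMPLE), ("human", HUMAN_SAMPLE), ("slow human", SLOW_HUMAN_SAMPLE)]:
        print(f"{name:11s} -> {assess(sample)} (flagged={looks_scripted(sample)})")
```

A check like this is cheap to run server-side on timing events the banking app already reports, and it shows why the evasion works only against detectors that look for pasted text or machine-speed input: the real discriminator is the shape of the interval distribution, not its mean.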
Active Campaigns and Geographic Spread
While initial attacks concentrated in Europe and South America, evidence indicates Herodotus operators are preparing for expanded campaigns targeting U.S. businesses and financial institutions.
Active campaigns targeting users in Italy and Brazil with apps disguised as banking and security tools
Overlay pages discovered for U.S., Turkey, United Kingdom, and Poland financial organizations
Cryptocurrency wallets and exchanges across all regions included in targeting lists
Multiple command and control server subdomains suggest different criminal groups operating regional campaigns
The presence of U.S.-specific targeting overlays means operators have already invested resources in preparing attacks against American financial institutions, making Houston businesses and their employees attractive targets for criminals seeking high-value accounts.
(Source: ThreatFabric)
How Herodotus Infects Devices
Distribution relies on social engineering tactics that exploit human trust to trick users into installing malicious applications designed to bypass Android security features.
SMS phishing messages deliver malicious links appearing to come from legitimate organizations
Dropper applications masquerade as trusted software like Google Chrome or security tools
Social engineering creates urgency to pressure users into clicking links without scrutiny
Downloads occur outside Google Play Store, bypassing official app vetting processes
Employee education provides the most effective defense against these distribution tactics. When Houston business staff can recognize smishing messages and understand the dangers of installing apps from text message links, they become the first line of defense.
The Infection Chain
Once users download and execute the dropper application, Herodotus follows a carefully orchestrated infection sequence designed to gain maximum device control while avoiding detection.
Dropper installs the Herodotus payload using techniques that bypass Android 13+ security restrictions
Displays fake loading screens to hide suspicious permission grants occurring in the background
Collects a list of all installed applications and transmits the inventory to command and control servers
Receives targeting instructions specifying which apps to overlay with fake login screens
Waits for victims to open targeted banking applications, then immediately displays fake login screens
After establishing control, Herodotus enables real-time device takeover attacks where criminals remotely view screens, intercept SMS authentication codes, and conduct fraudulent transactions while the malware’s human-like behavior helps evade detection systems.
Who Is at Risk
The scope of potential victims extends beyond individual consumers to encompass entire business organizations whose employees use Android devices for work-related purposes.
Small and medium-sized businesses lacking enterprise mobile device management systems
Employees using personal Android devices to access work email or corporate resources
Financial services, retail, oil and gas, healthcare, and professional services firms
Cryptocurrency investors and traders managing digital assets through Android wallet applications
Small business owners who manage company finances through mobile banking applications
Any employee with access to corporate accounts or sensitive business information on Android devices
The device takeover capabilities mean attackers can access any application or data on infected phones, extending risk beyond just banking apps. Once Herodotus establishes control, corporate email, cloud storage, messaging applications, and VPN connections all become accessible to criminals.
Protection and Remediation
Defending against Herodotus requires a multi-layered security approach combining technical controls, policy enforcement, and employee education.
Implement mobile device management solutions for all devices accessing company resources
Establish policies permitting application installations only from the Google Play Store
Deploy app-based authenticators or hardware security keys instead of SMS-based two-factor authentication
Conduct regular security awareness training addressing SMS phishing tactics
Monitor managed devices for suspicious accessibility service usage
Implement network-level security detecting and blocking command and control communications
Create incident response procedures for mobile device compromise with clear escalation paths
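One of the controls listed above, monitoring managed devices for suspicious accessibility service usage, can be scripted against the setting Android itself exposes. The example below is added here and is not CinchOps' tooling or part of the original post: it reads the colon-separated `enabled_accessibility_services` value (as printed by `adb shell settings get secure enabled_accessibility_services` on a device reachable over adb) and reports any enabled service that is not on an organisation's allowlist. The allowlist, the sample device output and the sideloaded package name in it are constructed for the example; Herodotus' real package names are not given in the post and none are used here.

```python
"""
Accessibility-service audit for managed Android devices (added example).

Android stores enabled accessibility services as flattened component names,
"package/ServiceClass", separated by colons (the class may be abbreviated to
".ServiceClass"). Anything enabled that the organisation did not deploy is
worth an alert, because device-takeover trojans rely on this permission.
"""
import subprocess
from typing import Dict, List, Optional, Set

# Assumed allowlist: the services this (hypothetical) organisation knowingly enables.
ALLOWED_SERVICES: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed stand-in for adb output on a compromised device: TalkBack plus an
# unknown service registered by a sideloaded app (placeholder package name).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded.dropper/.AccService"
)


def parse_enabled_services(raw: str) -> List[str]:
    """Split the raw setting into component entries; 'null' or empty means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def expand_component(entry: str) -> str:
    """Normalise 'pkg/.Cls' shorthand to 'pkg/pkg.Cls' so allowlist matching is exact."""
    pkg, _, cls = entry.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"


def audit(raw: str, allowed: Set[str] = ALLOWED_SERVICES) -> Dict[str, List[str]]:
    """Return the enabled services and the subset not on the allowlist."""
    enabled = [expand_component(e) for e in parse_enabled_services(raw)]
    return {
        "enabled": enabled,
        "unexpected": [e for e in enabled if e not in allowed],
    }


def read_setting_from_device(serial: Optional[str] = None) -> str:
    """Fetch the live value over adb (requires a connected, authorised device)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Run on the constructed sample; swap in read_setting_from_device() for a real check.
    report = audit(SAMPLE_SETTING)
    for svc in report["enabled"]:
        status = "UNEXPECTED" if svc in report["unexpected"] else "allowed"
        print(f"{status:10s} {svc}")
```

In an MDM-managed fleet the same comparison is normally done by the management agent rather than over adb, but the data source is identical: an enabled accessibility service whose package the organisation never distributed is a high-signal indicator that deserves a ticket and, for a device with banking or corporate apps on it, the network isolation steps described in the next section.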
Organizations must recognize that mobile devices represent legitimate attack vectors requiring the same attention as traditional endpoints like laptops and desktop computers.
For Infected Devices
If employees suspect device compromise, immediate action is critical to prevent or minimize fraud and data loss.
Immediately disconnect the device from all cellular and Wi-Fi networks
Contact financial institutions from a separate device to report potential compromise
Change passwords for all accounts accessed from the infected device using a different, trusted device
Review recent transactions for unauthorized activity and report suspicious transactions immediately
Factory reset the infected device completely, erasing all data and applications
Restore only from backups created before the suspected infection date
Time is critical when dealing with active device takeover attacks. Criminals can conduct multiple fraudulent transactions within minutes once they gain access, making quick recognition and response essential to reducing potential losses.
How CinchOps Can Help
Protecting Houston businesses from sophisticated mobile threats like Herodotus requires comprehensive managed IT support extending beyond traditional network security. CinchOps delivers the expertise and technology necessary to defend against advanced malware and prevent device takeover attacks.
Our Managed IT Support and Cybersecurity Services Include:
Mobile device management implementation controlling application installations and enforcing security policies across all devices
Security awareness training programs educating employees about mobile threats and SMS phishing tactics
Network security solutions detecting and blocking command and control communications from infected devices
Continuous monitoring and threat intelligence keeping your organization informed about emerging threats
Incident response planning and support for mobile device compromise scenarios
CinchOps brings decades of experience securing Houston businesses against evolving threats. We partner with you to build comprehensive security strategies tailored to your specific business needs and risk profile. Contact CinchOps today to discuss how our managed IT support and cybersecurity services can protect your Houston business from mobile malware and device takeover attacks.