
Herodotus Mobile Malware

Security researchers have uncovered a new Android banking trojan named Herodotus that is being used in active device‑takeover (DTO) campaigns. Early activity has been observed targeting users in Italy and Brazil, and analysis indicates the malware is offered as Malware‑as‑a‑Service (MaaS). 

Bogus Chrome Dropper, SMiShing, And Side‑loading

Operators distribute Herodotus via dropper applications that impersonate legitimate apps (reportedly masquerading as Google Chrome with package names like com.cd3.app) and lure victims through SMS phishing and other social‑engineering vectors. Once the dropper is installed (often through side‑loading), it fetches and installs the malicious payload. 

Capabilities Of Herodotus

  • Abuse Android Accessibility services to control the screen, present opaque overlays, and display fake login pages over banking and crypto apps.
  • Intercept and exfiltrate on‑screen content and SMS messages (including 2FA codes).
  • Grant itself extra permissions, capture lock‑screen PINs or patterns, install remote APKs, and persist inside live sessions rather than just stealing static credentials.
  • Log keystrokes, stream screens, and perform remote input actions to carry out account takeover. 

'Humanizing' Remote Fraud To Beat Behavioral Detectors

Herodotus' standout feature is its attempt to mimic human interaction timing. The malware can insert randomized delays between automated input events (reported delay range ~300–3,000 milliseconds) so that remotely injected typing looks more like a real user and less like machine‑paced input — a deliberate effort to bypass anti‑fraud and behavioral‑biometric controls that rely primarily on input tempo and keystroke cadence. 
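The defensive side of this is a tempo check that does not stop at "too fast to be human". The following is an added illustration, not code from the report or from any anti‑fraud vendor: it takes one session's input‑event timestamps and flags two machine‑like cadences, a near‑constant gap (classic automation) and gaps that look like uniform random draws inside a fixed window (the "humanized" pattern described above, which still lacks the bursts of sub‑150 ms intervals and the heavy tail that real typing produces). The thresholds, the 150 ms short‑interval cutoff and the three sample sequences are all constructed assumptions for illustration, not tuned values or captured telemetry.

```python
"""Input-tempo anomaly check (constructed example, not from the Herodotus report).

Scores a sequence of input-event timestamps from one session and flags two
machine-like cadences: a near-constant delay (classic automation) and delays
that look like uniform random draws inside a fixed window. All thresholds are
assumptions chosen for illustration, not tuned production values."""
from statistics import mean, pstdev

MIN_EVENTS = 10          # assumption: fewer gaps than this is too little to judge
SHORT_INTERVAL_MS = 150  # assumption: human typing routinely produces sub-150 ms gaps
KS_UNIFORM_MAX = 0.20    # assumption: KS distance below this looks uniform-random
CONSTANT_CV_MAX = 0.05   # assumption: coefficient of variation below this is fixed-rate


def ks_distance_to_uniform(values):
    """Kolmogorov-Smirnov distance between the values (rescaled to [0, 1] by
    their own min/max) and the uniform distribution on [0, 1]. A constant
    sequence has no spread, so it is returned as maximally non-uniform."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return 1.0
    u = sorted((v - lo) / (hi - lo) for v in values)
    n = len(u)
    d = 0.0
    for i, x in enumerate(u, start=1):
        d = max(d, abs(i / n - x), abs((i - 1) / n - x))
    return d


def analyze_input_tempo(timestamps_ms):
    """Return tempo features and a verdict for one session's input events."""
    ts = sorted(timestamps_ms)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < MIN_EVENTS:
        return {"n": len(intervals), "verdict": "insufficient"}
    short_fraction = sum(1 for x in intervals if x < SHORT_INTERVAL_MS) / len(intervals)
    cv = pstdev(intervals) / mean(intervals)
    ks = ks_distance_to_uniform(intervals)
    if cv < CONSTANT_CV_MAX:
        verdict = "constant-cadence"          # fixed delay between events
    elif ks < KS_UNIFORM_MAX and short_fraction < 0.05:
        verdict = "uniform-random-cadence"    # jittered, but bounded and flat
    else:
        verdict = "no-tempo-anomaly"          # tempo alone gives no signal
    return {"n": len(intervals), "short_fraction": round(short_fraction, 3),
            "cv": round(cv, 3), "ks_uniform": round(ks, 3), "verdict": verdict}


def timestamps_from_gaps(gaps_ms, start=0):
    """Turn a list of inter-event gaps into absolute event timestamps."""
    out, t = [start], start
    for gap in gaps_ms:
        t += gap
        out.append(t)
    return out


# Constructed sample gap sequences (milliseconds), not captured telemetry.
HUMAN_GAPS = [95, 140, 210, 88, 430, 120, 1850, 160, 75, 300,
              110, 2400, 130, 95, 180, 650, 105, 90, 260, 140]
WINDOWED_GAPS = [412, 2875, 1634, 980, 2201, 655, 1998, 2530, 1120, 340,
                 2760, 1455, 820, 2340, 1790, 590, 2990, 1260, 2050, 730]
FIXED_GAPS = [500] * 20

if __name__ == "__main__":
    for name, gaps in (("human", HUMAN_GAPS), ("windowed", WINDOWED_GAPS), ("fixed", FIXED_GAPS)):
        print(name, analyze_input_tempo(timestamps_from_gaps(gaps)))
```

The check is deliberately one signal among several: a distribution test like this can be evaded by a different delay distribution, which is exactly why the section below argues for combining tempo with device posture, overlay and accessibility telemetry, and transaction risk scoring rather than relying on cadence alone.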

Connections To Brokewell

Analysis shows Herodotus is not simply a new version of Brokewell; rather, it appears to reuse techniques and code fragments (including obfuscation methods and literal references such as the marker 'BRKWL_JAVA') from Brokewell and other families, effectively stitching known components into a new, actively developed strain. 

Geographic Scope And Targets

Researchers have recovered overlay pages tailored for banks in the U.S., Turkey, the U.K., and Poland, and for cryptocurrency wallets and exchanges — evidence the operators are broadening target geography and verticals beyond the initial Italy/Brazil sightings. The project is actively under development and marketed to other fraud actors via underground forums. 

Practical Actions To Prioritize

  • Treat behavior‑only anti‑fraud solutions as one signal in a layered defense: combine device posture, integrity checks (detect accessibility abuse and side‑loaded apps), network telemetry, and transaction risk scoring.
  • Detect and block side‑loading and unauthorized package installations; monitor for suspicious overlay windows and accessibility service usage on endpoints.
  • Enforce strong multi‑factor authentication (push or hardware tokens over SMS where possible), device hardening, and timely OS/app updates.
  • Implement transaction throttles and secondary verification for high‑risk actions that could be abused during a live session. 
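The second and third points above (detecting side‑loaded packages and accessibility‑service abuse) can be triaged from two standard Android shell commands. The script below is an added example, not tooling from the report: it parses the text printed by `adb shell pm list packages -3 -i` (third‑party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`, then reports packages whose installer is not on an allow list, enabled accessibility services owned by packages outside a known‑good list, and, as the highest‑risk combination, a side‑loaded package that also has an accessibility service enabled. The sample command output is constructed; the `com.cd3.app` package name is the one reported above, while its service class name, the bank package and the trusted‑installer policy are placeholders.

```python
"""Side-loading and accessibility-service triage from adb output.

Constructed example, not tooling from the report. Parses the text printed by
  adb shell pm list packages -3 -i
  adb shell settings get secure enabled_accessibility_services
and correlates the two: a third-party package installed by an untrusted
installer that also owns an enabled accessibility service is the pattern an
overlay/device-takeover trojan needs."""
import re

# Assumption: which installers and accessibility owners are trusted is policy.
TRUSTED_INSTALLERS = {"com.android.vending"}                    # Google Play
KNOWN_ACCESSIBILITY_OWNERS = {"com.google.android.marvin.talkback"}

PACKAGE_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package ('null' when none is recorded,
    which is what a side-loaded or adb-installed app shows)."""
    result = {}
    for line in pm_output.splitlines():
        m = PACKAGE_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("installer")
    return result


def parse_accessibility_services(settings_output):
    """Return [(package, service_class)] from the colon-separated setting value."""
    raw = settings_output.strip()
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services.append((pkg, cls))
    return services


def triage(pm_output, settings_output):
    """Correlate installer provenance with enabled accessibility services."""
    installers = parse_installers(pm_output)
    sideloaded = sorted(pkg for pkg, inst in installers.items()
                        if inst not in TRUSTED_INSTALLERS)
    services = parse_accessibility_services(settings_output)
    unknown_services = [(pkg, cls) for pkg, cls in services
                        if pkg not in KNOWN_ACCESSIBILITY_OWNERS]
    high_risk = sorted({pkg for pkg, _ in unknown_services} & set(sideloaded))
    return {"sideloaded": sideloaded,
            "unknown_accessibility": unknown_services,
            "high_risk": high_risk}


# Constructed command output (placeholders, not a real device capture).
PM_SAMPLE = """package:com.cd3.app  installer=null
package:com.example.bank  installer=com.android.vending
package:org.example.notes  installer=com.android.vending
"""
SETTINGS_SAMPLE = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.cd3.app/com.cd3.app.ExampleService")  # class name is a placeholder

if __name__ == "__main__":
    report = triage(PM_SAMPLE, SETTINGS_SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a managed fleet the same two values are exposed by most MDM agents, so the correlation can run centrally rather than over adb; the installer check is coarse on its own (enterprise and OEM stores are legitimate non‑Play installers), which is why the high‑risk verdict requires the accessibility‑service overlap as well.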

Technical Takeaway

Unlike simple credential‑harvesting trojans, Herodotus is designed to remain active during live sessions and to carry out remote, session‑preserving account takeovers. That makes real‑time detection and in‑session mitigations (for example, detecting overlays, unusual input patterns that are inconsistent with device state, or simultaneous screen streaming) especially important. 
