
Herodotus Trojan bypasses defenses by typing like a human

ThreatFabric specialists report on a new banking trojan, Herodotus, which is being used in attacks against users in Italy and Brazil. The malware specializes in device takeover and attempts to mimic human behavior to bypass behavioral analysis systems.

Herodotus has been advertised on hacker forums since September 7, 2025, as MaaS (malware-as-a-service). The malware’s developers claim it is suitable for attacks on Android versions 9–16. Although the trojan is not a direct successor to the well-known banking trojan Brokewell, researchers note a clear kinship: similar obfuscation techniques and direct mentions of Brokewell in the code (for example, the string “BRKWL_JAVA”).

The banking trojan is distributed via dropper apps disguised as Google Chrome (package name com.cd3.app), through SMS phishing and other social engineering methods. After installation, Herodotus abuses Android Accessibility services to gain full control of the device.

The basic functionality of Herodotus includes:

  • interaction with the screen and UI elements;
  • displaying opaque overlays to hide activity;
  • showing fake login screens on top of banking apps;
  • intercepting SMS messages with two-factor authentication codes;
  • recording everything displayed on the screen;
  • automatically obtaining any required permissions;
  • stealing the PIN or pattern for the lock screen;
  • remote installation of additional APK files.

However, the malware’s key feature is its attempt to fool behavioral analysis systems that examine characteristic human activity patterns (typing speed, finger movements, inter-keystroke delays). Specifically, during remote text entry the malware deliberately inserts random delays of 300–3000 milliseconds (0.3–3 seconds) between characters, so that the injected input does not arrive at the constant, machine-like rate such systems look for.

“Such delay randomization matches how a real person types,” ThreatFabric explains. “Attackers deliberately slow down input, using random intervals to avoid detection by anti-fraud systems that detect machine-like typing speed.”

This is the first known case of Android malware that deliberately tries to evade security mechanisms based on behavioral analysis.
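The following is an added illustration, not code from ThreatFabric or from the malware, showing why a speed-only anti-fraud rule is fooled by the delay randomization described above. It runs three constructed inter-keystroke interval sequences (a human-like sample, a constant-rate injection, and intervals drawn uniformly from the 300–3000 ms range the report describes) through a naive "machine-like speed" rule and through an illustrative distribution-shape rule. The human-like sample, the thresholds and the shape heuristic (humans usually produce at least some sub-300 ms intervals; injected input from the randomizer never does) are assumptions for this example, not findings from the report.

```python
import random
import statistics

# Constructed inter-keystroke intervals in milliseconds (not real telemetry).
HUMAN_MS = [180, 240, 95, 310, 150, 420, 210, 130, 275, 190]  # assumed human-like sample
SCRIPTED_MS = [40] * 10                                      # constant-rate automated input
random.seed(7)
# Intervals drawn uniformly from the 300-3000 ms range the report attributes to Herodotus.
RANDOMIZED_MS = [random.randint(300, 3000) for _ in range(10)]


def interval_features(intervals_ms, fast_ms=300):
    """Summarise an interval sequence: mean, spread, and share of 'fast' intervals."""
    if len(intervals_ms) < 2:
        raise ValueError("need at least two intervals to build features")
    fast = sum(1 for ms in intervals_ms if ms < fast_ms)
    return {
        "mean_ms": statistics.mean(intervals_ms),
        "stdev_ms": statistics.pstdev(intervals_ms),
        "fast_fraction": fast / len(intervals_ms),
    }


def speed_only_rule(intervals_ms, max_mean_ms=100):
    """Naive anti-fraud rule: flag input whose average typing speed is machine-like.
    Randomised 300-3000 ms delays sail past this check by design."""
    return interval_features(intervals_ms)["mean_ms"] < max_mean_ms


def shape_rule(intervals_ms, min_stdev_ms=5, min_fast_fraction=0.2):
    """Illustrative shape-based rule (assumed thresholds): flag input that is either
    metronomic (almost no variance) or that never produces a fast interval, which
    a uniform 300-3000 ms delay generator cannot do while a human normally does."""
    f = interval_features(intervals_ms)
    return f["stdev_ms"] < min_stdev_ms or f["fast_fraction"] < min_fast_fraction


def evaluate(intervals_ms):
    """Return both verdicts for a sequence so the two rules can be compared."""
    return {
        "flagged_by_speed_rule": speed_only_rule(intervals_ms),
        "flagged_by_shape_rule": shape_rule(intervals_ms),
    }


if __name__ == "__main__":
    for name, seq in (("human", HUMAN_MS), ("scripted", SCRIPTED_MS), ("randomized", RANDOMIZED_MS)):
        print(name, interval_features(seq), evaluate(seq))
```

Running the script shows the constant-rate injection caught by both rules, the randomized sequence caught only by the shape rule, and the human-like sample passing both; the point is that a speed threshold alone is the wrong feature once an attacker controls the timing, and that any replacement heuristic such as the one here must be validated against real user data before deployment.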

Initially, Herodotus targeted only users in Italy and Brazil, but researchers have already found overlays for banks and financial institutions in the United States, Turkey, the United Kingdom, and Poland. The malware operators are also interested in cryptocurrency wallets and exchanges, and they are clearly expanding the geographic scope of their attacks.

“The Trojan is under active development, borrows techniques from Brokewell, and is designed not for the simple theft of static credentials, but to persist within active sessions with a focus on account takeover,” the researchers conclude.
