New Android malware tries to “humanize” the actions attackers perform during remote control.
Analysis Summary
# Tool/Technique: Herodotus Malware
## Overview
Herodotus is a new Android banking malware discovered by ThreatFabric that aims to steal money from banking apps and online accounts by taking full remote control of infected devices. Its defining characteristic is its attempt to evade detection by "humanizing" remote control actions, specifically by inputting data character-by-character with realistic typing delays.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Remote control, overlay attacks, credential theft, SMS interception (for OTPs), screen reading via Accessibility features, human-like input simulation.
- First Seen: Not stated; the source article is dated October 28th, 2025, so discovery and the observed campaigns are recent as of that date.
## MITRE ATT&CK Mapping
The source text gives no mappings. The list below is an editor's mapping of the described behaviour onto the ATT&CK for Mobile matrix (the Enterprise matrix fits an Android banking trojan poorly) and should be treated as indicative rather than authoritative:
- **Initial Access**
- T1660 - Phishing (victims lured by SMS into installing the malicious installer)
- **Defense Evasion**
- T1655.001 - Masquerading: Match Legitimate Name or Location (posing as "Banca Sicura" or as a Stone security module)
- T1516 - Input Injection (Accessibility-driven remote control and per-character text entry). The humanized typing delays are not an ATT&CK technique in their own right; they are a fraud-control evasion layered on top of this injection.
- **Credential Access / Collection**
- T1417.002 - Input Capture: GUI Input Capture (overlay screens over banking and cryptocurrency apps)
- T1417.001 - Input Capture: Keylogging and T1513 - Screen Capture (reading screen contents through Accessibility features)
- T1636.004 - Protected User Data: SMS Messages (OTP interception)
- **Command and Control**
- T1437 - Application Layer Protocol (operator-driven remote control; protocol details not given in the text)
- **Exfiltration**
- T1646 - Exfiltration Over C2 Channel
No lateral movement is described: "full device control" is remote control of the one infected handset, not movement to other systems.
## Functionality
### Core Capabilities
- **Remote Control:** Takes full control over the victim's phone.
- **Overlay Attacks:** Displays fake screens over legitimate banking/cryptocurrency applications to capture credentials.
- **SMS Interception:** Captures incoming Short Message Service (SMS) messages, typically used for One-Time Passcodes (OTPs).
- **Accessibility Exploitation:** Leverages Android's Accessibility features to read screen contents.
### Advanced Features
- **Humanized Input Simulation:** Instead of entering a whole string at once (a tempo that anti-fraud engines readily flag as automation), the malware enters text one character at a time with a random pause of roughly 0.3 to 3 seconds between characters, mimicking human typing cadence. The goal is to pass behavioural fraud controls that rely mainly on interaction speed.
## Indicators of Compromise
- File Hashes: None provided in the text.
- File Names: The malware was observed under different disguises:
  - **Banca Sicura** (Italy, posing as "Safe Bank")
  - **Modulo Seguranca Stone** (Brazil, posing as a security module for a local payment provider)
- Registry Keys: Not applicable (Android environment).
- Network Indicators: None provided in the text.
- Behavioral Indicators:
  - Automated actions (such as form filling) executed with simulated human typing patterns (0.3 to 3 second pauses between individual characters).
  - Installation via malicious installers distributed by SMS.
## Associated Threat Actors
- Developed by a hacker operating under the alias **K1R0**.
- Advertised on underground forums as malware-as-a-service, i.e. rented to other operators rather than used only by its author.
- Campaigns observed in **Italy** and **Brazil**.
## Detection Methods
- **Signature-based detection:** Mobile anti-malware scanning catches known builds once vendors have samples, but no hashes are published here and the malware ships under changing per-campaign disguises, so expect a lag before signatures cover new builds.
- **Behavioral detection:** Fraud controls that rely solely on interaction tempo or keystroke cadence are exactly what the humanized typing is designed to pass. Detection is most effective when cadence analysis is paired with device-environment monitoring (see Mitigation).
- **YARA rules:** None provided in the text.
## Mitigation Strategies
- **Fraud Controls Enhancement:** Banks and payment providers should implement security measures that look beyond simple interaction tempo and pair behavioral monitoring with device environment analysis to detect threats like Herodotus.
- **User Education:** Caution against installing apps distributed via unverified sources (e.g., SMS links).
- **Accessibility Restriction:** Reviewing and minimizing the scope of Accessibility Services granted to applications.
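As an added example (not ThreatFabric's, any bank's or any vendor's code), the following Python scores a login or transfer session the way the mitigation above recommends: a plain tempo check, a cadence heuristic aimed at the per-character delays described under Advanced Features and Behavioral Indicators, and device-environment signals combined into one verdict. The session records, field names, package names and thresholds are all constructed assumptions; in particular, the cadence heuristic (a human typist produces some sub-300 ms gaps, whereas a uniform 300-3000 ms injector never does) is an editor's hypothesis, not something the source states.

```python
"""Illustrative fraud-control scoring for Android banking sessions.

Combines keystroke cadence with device-environment signals. All data,
field names, package names and thresholds below are constructed for the
example; nothing here is taken from the ThreatFabric report.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class Session:
    session_id: str
    intervals_ms: List[int]               # gaps between consecutive keystrokes in the form
    installer: Optional[str]              # installing package as the app would report it from
                                          # PackageManager.getInstallSourceInfo() (assumed field)
    accessibility_services: List[str] = field(default_factory=list)  # enabled a11y services (assumed)
    overlay_visible: bool = False         # app observed a window drawn over it (assumed field)


TRUSTED_INSTALLERS = {"com.android.vending"}                  # Google Play (assumption: sole channel)
ALLOWLISTED_A11Y = {"com.google.android.marvin.talkback"}    # TalkBack, a genuine assistive service


def tempo_flag(intervals: List[int], fast_ms: int = 60) -> bool:
    """Classic tempo check: pasted or injected text lands with near-zero gaps."""
    return len(intervals) >= 5 and median(intervals) < fast_ms


def cadence_flag(intervals: List[int], floor_ms: int = 300, min_keys: int = 12) -> bool:
    """Heuristic (editor's assumption): humans mix short and long gaps; a
    per-character injector with a 300 ms minimum delay never dips below it."""
    return len(intervals) >= min_keys and min(intervals) >= floor_ms


def environment_flags(s: Session) -> List[str]:
    """Device-environment signals that a humanized injector cannot hide."""
    flags = []
    if s.installer not in TRUSTED_INSTALLERS:
        flags.append("sideloaded")
    rogue = [a for a in s.accessibility_services if a not in ALLOWLISTED_A11Y]
    if rogue:
        flags.append("accessibility:" + ",".join(rogue))
    if s.overlay_visible:
        flags.append("overlay")
    return flags


def score(s: Session) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Tempo alone or any environment signal steps
    the session up; the cadence heuristic alone only queues it for review,
    because slow but genuine typists also trip it."""
    reasons = []
    if tempo_flag(s.intervals_ms):
        reasons.append("tempo")
    if cadence_flag(s.intervals_ms):
        reasons.append("cadence")
    env = environment_flags(s)
    reasons += env
    if "tempo" in reasons or env:
        return "step-up", reasons
    if "cadence" in reasons:
        return "review", reasons
    return "allow", reasons


# Constructed sessions (not real telemetry).
human = Session("s1", [180, 95, 240, 410, 130, 88, 220, 150, 990, 175, 140, 205, 160],
                "com.android.vending")
naive_bot = Session("s2", [5, 4, 6, 5, 5, 4, 6, 5, 5, 4, 5, 6], "com.android.vending")
slow_human = Session("s3", [350, 420, 610, 330, 500, 380, 450, 700, 360, 410, 390, 520, 340],
                     "com.android.vending")
# Herodotus-style: human-looking 300-3000 ms gaps, but sideloaded, with an
# unknown accessibility service enabled and an overlay on top of the app.
injector = Session("s4", [1320, 640, 2810, 455, 1975, 302, 880, 2400, 1110, 760, 1540, 2950, 395],
                   "com.example.dropper",                     # constructed package name
                   ["com.example.remote.AccessService"],      # constructed package name
                   overlay_visible=True)

if __name__ == "__main__":
    for s in (human, naive_bot, slow_human, injector):
        print(s.session_id, *score(s))
```

The injector session passes the tempo check that the naive bot fails, which is the whole point of the humanized delays; it is the environment signals (non-Play installer, unexpected accessibility service, overlay) that convict it. The slow human shows why the cadence heuristic is only a review trigger on its own.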
## Related Tools/Techniques
- Other modern Android banking trojans that rely on overlays and Accessibility features (for example FluBot and Anubis). Herodotus shares that toolkit; its distinguishing feature is the humanized typing emulation.