Herodotus: The Android Malware That Types Like You Do to Steal Your Money

A new and cunning threat has emerged in the world of Android malware, designed to sidestep traditional fraud detection by mimicking human behavior. 

Named Herodotus, this banking Trojan is making waves for its sophisticated ability to remotely control infected devices, meticulously stealing money from banking and online accounts. Developed by a hacker known as K1R0, Herodotus is even being advertised as a service on underground forums, signaling a potentially widespread threat.


Researchers at ThreatFabric have been tracking active campaigns utilising Herodotus, observing its presence in Italy and Brazil. In Italy, it masqueraded as "Banca Sicura," a seemingly innocuous "Safe Bank" app. Brazilian users encountered it disguised as "Modulo Seguranca Stone," likely impersonating a security module for a local payment provider. 

The malware also creates deceptive overlay pages for legitimate banking and cryptocurrency apps across numerous countries, including the U.S., the U.K., Turkey and Poland, aiming to trick users into revealing their credentials.


Given its ongoing development, experts anticipate Herodotus will continue to evolve and become a significant player in global cybercrime.




The operational mechanics of Herodotus are similar to many modern Android banking Trojans. It typically spreads through deceptive SMS messages that lure users into downloading a malicious installer. Once installed, the malware lies in wait. When a targeted banking or payment app is launched, Herodotus springs into action, displaying a fake overlay screen that perfectly mimics the legitimate interface. This allows it to steal login credentials and even intercept one-time passcodes delivered via SMS. It further exploits Android’s accessibility features to gain comprehensive insight into what’s displayed on the device screen.


What truly sets Herodotus apart, however, is its innovative approach to remote control. Unlike most automated malware that pastes data instantly, Herodotus strives to "humanise" its actions. When inputting account or transaction details, it types each character individually, incorporating random pauses of approximately 0.3 to 3 seconds between keystrokes. This deliberate, staggered typing effectively simulates human input, making it incredibly difficult for standard fraud detection systems, which often flag instantaneous data entry as suspicious, to identify the malicious activity.


This advanced tactic presents significant challenges for financial institutions. While fraud controls that analyse interaction tempo and keystroke cadence can still be effective, ThreatFabric emphasises that these measures are most robust when combined with other security protocols. These comprehensive systems should not only monitor user behavior but also scrutinise the device environment to pinpoint threats like Herodotus. As mobile malware becomes increasingly sophisticated, a multi-layered security approach is paramount to protecting users and financial systems from these evolving dangers.
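To make the cadence argument concrete, the following added example (not code from the article or from ThreatFabric) scores a constructed paste trace, a human trace and a Herodotus-style paced trace: the classic instantaneous-entry rule flags only the paste, and the paced trace is caught only once a device-environment signal such as an untrusted accessibility service is added. The device-signal keys, thresholds and weights are assumptions for illustration.

```python
"""Toy detector illustrating the article's point: an instantaneous-entry rule
alone misses Herodotus-style paced typing, so cadence must be combined with
device-environment signals. Added example, not from the article or ThreatFabric;
all timestamps, device dicts and thresholds below are constructed assumptions."""
from statistics import mean, pstdev

INSTANT_THRESHOLD_S = 0.05  # assumed cutoff: gaps below this look injected, not typed

# Constructed keystroke timestamps (seconds) for an 8-character field.
PASTE = [0.00, 0.01, 0.02, 0.03, 0.04, 0.05, 0.06, 0.07]  # injected all at once
HUMAN = [0.00, 0.15, 0.32, 0.50, 0.62, 0.81, 1.00, 1.20]  # a real user typing
PACED = [0.00, 0.40, 2.60, 3.10, 5.70, 6.20, 8.90, 9.40]  # random 0.3-3 s gaps

# Constructed device-environment snapshots; the keys are assumptions for this example.
CLEAN_DEVICE = {"untrusted_accessibility_service": False, "overlay_permission_granted": False}
INFECTED_DEVICE = {"untrusted_accessibility_service": True, "overlay_permission_granted": True}

def inter_key_intervals(timestamps):
    """Gaps between consecutive keystrokes."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]

def cadence_features(timestamps):
    """Summarise typing tempo; 'instant' is the classic paste/inject rule."""
    gaps = inter_key_intervals(timestamps)
    if not gaps:
        return {"mean_gap": 0.0, "stdev_gap": 0.0, "instant": False}
    return {
        "mean_gap": mean(gaps),
        "stdev_gap": pstdev(gaps),
        "instant": all(g < INSTANT_THRESHOLD_S for g in gaps),
    }

def risk_score(timestamps, device):
    """Combine the cadence rule with environment signals; returns (score, reasons)."""
    score, reasons = 0, []
    if cadence_features(timestamps)["instant"]:
        score += 50
        reasons.append("instantaneous entry")
    # Herodotus abuses accessibility services to read the screen, so a service
    # outside a known-good list being active during a banking session is a
    # strong environment signal even when the typing cadence looks human.
    if device["untrusted_accessibility_service"]:
        score += 40
        reasons.append("untrusted accessibility service active")
    if device["overlay_permission_granted"]:
        score += 20
        reasons.append("overlay permission held by unknown app")
    return score, reasons
```

Run against the three traces: the paste trace is flagged on cadence alone, while the paced trace scores zero on a clean device and is only raised by the environment signals on the infected one.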
