
Herodotus, from Ancient Greece to Italy and Brazil to fool Android anti-fraud

Javier Conejo del Cerro
29 Oct
3 min read

From the ruins of ancient Troy comes a new digital strategist. The Android banking trojan Herodotus—named after the famed Greek historian—has entered the modern cyber stage with an audacious playbook. Detected in active campaigns across Italy and Brazil, this malware goes beyond data theft: it mimics human behavior to defeat anti-fraud systems. Distributed through SMS phishing and fake Chrome dropper apps, Herodotus hijacks Android devices (versions 9 to 16) to seize full control, execute transactions, and impersonate users.

ThreatFabric researchers describe it as a hybrid built on Brokewell’s code fragments, augmented with deceptive timing that gives its commands the rhythm of human typing.


Phase 1: Deception in the Agora – The lure through social engineering


The campaign begins in the digital equivalent of the ancient marketplace: users’ smartphones.

Victims—primarily mobile-banking and crypto-wallet users in Italy and Brazil—receive SMS messages impersonating trusted entities such as banks, telecoms, or service providers. These messages urge immediate action, prompting recipients to install a fake version of Google Chrome. The trap is designed with persuasive urgency: “update required,” “account verification,” or “pending delivery.”

Once installed, the dropper app disguises itself as Chrome (package name com.cd3.app), using legitimate-looking icons and permissions to avoid suspicion. Overlay pages observed in parallel target banks in the U.S., Turkey, U.K., and Poland, showing that Herodotus’ operators are expanding beyond their initial Italian and Brazilian markets into high-value European and North American financial ecosystems.


Phase 2: The Oratory of Social Engineering – How Herodotus takes over


When the victim grants permissions, the real performance begins.

The dropper requests the REQUEST_INSTALL_PACKAGES permission, enabling it to sideload additional APKs without Google Play validation. By abusing Android’s Accessibility service, Herodotus gains deep access to the operating system: it can interact with the UI, capture screens, and self-grant new permissions.
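A device-side check for the two footholds this paragraph describes, which is also what the "disable Accessibility" and "restrict REQUEST_INSTALL_PACKAGES" advice later on the page amounts to in practice. This is an added example, not ThreatFabric's or the blog's code: it parses text in the shape of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` output as a fleet-audit script would. The samples are constructed and only approximate real dumpsys formatting, the allowlists are assumptions, and the only package name taken from the article is com.cd3.app.

```python
"""Audit a managed Android device for the two permission footholds the
article describes: REQUEST_INSTALL_PACKAGES (sideloading further APKs)
and an enabled Accessibility service.

Added example, not ThreatFabric's or the blog's code. The dumpsys and
settings samples below are constructed and only approximate the real
output format; the allowlists are assumptions for illustration."""
import re

KNOWN_DROPPER_PACKAGES = {"com.cd3.app"}  # package name reported in the article
INSTALLER_ALLOWLIST = {"com.android.vending", "com.android.packageinstaller"}  # assumed
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}  # assumed

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true")

# Constructed sample in the shape of `adb shell dumpsys package`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.vending] (1a2b3c):
    install permissions:
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.cd3.app] (4d5e6f):
    requested permissions:
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.READ_SMS
    install permissions:
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.bank] (7a8b9c):
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""
# Constructed sample of `settings get secure enabled_accessibility_services`;
# the cd3 service class name is invented, TalkBack is a legitimate service.
SAMPLE_A11Y = ("com.cd3.app/com.cd3.app.AccService:"
               "com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService")


def parse_granted_permissions(dumpsys_text):
    """Map package name -> set of granted android.permission.* names.
    Lines under 'requested permissions:' carry no 'granted=' and are skipped."""
    grants = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, set())
            continue
        m = GRANT_RE.match(line)
        if m and current:
            grants[current].add(m.group(1))
    return grants


def parse_accessibility_services(setting_value):
    """'pkg/svc:pkg2/svc2' -> set of package names; 'null' or '' -> empty."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/")[0] for entry in value.split(":") if entry}


def audit(dumpsys_text, accessibility_setting):
    """Return (package, reason) findings, in package order."""
    grants = parse_granted_permissions(dumpsys_text)
    a11y = parse_accessibility_services(accessibility_setting)
    findings = []
    for pkg in sorted(grants):
        perms = grants[pkg]
        if pkg in KNOWN_DROPPER_PACKAGES:
            findings.append((pkg, "known Herodotus dropper package name"))
        if ("android.permission.REQUEST_INSTALL_PACKAGES" in perms
                and pkg not in INSTALLER_ALLOWLIST):
            findings.append((pkg, "can sideload APKs (REQUEST_INSTALL_PACKAGES)"))
        if pkg in a11y and pkg not in ACCESSIBILITY_ALLOWLIST:
            findings.append((pkg, "enabled Accessibility service"))
            # Accessibility plus SMS access is the 2FA-interception combination
            if perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}:
                findings.append((pkg, "Accessibility plus SMS access: OTP interception risk"))
    # Services enabled for packages the dumpsys sample did not cover
    for pkg in sorted(a11y - set(grants) - ACCESSIBILITY_ALLOWLIST):
        findings.append((pkg, "enabled Accessibility service (package not in dumpsys output)"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit(SAMPLE_DUMPSYS, SAMPLE_A11Y):
        print(f"{pkg}: {reason}")
```

On a real fleet the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` (or the equivalent MDM inventory); the allowlists should be replaced with the organization's approved installer and accessibility packages.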

The malware employs opaque overlays to hide malicious activity while showing fake login screens that mimic legitimate banking or crypto apps. At the same time, it can:

  • Intercept and read SMS messages, including two-factor authentication (2FA) codes.

  • Extract lock screen PINs or patterns to bypass device protection.

  • Install or update remote APKs to sustain persistence.

  • Capture KYC documents, card details, 4-digit ATM PINs, and session tokens for later use.

But what makes Herodotus truly novel is its fraud humanization technique. Instead of executing commands instantly, it introduces random typing delays—between 300 and 3,000 milliseconds—to simulate human input. This prevents behavioral anti-fraud systems from flagging it as automated activity. Each click and keystroke feels “alive,” blending synthetic actions into human rhythm.


Phase 3: The Trojan’s Conquest – Data theft and remote control


Once installed and granted permissions, Herodotus becomes a fully operational remote access trojan (RAT) specialized in Device Takeover (DTO). Attackers can view and control the device in real time—executing commands, transferring funds, or manipulating apps.

The stolen data is exfiltrated to external servers:

  • Banking credentials, MFA/OTP codes, and credit card information.

  • Contact lists and session tokens, enabling further phishing or credential stuffing.

  • KYC documents and photos, allowing identity theft and synthetic account creation.

The campaign’s infrastructure leverages malware-as-a-service (MaaS) distribution, enabling multiple actors to buy access and customize overlays. Researchers note clear Brokewell lineage, including code references like BRKWL_JAVA, showing Herodotus’ evolution from earlier Android trojans. Yet its typing mimicry and session persistence place it among the most sophisticated mobile banking threats of 2025.


Phase 4: Adaptive Evolution – A historian that learns


Unlike traditional credential stealers that exfiltrate static data, Herodotus adapts dynamically to each victim’s actions. Its delayed input feature allows it to stay active during live banking sessions, enabling real-time fraud without triggering anti-fraud systems that rely on typing cadence or transaction velocity.

This level of adaptation suggests an ongoing arms race between behavioral biometrics and human-like automation, where Herodotus marks a milestone in deceptive cybernetics.

Furthermore, its global overlays and selective targeting patterns imply organized operators testing multiple financial ecosystems—expanding from Europe and South America to U.S. and Turkish institutions. Herodotus is not static; it’s learning from its victims.


Measures to fend off the historian’s deception


Organizations and users can take proactive steps to resist this “historian of fraud”:

  • Install apps only from Google Play or official vendor sites. Never trust download links from SMS or email.

  • Disable Accessibility permissions for apps that shouldn’t need them.

  • Restrict the REQUEST_INSTALL_PACKAGES permission to prevent sideloading malware.

  • Adopt push-based MFA instead of SMS to mitigate OTP interception.

  • Monitor for overlays and typing anomalies on managed Android devices.

  • Deploy mobile EDR solutions to detect DTO and Accessibility abuse in real time.

  • Educate users about fake browser updates and phishing SMS campaigns.
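The "typing anomalies" item above and the 300 to 3,000 ms delay window described under Phase 2 suggest one concrete detection: padding of that kind leaves inter-key delays that are clamped into a fixed window and spread evenly across it, whereas human intervals cluster fast with a long, skewed tail. The following is an added example, not ThreatFabric's or the blog's code, of that check run over constructed timing data; the feature thresholds and the 12-keystroke minimum are assumptions to be tuned against real telemetry.

```python
"""Flag keystroke sessions whose inter-key delays look like random padding
drawn from a fixed window rather than human typing.

Added example, not ThreatFabric's or the blog's code. It assumes a banking
app's behavioral telemetry hands over each session as a list of
inter-keystroke intervals in milliseconds; the three sessions below are
constructed by hand, not captured data."""
import statistics

DELAY_MIN_MS = 300   # delay window the article reports for Herodotus
DELAY_MAX_MS = 3000

# Constructed sessions (20 intervals each).
HUMAN_FAST = [180, 210, 95, 260, 140, 310, 220, 175, 900, 190,
              160, 240, 130, 205, 1800, 150, 230, 170, 120, 280]
HUMAN_SLOW = [650, 420, 380, 1200, 510, 2400, 440, 390, 3400, 480,
              520, 610, 700, 450, 5200, 430, 470, 560, 640, 490]
PADDED_BOT = [420, 2750, 1310, 880, 2210, 1640, 350, 2980, 1150, 1870,
              610, 2430, 990, 1520, 2690, 770, 2050, 1390, 2880, 1720]


def ks_flatness(values, lo, hi):
    """Kolmogorov-Smirnov distance between the empirical distribution of
    `values` and the uniform distribution on [lo, hi]. Near 0 means the
    values are spread evenly across the window; 1.0 when there is nothing
    to compare."""
    xs = sorted(values)
    n = len(xs)
    if n == 0:
        return 1.0
    d = 0.0
    for i, x in enumerate(xs, start=1):
        f = (x - lo) / (hi - lo)
        d = max(d, abs(i / n - f), abs((i - 1) / n - f))
    return d


def cadence_features(intervals):
    """Summarize one session. Human typing clusters well below 300 ms with
    a long right tail; padding clamps every delay into the window and
    spreads it flat."""
    if not intervals:
        raise ValueError("empty session")
    in_window = [t for t in intervals if DELAY_MIN_MS <= t <= DELAY_MAX_MS]
    return {
        "count": len(intervals),
        "min_ms": min(intervals),
        "median_ms": statistics.median(intervals),
        "frac_in_window": len(in_window) / len(intervals),
        "flatness": ks_flatness(in_window, DELAY_MIN_MS, DELAY_MAX_MS),
    }


def is_padded_automation(intervals, min_keys=12):
    """True when the session is long enough to judge, nearly every delay
    sits inside the window, none is faster than the window's floor, and
    the in-window delays are flat rather than skewed. The flatness check
    is what keeps a slow, deliberate human (HUMAN_SLOW) from being flagged:
    its delays are mostly in the window but pile up near the floor."""
    f = cadence_features(intervals)
    if f["count"] < min_keys:
        return False
    return (f["frac_in_window"] >= 0.9
            and f["min_ms"] >= DELAY_MIN_MS
            and f["flatness"] <= 0.25)


if __name__ == "__main__":
    for name, session in [("HUMAN_FAST", HUMAN_FAST),
                          ("HUMAN_SLOW", HUMAN_SLOW),
                          ("PADDED_BOT", PADDED_BOT)]:
        print(name, cadence_features(session), is_padded_automation(session))
```

The detector is deliberately a per-session signal, not a verdict: in production it would feed a risk score alongside device signals such as an enabled Accessibility service, and the thresholds would be fitted on the institution's own keystroke baselines.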


Herodotus shows how far Android banking malware has evolved—from blunt credential theft to behaviorally adaptive impersonation. By merging technical skill with psychological mimicry, it brings social engineering to its most literal form: the malware behaves like us.

As anti-fraud systems get smarter, the adversaries—just like the ancient strategists of Troy—are learning to fight with cunning rather than brute force.
