Full Report
Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover (DTO) attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with
Analysis Summary
# Tool/Technique: Herodotus
## Overview
Herodotus is an Android banking trojan, sold as Malware-as-a-Service (MaaS), observed in active campaigns against financial users in Italy and Brazil. It performs Device Takeover (DTO) fraud from the victim's own device and is notable for making a first attempt at mimicking human behaviour in order to evade anti-fraud and behaviour-biometrics detection.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android (Versions 9 to 16)
- Capabilities: Device takeover, credential theft, 2FA interception, screen overlay attacks, human-like input simulation.
- First Seen: Advertised in underground forums on September 7, 2025.
## MITRE ATT&CK Mapping
Note: Herodotus is Android malware, so the mapping uses the ATT&CK for Mobile matrix; its tactic IDs (TA0027 and up) and technique IDs differ from the Enterprise matrix.
- **TA0027 - Initial Access**
  - T1660 - Phishing (SMS phishing and social engineering that lead the victim to sideload the dropper)
- **TA0030 - Defense Evasion**
  - T1655.001 - Masquerading: Match Legitimate Name or Location (dropper posing as Google Chrome)
  - T1406 - Obfuscated Files or Information (obfuscation techniques borrowed from Brokewell)
  - T1516 - Input Injection (text entered through the Accessibility Service with randomized 300–3000 ms delays to evade timing-based anti-fraud checks; the delay trick itself has no dedicated technique ID)
  - T1407 - Download New Code at Runtime (remote installation of additional APKs)
- **TA0031 - Credential Access**
  - T1417.001 - Input Capture: Keylogging (Accessibility-based capture of typed text)
  - T1417.002 - Input Capture: GUI Input Capture (overlays on banking apps; lockscreen PIN/pattern)
- **TA0035 - Collection**
  - T1636.004 - Protected User Data: SMS Messages (interception of SMS 2FA codes)
  - T1513 - Screen Capture (reading screen contents)
- **TA0037 - Command and Control**
  - T1437 - Application Layer Protocol (tasking and exfiltration; the article does not specify the protocol)
Abuse of the Accessibility Service to grant itself permissions and operate the UI was formerly covered by T1453 (Abuse Accessibility Features), now deprecated; it is represented here by the Input Capture and Input Injection entries.
## Functionality
### Core Capabilities
- **Device Takeover (DTO):** Primary goal is achieving full control over the device during live sessions.
- **Accessibility Service Abuse:** Leverages Android's Accessibility features to interact with the screen, hide malicious operations, and display fake login screens (overlays).
- **Credential Theft:** Steals banking credentials via overlay screens placed atop legitimate financial applications.
- **2FA Interception:** Captures two-factor authentication codes delivered via SMS.
- **Permission Self-Grant:** After installation it attempts to grant itself the permissions it needs automatically, rather than relying on the victim to approve each prompt.
- **Delivery:** Distributed via dropper apps (e.g., one variant masqueraded as Google Chrome, package: `com.cd3.app`) delivered through SMS phishing and social engineering.
### Advanced Features
- **Human Behavior Mimicry:** Instead of placing text into a field in a single action, it enters it character by character with a randomized delay of 300 ms to 3000 ms between input events, so the cadence resembles a person typing. This is aimed at timing-based anti-fraud checks that flag machine-speed input; ThreatFabric describes it as a first attempt at mimicking human behaviour, not a full reproduction of human typing patterns.
- **Brokewell Inheritance:** Borrows obfuscation techniques and references (e.g., "BRKWL\_JAVA") from the previous Android banking trojan, Brokewell.
- **Broad Targeting:** Overlay pages suggest targeting financial organizations/apps in the U.S., Turkey, U.K., and Poland, in addition to the initially observed Italy and Brazil, indicating rapid expansion goals.
- **Remote APK Installation:** Capable of installing new APK files remotely onto the compromised device.
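How the randomized delay looks from the fraud engine's side, as an added example (not code from Herodotus or from ThreatFabric's report): the attacker-side injector is modelled in Python, and a small classifier separates machine-speed bursts, Herodotus-style uniform delays, and human typing. The function names, thresholds and sample timelines are constructed for this example.

```python
"""Inter-keystroke timing: machine-speed injection, Herodotus-style randomized
delays, and human typing, seen from a behaviour-biometrics check.

Added example, not code from Herodotus or from ThreatFabric's report. All
timelines are constructed; the thresholds are illustrative assumptions, and a
production system would compare against a per-user baseline, not fixed constants.
"""
import random
from statistics import median


def inject_with_random_delays(text, rng, low_ms=300, high_ms=3000):
    """Model the attacker side: one input event per character, separated by a
    uniformly random delay in [low_ms, high_ms], as the report describes
    Herodotus doing. The real malware drives the Android Accessibility API;
    only the resulting event timeline (timestamp_ms, char) is modelled here."""
    t = 0
    events = []
    for ch in text:
        events.append((t, ch))
        t += rng.randint(low_ms, high_ms)
    return events


def events_from_intervals(gaps_ms, text=None):
    """Build an event timeline from a list of inter-keystroke gaps in ms."""
    times = [0]
    for g in gaps_ms:
        times.append(times[-1] + g)
    chars = text or "x" * len(times)
    return list(zip(times, chars))


def intervals(events):
    """Inter-event gaps in ms for a timeline of (timestamp_ms, char)."""
    times = [t for t, _ in events]
    return [b - a for a, b in zip(times, times[1:])]


def classify_typing(events, fast_ms=150, floor_ms=300, slow_median_ms=800):
    """Return 'insufficient', 'machine_speed', 'randomized_delay' or 'human_like'.

    machine_speed:    median gap far below any human key cadence (bulk text
                      set in one burst, or a bot with no delay at all).
    randomized_delay: no gap faster than fast_ms, every gap at or above the
                      floor, and a slow median: the footprint of a uniform
                      random delay drawn from a fixed window. Human typing
                      almost always contains a few quick digraphs.
    """
    gaps = intervals(events)
    if len(gaps) < 6:
        return "insufficient"
    med = median(gaps)
    if med < 50:
        return "machine_speed"
    no_fast = all(g >= fast_ms for g in gaps)
    if no_fast and min(gaps) >= floor_ms and med >= slow_median_ms:
        return "randomized_delay"
    return "human_like"


# Constructed samples, not captured data.
HUMAN_GAPS_MS = [180, 210, 140, 390, 170, 950, 160, 230, 190, 310]
MACHINE_GAPS_MS = [4] * 10
HERODOTUS_GAPS_MS = [1450, 320, 2780, 900, 1200, 2100, 640, 1900, 310, 2500]


def herodotus_like_sample(seed=7):
    """Deterministic Herodotus-style timeline for a 16-character e-mail address."""
    return inject_with_random_delays("user@example.com", random.Random(seed))


if __name__ == "__main__":
    samples = [("human", events_from_intervals(HUMAN_GAPS_MS)),
               ("machine", events_from_intervals(MACHINE_GAPS_MS)),
               ("herodotus (fixed)", events_from_intervals(HERODOTUS_GAPS_MS)),
               ("herodotus (rng)", herodotus_like_sample())]
    for name, ev in samples:
        gaps = intervals(ev)
        print(f"{name:18s} min={min(gaps):5d} median={median(gaps):7.1f} "
              f"max={max(gaps):5d} ms -> {classify_typing(ev)}")
```

Herodotus's cadence defeats the "faster than a human" threshold that many fraud engines start with, which is why `classify_typing` looks for what uniform random delays cannot produce: no quick digraphs at all and a hard floor under every gap. The rule is deliberately simple and will misfire on a careful two-finger typist entering a long card number, so in practice these timing features feed a per-user model alongside other touch and sensor signals rather than a fixed rule.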
## Indicators of Compromise
- File Hashes: *Not specified in the article.*
- File Names: Dropper apps masquerading as legitimate software (e.g., Google Chrome); one observed dropper used the package name `com.cd3.app`.
- Registry Keys: *Not applicable (Android).*
- Network Indicators: C2 activity is described, but the article gives no domains or IP addresses.
- Behavioral Indicators: Form fields filled one character at a time with inter-keystroke gaps of 300–3000 ms and never faster; an Accessibility Service enabled for a sideloaded app posing as a browser; UI actions (taps, text entry, permission grants) performed through Accessibility Services without user interaction.
## Associated Threat Actors
- Not named in the article. Herodotus is sold as Malware-as-a-Service (MaaS), so campaigns may be run by several unrelated affiliates; observed and prepared targets span Italy, Brazil, the U.S., Turkey, the U.K., and Poland.
## Detection Methods
- Signature-based detection: Feasible for known samples and the known dropper package name (`com.cd3.app`), but hashes and package names are trivially rotated between campaigns, so this only catches builds that have already been analysed.
- Behavioral detection: On the banking-app or fraud-engine side, inter-keystroke timing analysis that treats a uniform 300–3000 ms cadence (no fast digraphs, every gap above a fixed floor) as anomalous against the user's baseline, not only machine-speed input. On the device side, monitoring for Accessibility Services enabled by sideloaded apps and for Accessibility-driven UI interaction with banking apps.
- YARA rules: *Not specified in the article.*
## Mitigation Strategies
- **Prevention:** Avoid clicking links or downloading applications from unsolicited SMS/social engineering campaigns; only use official app stores.
- **Hardening:** Regularly audit and restrict the permissions granted to third-party applications, especially Accessibility permissions.
- **Risk Management:** Financial institutions should use anti-fraud and behaviour-biometrics systems that model typing cadence and touch dynamics against a per-user baseline rather than only flagging machine-speed input, since a uniformly randomized delay defeats a simple speed threshold.
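An added example for the hardening step above, not tooling from the report: a Python triage script that parses the output of two adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags enabled Accessibility Services whose package was not installed by Google Play. The sample outputs are constructed; the `AccService` class name under `com.cd3.app` is an assumption, since the article names only the package.

```python
"""Triage check: which enabled Accessibility Services belong to sideloaded packages?

Added example, not tooling from the ThreatFabric report. Inputs are the text
printed by two adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
The outputs below are constructed for this example; the AccService class name
under com.cd3.app is an assumption (the article names only the package).
"""
import subprocess

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated component names ("pkg/class"), or "null" when none is enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.cd3.app/.AccService"
)

# Constructed sample of `pm list packages -i`; installer=null means the package
# did not come from a store (sideloaded via a browser download or adb).
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.cd3.app  installer=null
package:com.android.chrome  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for OEM stores


def parse_enabled_services(raw):
    """Return [(package, fully-qualified service class), ...]."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # shorthand class name relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package name -> installer package name (or 'null')."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installers[name.strip()] = rest.strip() or "null"
    return installers


def suspicious_services(enabled_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Enabled Accessibility Services whose package did not come from a trusted installer."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg, "unknown")
        if installer not in trusted:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings


def adb(*args):
    """Run an adb shell command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    if "--device" in sys.argv:   # query a live device; otherwise use the samples
        enabled = adb("settings", "get", "secure", "enabled_accessibility_services")
        packages = adb("pm", "list", "packages", "-i")
    else:
        enabled, packages = SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES
    for f in suspicious_services(enabled, packages):
        print(f"SUSPICIOUS accessibility service {f['service']} "
              f"(package {f['package']}, installer={f['installer']})")
```

A sideloaded app with an enabled Accessibility Service is exactly the state a Herodotus dropper aims to reach, so this is the first thing to check on a device suspected of DTO abuse. `installer=null` also covers packages pushed with adb, and OEM-preloaded accessibility services may report an OEM store as installer, so extend `TRUSTED_INSTALLERS` for the fleet in question rather than treating every finding as malicious on its own.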
## Related Tools/Techniques
- **Brokewell:** Herodotus borrows obfuscation techniques and includes references to this progenitor malware.
- **Banking Trojans:** General category of malware focused on financial theft on mobile devices.