Analysis Summary
# New Herodotus Android Malware Fakes Human Typing to Avoid Detection
## Key Points
- A new Android malware family, Herodotus, uses random delay injection in its input routines to mimic human behavior on mobile devices and evade timing-based detection by security software.
- Herodotus is offered as a malware-as-a-service (MaaS) to financially motivated cybercriminals, believed to be the same operators behind Brokewell.
- The malware is spread through SMS phishing (smishing) text messages that install a custom dropper and attempt to bypass Accessibility permission restrictions present in Android 13 and later.
## Threat Actors
- Believed to be the same operators behind Brokewell
- Currently being deployed by several threat actors, based on detection of seven distinct subdomains
## TTPs
- Random delay injection in input routines to mimic human behavior
- Use of a 'humanizer' mechanism for text input actions, causing it to type with random delays of 0.3 to 3 seconds between inputs
- Custom SMS text and overlay pages mimicking banking and crypto apps to steal account credentials
- Opaque overlays that hide fraud from the victim
- SMS stealer for two-factor authentication code interception
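As an added illustration of the timing-based detection the humanizer is built to defeat (example code, not from the report or its authors): a heuristic that looks at gaps between input events and flags a burst whose gaps all sit inside the 0.3 to 3 s window and are spread roughly uniformly across it. The event thresholds and the sample timestamps are assumptions constructed for the example.

```python
"""Added example (not from the report): a timing heuristic a detection
engineer could run over input-event timestamps to spot the kind of
'humanizer' delays the report describes (0.3 to 3 s between actions).
The MIN_EVENTS and KS_THRESHOLD values are assumptions, not report data."""
from typing import Sequence

HUMANIZER_MIN, HUMANIZER_MAX = 0.3, 3.0   # delay window the report attributes to Herodotus
MIN_EVENTS = 8                            # assumed: gaps needed before testing a distribution
KS_THRESHOLD = 0.25                       # assumed: max distance from a uniform CDF to flag


def inter_event_gaps(timestamps: Sequence[float]) -> list[float]:
    """Seconds between consecutive input events (timestamps in seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def ks_distance_to_uniform(gaps: Sequence[float], lo: float, hi: float) -> float:
    """Kolmogorov-Smirnov style distance between the empirical CDF of the gaps
    and a uniform distribution on [lo, hi]. Small values mean 'looks uniform'."""
    xs = sorted(gaps)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        u = (x - lo) / (hi - lo)              # uniform CDF evaluated at x
        d = max(d, abs((i + 1) / n - u), abs(i / n - u))
    return d


def looks_humanized(timestamps: Sequence[float]) -> dict:
    """Flag a burst of input events whose gaps all fall inside the humanizer
    window and are spread roughly uniformly across it. Real typing usually has
    many sub-0.3 s gaps and occasional pauses well over 3 s, so it fails the
    window check; a uniformly randomised delay between actions does not."""
    gaps = inter_event_gaps(timestamps)
    if len(gaps) < MIN_EVENTS:
        return {"flagged": False, "reason": "too few events"}
    if not all(HUMANIZER_MIN <= g <= HUMANIZER_MAX for g in gaps):
        return {"flagged": False, "reason": "gaps outside humanizer window"}
    d = ks_distance_to_uniform(gaps, HUMANIZER_MIN, HUMANIZER_MAX)
    return {"flagged": d <= KS_THRESHOLD, "reason": f"ks_distance={d:.2f}"}


# Constructed sample timestamps in seconds, not captured from real devices.
HUMAN_TYPING = [0.0, 0.12, 0.31, 0.45, 0.52, 0.78, 0.90, 1.05, 1.21, 5.9, 6.1, 6.2]
HUMANIZED_INPUT = [0.0, 0.9, 3.3, 3.7, 5.4, 8.3, 9.5, 10.2, 12.4, 13.8, 16.5, 18.4]

if __name__ == "__main__":
    print("human:    ", looks_humanized(HUMAN_TYPING))
    print("humanized:", looks_humanized(HUMANIZED_INPUT))
```

On real telemetry the window check alone is the cheap first filter; the distribution test only matters once every gap in a burst already sits inside the window.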
## Affected Systems
- Android devices running Android 13 and later
- Specifically targeted at Italian and Brazilian users through SMS phishing (smishing) text messages
## Mitigations
- Avoid downloading APK files from outside Google Play unless explicitly trusted
- Ensure Play Protect is active on the device
- Scrutinize and revoke risky permissions, such as Accessibility, for newly installed apps