Herodotus Android Banking Trojan Evades Behavioral Biometrics with Human‑Like Input

CyberSecureFox 🦊

ThreatFabric has profiled a new Android banking trojan dubbed Herodotus that targets users in Italy and Brazil and is already expanding to additional regions. The malware’s standout capability is its deliberate simulation of human‑like input to evade behavioral biometrics used by banks and fintechs to detect automated fraud.

Malware-as-a-Service model and Android 9–16 coverage

According to ThreatFabric, Herodotus has been advertised on underground forums since 7 September 2025 as a malware‑as‑a‑service (MaaS) offering. This subscription model lowers the barrier to entry for operators and accelerates campaign scale‑up. The developers claim support for Android 9–16, covering the vast majority of active devices and increasing potential impact.

Technical lineage: echoes of Brokewell without a direct fork

Herodotus is not a direct fork of the Brokewell banker, yet it employs similar obfuscation techniques and contains explicit code references such as the string “BRKWL_JAVA.” This indicates code and technique borrowing—common across Android banking malware families—and suggests rapid know‑how transfer within the ecosystem.

Infection vectors: Chrome‑themed droppers, SMS phishing, and Accessibility abuse

The trojan spreads via dropper apps masquerading as Google Chrome (package com.cd3.app) and through SMS phishing and other social‑engineering lures. Post‑installation, it requests Accessibility Services privileges and then abuses them to gain near‑full device control, enabling UI interaction, content scraping, and permission harvesting—tactics widely observed in families like SharkBot, TeaBot, Xenomorph, and Brokewell.

Human‑like input simulation defeats behavioral biometrics

Rather than injecting a credential in one burst, Herodotus inserts a random delay of 300 to 3000 ms between keystrokes, so the input cadence shows variance comparable to a person typing on a phone. Instantaneous or fixed‑interval input is one of the clearest signals anti‑fraud engines use, alongside swipe acceleration and tap rhythm; randomizing the timing weakens that signal and makes scripted activity harder to distinguish from a customer during login and transaction flows.
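As an added illustration, not code from the article or from ThreatFabric's research, the Python below compares simple inter‑keystroke timing statistics across three constructed input streams: a naive fixed‑delay script, a Herodotus‑style stream with delays drawn at random from the reported 300–3000 ms window, and a synthetic "human" stream. The human model (right‑skewed log‑normal intervals), the assumption that the malware samples its delays uniformly, and every threshold are assumptions for the sake of the example, not measured data or vendor detection logic.

```python
"""Inter-keystroke timing features versus randomized input automation.

Added illustration, not code from the article or from ThreatFabric. It builds
three constructed input streams (no real telemetry is used):
  * a naive script that injects keys at a fixed interval,
  * a Herodotus-style stream with a uniform random delay of 300-3000 ms between
    keystrokes (the range reported for the malware; uniform sampling is an
    assumption),
  * a "human" stream modelled as right-skewed log-normal intervals; this is an
    assumption about typical typing, not measured data.
It then shows that a cadence-regularity check alone passes the randomized
stream, while simple shape features (no fast keystrokes, flat distribution)
still separate it. Thresholds are illustrative.
"""
import random
import statistics
from typing import Dict, List

KEYSTROKES = 500


def fixed_delay_stream(n: int = KEYSTROKES, delay_ms: float = 50.0) -> List[float]:
    """Constructed: a script typing with a constant inter-key delay."""
    return [delay_ms] * n


def herodotus_style_stream(n: int = KEYSTROKES, seed: int = 1) -> List[float]:
    """Constructed: delays drawn uniformly from the 300-3000 ms window."""
    rng = random.Random(seed)
    return [rng.uniform(300.0, 3000.0) for _ in range(n)]


def human_like_stream(n: int = KEYSTROKES, seed: int = 1) -> List[float]:
    """Constructed (assumption): log-normal intervals, median ~150 ms,
    most keystrokes under 300 ms, occasional long pauses capped at 4 s."""
    rng = random.Random(seed)
    return [min(rng.lognormvariate(5.0, 0.6), 4000.0) for _ in range(n)]


def timing_features(intervals: List[float]) -> Dict[str, float]:
    """Summary statistics of inter-keystroke intervals in milliseconds."""
    if len(intervals) < 10:
        raise ValueError("need at least 10 intervals")
    mean = statistics.fmean(intervals)
    median = statistics.median(intervals)
    stdev = statistics.pstdev(intervals)
    return {
        "mean_ms": mean,
        "median_ms": median,
        "min_ms": min(intervals),
        # Coefficient of variation: near zero for machine-regular cadence.
        "cv": stdev / mean if mean else 0.0,
        # Mean-minus-median skew proxy: ~0 for a flat uniform distribution,
        # clearly positive for right-skewed human typing.
        "skew": (mean - median) / stdev if stdev else 0.0,
        # Share of intervals under 300 ms; fast digraphs are common for people
        # but impossible if every delay is drawn from [300, 3000] ms.
        "fast_fraction": sum(1 for x in intervals if x < 300.0) / len(intervals),
    }


def cadence_regularity_flag(features: Dict[str, float], cv_threshold: float = 0.05) -> bool:
    """Naive check: flag only machine-regular cadence. Randomized delays pass."""
    return features["cv"] < cv_threshold


def classify(features: Dict[str, float]) -> str:
    """Illustrative rule set; thresholds are assumptions, not vendor logic."""
    if cadence_regularity_flag(features):
        return "scripted"
    # Plausible variance but zero fast keystrokes and a flat distribution:
    # the signature of delays sampled uniformly from a fixed window.
    if features["fast_fraction"] == 0.0 and abs(features["skew"]) < 0.3:
        return "randomized-automation"
    return "human-like"


if __name__ == "__main__":
    for name, stream in (
        ("fixed-delay script", fixed_delay_stream()),
        ("Herodotus-style 300-3000 ms", herodotus_style_stream()),
        ("constructed human", human_like_stream()),
    ):
        f = timing_features(stream)
        summary = ", ".join(f"{k}={v:.2f}" for k, v in f.items())
        print(f"{name}: {summary} -> cadence_flag={cadence_regularity_flag(f)} "
              f"class={classify(f)}")
```

Run the file directly to print one row per stream. The point to take away is the caveat: the naive cadence check (coefficient of variation near zero) is exactly what the 300–3000 ms randomization defeats, yet sampling from a fixed window leaves its own fingerprint, namely no interval under 300 ms and a mean that coincides with the median. Real anti‑fraud stacks weigh many more signals than keystroke timing, such as the swipe acceleration and tap rhythm the article mentions plus touch and motion‑sensor data, and whether actual Herodotus samples draw delays uniformly is not stated in the article.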

Geographic expansion and targets beyond banking

While initial activity focused on Italy and Brazil, ThreatFabric has identified overlay templates for financial institutions in the United States, Turkey, United Kingdom, and Poland. Beyond banks, operators are also targeting cryptocurrency wallets and exchanges, mirroring a broader criminal trend to diversify monetization beyond traditional account drains.

Why behavioral analysis evasion raises the risk

Behavioral biometrics has become a cornerstone of mobile anti‑fraud, complementing device risk and identity checks. Herodotus is the first widely reported Android banker to purposefully tune its interaction patterns to appear human, which increases the likelihood of active session takeovers. Once inside a trusted session, actors can initiate transfers, modify payees, and navigate step‑up prompts with reduced scrutiny, diminishing the protective value of one‑time codes and static credentials.

Rapid development and a shift toward account takeover

ThreatFabric assesses that Herodotus is under active development and selectively incorporates successful techniques seen in Brokewell. The operational focus is moving from simple credential theft to real‑time account takeover (ATO), where adversaries hijack and sustain live sessions to execute fraud within the bank’s legitimate app context, increasing transaction success rates.

Mitigation guidance for enterprises and end users

Financial institutions and enterprises should harden mobile channels against Accessibility‑driven automation: restrict sideloading, enforce app allowlists via MDM/EMM, and deploy Mobile Threat Defense (MTD) capable of detecting overlays, Accessibility misuse, UI automation, and anomalous input timing. Because Herodotus targets cadence checks specifically, anti‑fraud models should not treat plausible timing variance on its own as evidence of a live user. Combine behavioral biometrics with emulation/script detection, server‑side risk analytics, and in‑session challenge strategies resistant to automated interaction.

Users should scrutinize app permissions, avoid installing apps from untrusted links or SMS, and keep devices updated. If a “Chrome update” request comes from outside the official store or prompts for Accessibility access, it should be treated as suspicious.

Herodotus underscores how quickly fraud tooling adapts to detection controls. By anticipating human‑like automation and testing defenses against timing‑randomized input and overlay attacks, organizations can reduce ATO exposure while maintaining low friction for legitimate customers.
