New Android malware mimics human typing to evade detection, steal money
Summary
Researchers have identified a new Android banking trojan named Herodotus that evades detection by mimicking human behaviour when remotely controlling infected devices. Reported by ThreatFabric, the tool — attributed to a developer using the handle K1R0 — takes full control of victims’ phones to steal credentials, intercept one-time passcodes and automate fraudulent transactions while attempting to look like a real user.
Key Points
- Herodotus is an Android banking trojan observed in active campaigns in Italy and Brazil.
- The malware spreads via SMS lures that prompt victims to install a malicious app disguised as legitimate banking or payment-security software.
- It overlays fake login/payment screens on top of real apps to harvest credentials and payment details.
- Herodotus intercepts incoming SMS messages to capture OTPs and abuses Android accessibility features to read device screens.
- Its standout evasion technique: it types characters individually with random pauses (~0.3–3 seconds) to mimic human keystroke cadence instead of pasting data, defeating simple automation-detection heuristics.
- The developer has advertised plans to sell the malware as a service on underground forums, suggesting wider spread and further evolution.
- Fraud controls based solely on interaction tempo or keystroke cadence can be bypassed; combining behavioural signals with device-environment checks is more effective.
Content Summary
Herodotus functions like many modern banking trojans: victims are tricked into installing an app, which then waits for targeted banking or crypto apps to open and displays convincing overlay pages to steal credentials. It also captures SMS OTPs and leverages accessibility APIs to read screen content and execute commands.
What sets it apart is its effort to “humanise” automated inputs. Instead of bulk-pasting account details or passwords, the malware simulates human typing by sending individual keystrokes with variable delays. This reduces obvious automation signals and complicates detection by systems that flag unusually fast or synthetic input patterns.
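The following is an added illustration, not code from ThreatFabric, The Record or the malware itself. It simulates the reported input style (one character per event, random 0.3–3 second pause) and runs it through two fraud checks: a tempo-only heuristic of the kind the report says is bypassed, and a scorer that also weighs device-environment signals an Android banking app can actually read (installer package, enabled accessibility services, overlay permission). The SDK field names, the allow-list, the weights and the threshold are assumptions made for this example.

```python
"""Added example: why tempo-only fraud checks pass Herodotus-style typing,
and how device-environment signals restore detection. Field names, weights,
threshold and the trusted-service allow-list are assumptions."""
import random
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Keystroke:
    text: str      # characters delivered in this input event
    gap_s: float   # seconds since the previous input event


def herodotus_style_typing(secret: str, rng: random.Random,
                           low: float = 0.3, high: float = 3.0) -> List[Keystroke]:
    """One character per event with a random pause, as the report describes."""
    return [Keystroke(ch, rng.uniform(low, high)) for ch in secret]


def pasted_input(secret: str) -> List[Keystroke]:
    """Bulk paste: the whole credential lands in a single input event."""
    return [Keystroke(secret, 0.0)]


def tempo_only_check(events: List[Keystroke], min_gap_s: float = 0.05) -> bool:
    """Naive heuristic: True when input looks synthetic.
    Flags multi-character events (paste) or gaps faster than a human can type."""
    if any(len(e.text) > 1 for e in events):
        return True
    gaps = [e.gap_s for e in events[1:]]
    return bool(gaps) and min(gaps) < min_gap_s


@dataclass
class DeviceContext:
    """Assumed shape of what a banking app's risk SDK reports about the device.
    installer_package: PackageManager install source (None = sideloaded).
    accessibility_services: enabled accessibility service package names.
    can_draw_overlays: SYSTEM_ALERT_WINDOW granted to some package."""
    installer_package: Optional[str]
    accessibility_services: List[str] = field(default_factory=list)
    can_draw_overlays: bool = False


# Assumed allow-list of legitimate accessibility services (e.g. a screen reader).
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
BLOCK_THRESHOLD = 4  # assumed cut-off for stepping up authentication


def risk_score(events: List[Keystroke], ctx: DeviceContext) -> Tuple[int, List[str]]:
    """Combine the tempo signal with device-environment signals.
    Weights are illustrative; the point is that tempo alone is not decisive."""
    score, reasons = 0, []
    if tempo_only_check(events):
        score += 2
        reasons.append("synthetic input tempo")
    if ctx.installer_package is None:
        score += 2
        reasons.append("banking app opened on a device with a sideloaded installer source")
    unknown = [s for s in ctx.accessibility_services if s not in TRUSTED_ACCESSIBILITY]
    if unknown:
        score += 3
        reasons.append(f"unrecognised accessibility service(s): {unknown}")
    if ctx.can_draw_overlays:
        score += 1
        reasons.append("overlay permission granted")
    return score, reasons


if __name__ == "__main__":
    rng = random.Random(7)
    typed = herodotus_style_typing("hunter2", rng)          # constructed sample
    print("tempo-only flags humanised typing:", tempo_only_check(typed))
    print("tempo-only flags paste:", tempo_only_check(pasted_input("hunter2")))
    infected = DeviceContext(None, ["com.example.rat.service"], True)  # constructed
    clean = DeviceContext("com.android.vending")                         # constructed
    print("infected device:", risk_score(typed, infected))
    print("clean device:", risk_score(typed, clean))
```

Run as-is it shows the humanised keystream slipping past `tempo_only_check` while the same stream on a sideloaded device with an unknown accessibility service and overlay rights scores above the threshold; on a store-installed device with no such services it scores zero.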
Context and Relevance
Herodotus illustrates a worrying trend: attackers are engineering malware to mimic genuine human interaction, forcing defenders to rely on richer, multi-faceted detection methods. For banks, payment providers and fraud teams, this means keystroke cadence or interaction tempo on its own is no longer a sufficient indicator of fraud; it needs to be weighed alongside device-environment signals such as the app's install source, enabled accessibility services and overlay permissions.
The malware’s presence in Italy and Brazil, plus fake overlays targeting services in the US, UK, Turkey and Poland, indicates a potential for rapid geographic expansion — especially if offered as a service on criminal marketplaces.
Why should I read this?
Short version: this thing types like you do, so basic keystroke checks might give it a free pass. If you work in fraud prevention, mobile security or run a banking/payment service, you need to know this technique exists and which extra signals to look for. If you're a consumer, install apps only from official stores, be suspicious of SMS links, and be wary of any "security" app that asks for accessibility access. We've skimmed the technical bits and pulled out what actually matters for stopping it.
Source
Source: https://therecord.media/android-malware-mimics-humans-avoid-detection
