Android malware types like your gran to steal banking creds
Summary
ThreatFabric researchers have identified a new Android banking trojan called Herodotus that steals banking credentials, logs keystrokes, streams the screen and hijacks input, with one crafty twist: when an operator remotely types into a victim's app, the malware deliberately inserts random pauses between keystrokes so the input looks like a human typing rather than a bot pasting text, which is aimed at the timing-based bot checks many banking apps and fraud engines use. The malware combines parts of the existing Brokewell banking malware with original code and has been observed in device-takeover campaigns in Italy and Brazil.
Herodotus is distributed via a custom dropper (likely through SMS phishing and side-loading), requests Accessibility privileges to control devices, and deploys overlay pages that mimic real banking and crypto apps in multiple countries. The developer (alias “K1R0”) is offering the trojan as a service, suggesting it may spread further as it evolves.
Key Points
- Herodotus is an Android remote‑access trojan that steals credentials, logs keys, intercepts OTPs and can capture fingerprints and PINs.
- A notable evasion technique: instead of pasting an operator-supplied string in one go, it splits the text into individual characters and injects them with random delays of 300–3,000 ms between keystrokes, mimicking human typing cadence to get past timing-based bot detection.
- The trojan uses overlays to present fake banking/cryptocurrency app screens in regions including the US, UK, Turkey, Poland, Italy and Brazil.
- Infection appears to rely on side‑loading via SMS phishing links and a bespoke dropper written by the same developer.
- The malware is sold as a service by an actor known as “K1R0”, and ThreatFabric warns it’s still in development and likely to evolve and spread.
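To make the keystroke-timing point concrete, here is an added example (written for this summary, not code from ThreatFabric, The Register or the malware itself). It models only the timing pattern the report describes, one character at a time with a uniform random 300–3,000 ms gap, and runs it through two defender-side checks: a classic timing gate that flags sub-human or perfectly regular gaps, and a comparison of the interval statistics against a baseline. The "scripted paste" sequence, the constructed human sequence and the baseline window of 100–600 ms are assumptions for illustration; a real deployment measures its own baseline per user and per field.

```python
"""Timing-based input checks against Herodotus-style jittered keystrokes.

Illustrative example added to this summary. Only the *timing* of injected
characters is modelled; how the trojan injects them via Accessibility is
deliberately left out. The human baseline numbers are assumed, not measured.
"""
import random
import statistics
from typing import Dict, List, Tuple


def jittered_keystroke_times(text: str, rng: random.Random,
                             lo_ms: int = 300, hi_ms: int = 3000) -> List[int]:
    """Per-character timestamps (ms) for text entered one character at a time
    with a uniform random delay in [lo_ms, hi_ms], the range reported for
    Herodotus."""
    t = 0
    times: List[int] = []
    for _ in text:
        t += rng.randint(lo_ms, hi_ms)
        times.append(t)
    return times


def scripted_paste_times(text: str, gap_ms: int = 5) -> List[int]:
    """Timestamps for a crude bot that fills a field with a fixed, tiny gap
    between characters (the behaviour a timing gate is built to catch).
    Assumed comparison case, not something the report describes."""
    return [gap_ms * (i + 1) for i in range(len(text))]


def inter_key_intervals(times: List[int]) -> List[int]:
    """Gaps between consecutive keystroke timestamps."""
    return [b - a for a, b in zip(times, times[1:])]


def naive_timing_gate(times: List[int], min_gap_ms: int = 50) -> bool:
    """Classic bot gate: flag if any gap is faster than a human could type or
    if every gap is identical (machine-regular). Returns True when flagged."""
    gaps = inter_key_intervals(times)
    if not gaps:
        return False
    too_fast = any(g < min_gap_ms for g in gaps)
    machine_regular = len(set(gaps)) == 1
    return too_fast or machine_regular


def interval_features(times: List[int]) -> Dict[str, float]:
    """Summary statistics a behavioural model would consume instead of a
    single threshold: count, mean, population stdev, coefficient of variation."""
    gaps = inter_key_intervals(times)
    if len(gaps) < 2:
        mean = float(gaps[0]) if gaps else 0.0
        return {"n": float(len(gaps)), "mean_ms": mean, "stdev_ms": 0.0, "cv": 0.0}
    mean = statistics.fmean(gaps)
    sd = statistics.pstdev(gaps)
    return {"n": float(len(gaps)), "mean_ms": mean, "stdev_ms": sd,
            "cv": sd / mean if mean else 0.0}


def profile_check(times: List[int],
                  baseline_mean_ms: Tuple[int, int] = (100, 600)) -> bool:
    """Flag input whose mean inter-key gap falls outside an ASSUMED baseline
    window for a phone password field. Jitter defeats a fixed threshold; it
    does not by itself reproduce a user's measured typing distribution."""
    f = interval_features(times)
    lo, hi = baseline_mean_ms
    return f["n"] >= 2 and not (lo <= f["mean_ms"] <= hi)


# Constructed human-like sequence (assumed, ~160-350 ms gaps with natural variation).
HUMAN_SAMPLE: List[int] = [0, 180, 390, 550, 900, 1090, 1300, 1470, 1800, 2000]


def build_demo(seed: int = 1) -> Dict[str, Dict[str, object]]:
    """Run all three sequences through both checks; seeded so output is reproducible."""
    rng = random.Random(seed)
    secret = "s3cret-pin"                      # constructed sample input
    sequences = {
        "herodotus-style": jittered_keystroke_times(secret, rng),
        "scripted-paste": scripted_paste_times(secret),
        "human-sample": HUMAN_SAMPLE,
    }
    return {
        name: {"naive_gate": naive_timing_gate(t),
               "profile_check": profile_check(t),
               "features": interval_features(t)}
        for name, t in sequences.items()
    }


if __name__ == "__main__":
    for name, r in build_demo().items():
        print(f"{name:16s} naive_gate={r['naive_gate']!s:5} "
              f"profile_check={r['profile_check']!s:5} {r['features']}")
```

Running it shows the point the report makes: the jittered sequence sails through the naive gate (every gap is well above 50 ms and none repeat), exactly as the paste-style bot does not. The assumed profile check still separates it from the constructed human sample because the mean gap of a 300–3,000 ms uniform draw sits around 1.6 s, far slower than the baseline window; whether that holds against real users with real hesitation is a question for your own baseline data, not for this sketch.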
Why should I read this?
Because if you thought mobile banking fraud was getting lazy, think again: attackers are making their bots act human to dodge detection. If you manage security, work in fraud detection, or just use banking apps on Android, this one's worth a quick skim so you know what to watch out for.
Source
Source: https://www.theregister.com/2025/10/28/android_malware_randomly_delays_texts/
