Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover (DTO) attacks.
“Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection,” ThreatFabric said in a report shared with The Hacker News.
The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16.
It’s assessed that while the malware is not a direct evolution of another banking malware known as Brokewell, it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., “BRKWL_JAVA”).
Herodotus is also the latest in a long list of Android malware to abuse accessibility services to realize its goals. Distributed via dropper apps masquerading as Google Chrome (package name “com.cd3.app”) through SMS phishing or other social engineering ploys, the malicious program leverages the accessibility feature to interact with the screen, serve opaque overlay screens to hide malicious activity, and conduct credential theft by displaying bogus login screens atop financial apps.
Additionally, it can also steal two-factor authentication (2FA) codes sent via SMS, intercept everything that’s displayed on the screen, grant itself extra permissions as required, grab the lockscreen PIN or pattern, and install remote APK files.
But where the new malware stands out is in its ability to humanize fraud and evade timing-based detections. Specifically, this includes an option to introduce random delays when initiating remote actions such as typing text on the device. This, ThreatFabric said, is an attempt by the threat actors to make it seem like the input is being entered by an actual user.
“The delay specified is in the range of 300 – 3000 milliseconds (0,3 – 3 seconds),” it explained. “Such a randomization of delay between text input events does align with how a user would input text. By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions spotting machine-like speed of text input.”
ThreatFabric said it also obtained overlay pages used by Herodotus targeting financial organisations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges, indicating that the operators are attempting to actively expand their horizons.
“It is under active development, borrows techniques long associated with the Brokewell banking Trojan, and appears purpose-built to persist inside live sessions rather than simply steal static credentials and focus on account takeover,” the company noted.
