New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human
Briefly

"Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with The Hacker News. The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16. It's assessed that while the malware is not a direct evolution of another banking malware known as Brokewell, it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., "BRKWL_JAVA")."
"Herodotus is also the latest in a long list of Android malware to abuse accessibility services to realize its goals. Distributed via dropper apps masquerading as Google Chrome (package name "com.cd3.app") through SMS phishing or other social engineering ploys, the malicious program leverages the accessibility feature to interact with the screen, serve opaque overlay screens to hide malicious activity, and conduct credential theft by displaying bogus login screens atop financial apps. Additionally, it can also steal two-factor authentication (2FA) codes sent via SMS, intercept everything that's displayed on the screen, grant itself extra permissions as required, grab the lockscreen PIN or pattern, and install remote APK files."
Herodotus is a new Android banking trojan observed targeting users in Italy and Brazil to perform device takeover (DTO) attacks. It was advertised in underground forums on September 7, 2025 as malware-as-a-service and claims compatibility with Android versions 9 through 16. It is not assessed to be a direct evolution of Brokewell, but it shares Brokewell's obfuscation technique and contains explicit references to that family (e.g., "BRKWL_JAVA"). Herodotus spreads via dropper apps masquerading as Google Chrome (package name com.cd3.app), delivered through SMS phishing and other social engineering. Once installed, it abuses accessibility services to draw opaque overlays that hide its activity, show fake login screens over financial apps, intercept everything displayed on screen, capture SMS-delivered 2FA codes, harvest the lockscreen PIN or pattern, grant itself additional permissions, and install further APKs. To evade timing-based and behavioural-biometrics checks, it mimics human interaction, for instance by inserting randomized delays between the characters it types.
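The evasion described above is easiest to understand from the defender's side. The following is an added illustration, not code from ThreatFabric, The Hacker News, or the malware itself: a naive timing heuristic of the kind a behavioural-biometrics layer might apply to text entry, run over three constructed input patterns. Text injected in a single action lands with identical timestamps, a fixed per-character delay has zero variance, and both trip the check; per-character delays drawn from a random range do not. The 300-3000 ms range, the thresholds, the sample credential string and the "human" timestamps are all assumptions made for this example, not figures taken from the page.

```python
"""Naive inter-keystroke timing check versus three constructed input patterns.

Added illustration only: the thresholds, delay range and sample data below are
assumptions for this example, not measurements of Herodotus or of any
anti-fraud product.
"""
import random
import statistics
from typing import Dict, List, Optional, Sequence


def intervals(timestamps_ms: Sequence[float]) -> List[float]:
    """Inter-keystroke intervals (ms) from absolute key-down timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def timing_features(timestamps_ms: Sequence[float]) -> Optional[Dict[str, float]]:
    """Mean, population stdev and coefficient of variation of the intervals.

    Returns None when there are too few keystrokes to judge.
    """
    iv = intervals(timestamps_ms)
    if len(iv) < 2:
        return None
    mean = statistics.mean(iv)
    stdev = statistics.pstdev(iv)
    cv = stdev / mean if mean > 0 else 0.0
    return {"mean_ms": mean, "stdev_ms": stdev, "cv": cv}


def looks_automated(timestamps_ms: Sequence[float], *,
                    min_mean_ms: float = 60.0, min_cv: float = 0.15) -> bool:
    """Flag text entry that is faster or more regular than a human would produce.

    Both thresholds are assumptions chosen for this example.
    """
    f = timing_features(timestamps_ms)
    if f is None:
        return False  # not enough keystrokes to judge
    return f["mean_ms"] < min_mean_ms or f["cv"] < min_cv


# --- Constructed input patterns --------------------------------------------

def set_text_at_once(text: str, t0_ms: float = 0.0) -> List[float]:
    """Whole string injected in one action: every character shares a timestamp."""
    return [t0_ms] * len(text)


def fixed_delay(text: str, delay_ms: float = 100.0, t0_ms: float = 0.0) -> List[float]:
    """One character per tick with a constant delay (zero variance)."""
    return [t0_ms + i * delay_ms for i in range(len(text))]


def randomized_delay(text: str, lo_ms: float = 300.0, hi_ms: float = 3000.0,
                     seed: int = 0) -> List[float]:
    """Per-character delay drawn uniformly from [lo_ms, hi_ms].

    The range is an assumption for this example, not a figure reported for
    Herodotus. A seeded RNG keeps the output reproducible.
    """
    rng = random.Random(seed)
    ts: List[float] = []
    t = 0.0
    for _ in text:
        ts.append(t)
        t += rng.uniform(lo_ms, hi_ms)
    return ts


# Constructed human sample: irregular 90-290 ms gaps between key-downs.
HUMAN_SAMPLE_MS = [0, 180, 310, 520, 610, 900, 1050, 1290, 1400, 1600, 1770]


if __name__ == "__main__":
    text = "user@example.com"  # constructed credential-style input
    cases = [
        ("set-text in one action", set_text_at_once(text)),
        ("fixed 100 ms delay", fixed_delay(text)),
        ("random 300-3000 ms delay", randomized_delay(text * 3, seed=1)),
        ("constructed human sample", HUMAN_SAMPLE_MS),
    ]
    for label, ts in cases:
        verdict = "AUTOMATED" if looks_automated(ts) else "passes"
        print(f"{label:28s} {timing_features(ts)} -> {verdict}")
```

The point the example makes is the one ThreatFabric's description implies: a check that only asks "is the input too fast or too regular?" is defeated as soon as the operator randomizes the delay, which is why behavioural-biometrics products combine timing with other signals rather than relying on keystroke cadence alone.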
Read at The Hacker News