Herodotus: The Android Trojan That Types Like You
The Herodotus campaign marks a significant milestone in mobile cybercrime for 2025. This advanced Android banking trojan combines Device Takeover (DTO) capabilities with highly refined human-like behavioral mimicry, enabling it to circumvent behavioral biometrics and anti-fraud detection systems.
First identified during active campaigns in Italy and Brazil, it has since expanded its reach to users in the U.S., U.K., Turkey, Poland, and Ireland, quickly becoming one of the most formidable Android threats this year.

Here’s how a sophisticated Android banking malware mimics human behavior to evade detection – and what SOC teams can do about it.
1. Executive Summary
Herodotus primarily infiltrates devices via SMiShing campaigns: malicious SMS links lead victims to dropper applications disguised as trusted banking or security tools. Once installed, the malware abuses Accessibility Services and overlay permissions to:
- Steal banking credentials
- Intercept Two-Factor Authentication (2FA) codes
- Simulate user interaction via realistic randomized typing delays ranging from 300 to 3000 milliseconds

The techniques used by Herodotus malware
This carefully engineered randomization allows Herodotus to effectively bypass behavior-based fraud detection systems, which rely heavily on typing rhythms and touch event analysis.
2. How the Infection Chain Works
The infection chain unfolds as follows:
- The victim receives an SMS containing a malicious link to a dropper app disguised as a legitimate banking or security tool (e.g., “Banca Sicura” or “Modulo Seguranca Stone”).
- Upon installation, the app requests Accessibility permissions to gain extensive control over the device.
- It then activates overlay windows to conceal malicious activities from the user’s view.
- The malware sends detailed application inventory data to its Command and Control (C2) server via the MQTT protocol.
- Targeted overlays are downloaded to facilitate credential theft.
Technical Traits:
- Infrastructure based on google-firebase[.]digital domains with dynamic subdomains
- Capable of remote input injection including clicks, swipes, and keypresses
- Uses fake “loading” overlays to mask execution and evade user detection

The Herodotus malware’s infection sequence
3. Human-like Behavior: A New Evasion Layer
Herodotus’s standout innovation is its human typing simulation. Instead of instantly inputting text, it inserts randomized, human-like delays between keystrokes, effectively simulating natural typing cadence.
This behavioral mimicry challenges traditional automation detection and pushes Herodotus beyond simple automated malware – it is built to deceive the very signals that behavioral biometrics systems use to separate a genuine user from a script.
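To show the evasion from the defender's side, here is an added illustration (not code from the article, from SOCRadar, or from any biometrics vendor) of a heuristic that scores inter-keystroke intervals against the uniform 300-3000 ms delay profile described in the executive summary and in this section. The bin count, the chi-square cutoff and both keystroke samples are assumptions constructed for the example; production behavioral-biometrics engines use far richer features, and this check only demonstrates one property a defender can look for: a session with no short gaps at all and an evenly spread histogram.

```python
"""Illustrative cadence check (hypothetical; not the article's or any vendor's logic).

Humans typing on a phone keyboard produce many short inter-key gaps (well under
300 ms on familiar digraphs) and a long right tail of pauses; an injection
routine that draws every delay uniformly from 300-3000 ms produces gaps that all
fall inside that band and spread evenly across it.  The check scores a keystroke
sequence on both properties.
"""

LOW_MS, HIGH_MS = 300, 3000  # delay band reported for Herodotus


def inter_key_intervals(timestamps_ms):
    """Gaps between consecutive key-down events, in milliseconds."""
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def chi_square_vs_even(intervals, bins=4):
    """Chi-square distance between the in-band interval histogram and a flat one.

    Small values mean the gaps are spread evenly over [LOW_MS, HIGH_MS], which is
    what a uniform random delay produces; human typing piles up at the short end.
    """
    width = (HIGH_MS - LOW_MS) / bins
    counts = [0] * bins
    in_band = [iv for iv in intervals if LOW_MS <= iv <= HIGH_MS]
    for iv in in_band:
        counts[min(int((iv - LOW_MS) // width), bins - 1)] += 1
    expected = len(in_band) / bins
    if expected == 0:
        return float("inf")
    return sum((c - expected) ** 2 / expected for c in counts)


def assess_cadence(intervals, min_samples=20, chi_square_limit=7.81):
    """Return a verdict dict; 'scripted' is True when the cadence matches the
    uniform-delay profile.  7.81 is the 95% point of a chi-square distribution
    with 3 degrees of freedom (4 bins), an assumed cutoff for this example."""
    if len(intervals) < min_samples:
        return {"scripted": False, "reason": "too few keystrokes to judge"}
    n = len(intervals)
    fast = sum(iv < LOW_MS for iv in intervals)
    slow = sum(iv > HIGH_MS for iv in intervals)
    chi2 = chi_square_vs_even(intervals)
    scripted = fast == 0 and slow == 0 and chi2 < chi_square_limit
    return {
        "scripted": scripted,
        "fast_fraction": fast / n,
        "slow_fraction": slow / n,
        "chi_square": chi2,
        "reason": ("every gap inside 300-3000 ms and evenly spread" if scripted
                   else "cadence shows human-like short gaps or clustering"),
    }


# Constructed samples (not captured from a real device).
# Scripted: 60 keystrokes whose gaps sweep the 300-3000 ms band evenly.
SCRIPTED_INTERVALS = [300 + 45 * i for i in range(60)]
# Human-like: bursts of fast digraphs with occasional pauses to think.
HUMAN_INTERVALS = [120, 95, 180, 410, 140, 160, 90, 220, 1200, 130,
                   105, 170, 85, 260, 340, 150, 110, 2100, 125, 145,
                   98, 190, 160, 115, 480, 135, 105, 170, 92, 210]

if __name__ == "__main__":
    for name, sample in (("scripted", SCRIPTED_INTERVALS), ("human", HUMAN_INTERVALS)):
        verdict = assess_cadence(sample)
        print(f"{name:9s} scripted={verdict['scripted']}  {verdict['reason']}")
```

The chi-square cutoff is deliberately loose: about one in twenty genuinely uniform sessions would fall above it, so the "no gap below 300 ms" condition does most of the work. A real engine would also key on which digraphs are slow, since human delays depend on the key pair while a uniform draw does not.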
4. Campaign Impact
By combining a global distribution network with the Malware-as-a-Service (MaaS) model, Herodotus lowers the barrier to entry for financially motivated cybercriminals. This approach lets cybercriminals rent or buy the malware, removing the need for advanced technical knowledge. Because of this, the threat spreads fast both geographically and across different industries.
Global Spread of Herodotus
First detected in Brazil and Italy, Herodotus quickly expanded to the United States, United Kingdom, Turkey, Poland, and Ireland. This rapid global growth shows how easily MaaS-based malware can cross borders and reach new victims worldwide.

Countries affected by the Herodotus Campaign
Malware-as-a-Service Model
The MaaS structure makes Herodotus attractive to both professional hackers and small criminal groups. By offering ready-to-use tools, it allows attackers to launch campaigns with minimal setup or technical effort. This accessibility increases the number of active threat actors and helps the malware evolve through constant reuse and modification.
Targeted Industries
Recent analysis shows that Herodotus mainly targets users in financial services, fintech, and cryptocurrency wallet platforms. These sectors face higher risk because their users rely heavily on mobile banking and payment applications. Attackers use SMiShing and fake banking apps to steal credentials, bypass security systems, and access sensitive financial data.
5. Frequently Asked Questions About the Herodotus Malware Campaign
What makes Herodotus unique?
Its ability to mimic human typing behavior and introduce randomized delays to evade detection.
How does it spread?
Mainly via SMS phishing and malicious dropper apps.
Which sectors are most at risk?
Financial services including banking, fintech, and crypto wallet holders.
Can traditional antivirus software detect it?
Detection is challenging because the malware relies on the legitimate Android Accessibility API rather than on anything an antivirus engine would flag as exploit code.
What is the most effective mitigation?
Strict enforcement of Android policy restrictions and device-management allowlisting.
Is Herodotus associated with any known APT group?
No confirmed links; attributed to an independent actor named K1R0.
What is the main C2 infrastructure?
google-firebase[.]digital with dynamically generated subdomains.
Is it part of a malware family?
It shares some code with Brokewell but is an independent evolution.
What MITRE techniques are relevant?
Input Capture (T1417), Input Injection (T1516), Phishing (T1566), Malicious Link (T1204.001).
Where can analysts find IoCs?
Top indicators of compromise related to the Herodotus Campaign are:
- 53ee40353e17d069b7b7783529edda968ad9ae25a0777f6a644b99551b412083
- google-firebase[.]digital
- gj23j4jg.google-firebase[.]digital
For further IoCs, check the AlienVault OTX pulse.
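Because the C2 infrastructure described in section 2 uses dynamically generated subdomains under google-firebase[.]digital, a plain string match on the published indicators would miss most traffic. The following added example (not code from the article or from SOCRadar) matches the IoCs listed above against constructed DNS log lines and an APK inventory: domains are compared by suffix so any subdomain of the parent indicator hits, while hashes are compared exactly. The log format, client addresses, timestamps and package names are assumptions constructed for the example.

```python
"""Added example: match the published Herodotus IoCs against constructed telemetry.

Domains are compared by DNS suffix so the campaign's dynamic subdomains match the
parent indicator; APK hashes are compared exactly after case normalisation.
The DNS line format and inventory tuples are assumed formats, not any product's.
"""
import re

# IoCs as published on the page (defanged brackets removed for matching).
IOC_DOMAINS = {"google-firebase.digital"}
IOC_SHA256 = {"53ee40353e17d069b7b7783529edda968ad9ae25a0777f6a644b99551b412083"}


def refang(indicator):
    """Normalise a possibly defanged name: '[.]' -> '.', lower-case, no trailing dot."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def domain_matches(fqdn, ioc_domains=IOC_DOMAINS):
    """True when fqdn equals an IoC domain or is any subdomain of one.

    Suffix matching on a leading '.' avoids two false positives a naive
    substring check would raise: 'notgoogle-firebase.digital' and
    'google-firebase.digital.example.org'.
    """
    fqdn = refang(fqdn)
    return any(fqdn == d or fqdn.endswith("." + d) for d in ioc_domains)


# Assumed resolver log format: "<ts> client=<ip> query=<qname> type=<qtype>"
DNS_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)")


def scan_dns_log(lines, ioc_domains=IOC_DOMAINS):
    """Return (timestamp, client, qname) for every query touching an IoC domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and domain_matches(m["qname"], ioc_domains):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


def scan_apk_inventory(entries, ioc_hashes=IOC_SHA256):
    """entries: iterable of (device_id, package_name, sha256); return matching entries."""
    return [(dev, pkg, h) for dev, pkg, h in entries if h.lower() in ioc_hashes]


# Constructed sample data (fictitious clients, timestamps and package names).
SAMPLE_DNS = [
    "2025-10-28T09:14:02Z client=10.20.0.15 query=gj23j4jg.google-firebase.digital type=A",
    "2025-10-28T09:14:05Z client=10.20.0.15 query=firebase.googleapis.com type=A",
    "2025-10-28T09:15:11Z client=10.20.0.42 query=a1b2c3d4.google-firebase.digital. type=A",
    "2025-10-28T09:16:00Z client=10.20.0.99 query=google-firebase.digital.example.org type=A",
]
SAMPLE_INVENTORY = [
    ("dev-001", "com.example.bancasicura",
     "53EE40353E17D069B7B7783529EDDA968AD9AE25A0777F6A644B99551B412083"),
    ("dev-002", "com.example.notes", "0" * 64),
]

if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS):
        print(f"DNS hit  {ts} {client} -> {qname}")
    for dev, pkg, digest in scan_apk_inventory(SAMPLE_INVENTORY):
        print(f"APK hit  {dev} {pkg} sha256={digest.lower()}")
```

Two of the four constructed DNS lines hit: the published subdomain and a second, unseen subdomain of the same parent. The legitimate Google domain and the look-alike under example.org do not, which is the point of suffix rather than substring matching.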
6. Lessons Learned and the SOCRadar Perspective
The Herodotus campaign represents the next generation of mobile banking malware: it doesn't just automate clicks or keystrokes, it imitates real user behavior to evade detection. This shift challenges traditional defenses and highlights why organizations need real-time threat intelligence and proactive cybersecurity strategies.
The SOCRadar Cyber Threat Intelligence module is particularly well-suited to counter campaigns like Herodotus, because it delivers real-time enriched data and threat actor tracking. Additionally, the Dark Web Monitoring module can track posts related to malware service sales and combolists.

SOCRadar’s Cyber Threat Intelligence module, Threat Hunting Rules
Enriched Data and Early Warning
The Cyber Threat Intelligence module provides enriched, real-time data to help security teams detect and understand active threats. It correlates Indicators of Compromise (IoCs) such as C2 domains, APK hashes, and malicious IPs to reveal the bigger picture behind an attack.
7. MITRE ATT&CK – Mitigation and Remediation
To defend against Herodotus, security teams should focus on these key MITRE ATT&CK techniques and countermeasures:
Mitigations
| Technique ID | Technique Name | Mitigation ID | Mitigation Description |
|---|---|---|---|
| T1417 | Input Capture | M1012 – Enterprise Policy | Limit accessibility features using allow lists (Samsung Knox, EMM/MDM). |
| T1417 | Input Capture | M1006 – Use Recent OS Version | Deploy Android 12+ devices with HIDE_OVERLAY_WINDOWS to block malicious overlays. |
| T1204.001 | Malicious Link | M1031 – Network Intrusion Prevention | Use NIPS and content scanning to block malicious downloads. |
| T1204.001 | Malicious Link | M1017 – User Training | Train users to recognize phishing links and suspicious attachments. |
| T1516 | Input Injection | M1011 – User Guidance | Warn users about granting Accessibility permissions to unknown apps. |
| T1566 | Phishing | M1054 – Software Configuration | Enable email authentication mechanisms like DMARC, SPF, DKIM to prevent spoofed emails. |
Remediations
| Technique ID | Detection ID | Detection Name | Description |
|---|---|---|---|
| T1417 | DET0705 | Detection of Input Capture | Monitor apps requesting Accessibility or overlay permissions. |
| T1204.001 | DET0066 | User Execution – Malicious Link | Detect behavioral chains: user click → outbound connection → file download. |
| T1516 | DET0612 | Detection of Input Injection | Review apps with registered Accessibility Services in device settings. |
| T1566 | DET0070 | Detection Strategy for Phishing | Correlate suspicious email attachments with network or execution activity. |
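The two detection rows for T1417 and T1516 both come down to knowing which apps on a device have an accessibility service registered and whether each one is expected. The following added example (not code from the article or from SOCRadar) turns that review into an allowlist check. It parses the value of the Android secure setting enabled_accessibility_services, which `adb shell settings get secure enabled_accessibility_services` prints as a colon-separated list of flattened component names (package/class, where the class may be abbreviated to .Class, and "null" when nothing is enabled). The allowlist contents, the corporate MDM agent package and the sample reading are assumptions constructed for the example.

```python
"""Added example: compare a device's enabled accessibility services with an allowlist.

Input is the raw value of the secure setting `enabled_accessibility_services`
(e.g. from `adb shell settings get secure enabled_accessibility_services` or an
MDM inventory export).  Allowlist and sample reading are constructed.
"""

# Constructed allowlist of packages permitted to run an accessibility service.
# TalkBack is Google's real screen reader package; the MDM agent is fictitious.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.example.corp.mdmagent",
}


def parse_enabled_services(setting_value):
    """Split the setting into (package, fully-qualified class) pairs.

    Handles the empty string, the literal 'null' the settings command prints when
    the key is unset, and the short ComponentName form 'pkg/.Class'.
    """
    if not setting_value or setting_value.strip() == "null":
        return []
    services = []
    for item in setting_value.split(":"):
        item = item.strip()
        if not item or "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def unexpected_services(setting_value, allowed=ALLOWED_ACCESSIBILITY_PACKAGES):
    """Return every enabled service whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in allowed]


# Constructed sample reading: TalkBack plus an unknown "security tool".
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.bancasicura/.GuardService"
)

if __name__ == "__main__":
    findings = unexpected_services(SAMPLE_SETTING)
    if not findings:
        print("all enabled accessibility services are allowlisted")
    for pkg, cls in findings:
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

In an EMM/MDM fleet the same check runs against the exported setting for every device, and any hit is a candidate for the overlay-permission review in the T1417 row, since a dropper that has obtained accessibility access typically asks for overlay rights as well.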
Conclusion
Herodotus’s ongoing evolution showcases how mobile malware creators expertly blend automation with behavioral deception. This capability to impersonate legitimate user behavior makes it exceptionally resilient against behavioral analytics – far more than traditional banking trojans.
Organizations must defend against such dynamic threats by combining:
- Strong, fine-tuned mobile security policies
- Continuous and informed user awareness training
- Integrated threat intelligence platforms like SOCRadar providing multi-layered protection
By adopting this holistic approach, security teams can better anticipate, detect, and neutralize sophisticated threats such as Herodotus, protecting their users and critical financial assets in an increasingly complex mobile threat landscape.