Herodotus

Tags: Android, banking-trojan, mobile-malware, accessibility-abuse, overlay-attacks, OTP-theft, behavior-evasion, MaaS, device-takeover
Herodotus is a newly observed Android banking trojan that reaches victims' phones through dropper apps and SMS phishing. Once installed, it abuses Android's accessibility and overlay features to take over the device, steal passwords and two-factor authentication tokens, and remotely install additional APKs. To defeat timing-based anti-fraud controls, it deliberately varies the timing and ordering of typed text and other injected inputs so that the activity resembles a human operator.

Indicators of Compromise

gj23j4jg.google-firebase.digital
google-firebase.digital

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1417 - Input Capture

DET0705 - Detection of Input Capture
  AN1825: The user can view and manage installed third-party keyboards. Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.
  AN1826: The user can view and manage installed third-party keyboards. Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

T1204.001 - Malicious Link

DET0066 - User Execution: Malicious Link (click → suspicious egress → download/write → follow-on activity)
  AN0178 (Windows): Behavioral chain: (1) a user-facing app (browser/Office/email client) launches a URL or handles a link, then (2) the same process lineage makes an outbound connection to an untrusted domain/IP, (3) a file is downloaded or unpacked to a user-writable location shortly after the click. Optional enrichment: subsequent child execution by LOLBINs.
  AN0179 (Linux): Behavioral chain: (1) browser/office/GUI mail client opens a URL, (2) outbound connection to untrusted domain, (3) a new file is saved in $HOME/Downloads, /tmp, or cache immediately after.
  AN0180 (macOS): Behavioral chain: (1) Safari/Chrome/Firefox/Office handles a URL; unified logs show open/click or LSQuarantine assignment, (2) outbound connection to untrusted domain, (3) a new file appears in ~/Downloads or /private/var/folders/* with quarantine flag.
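The three analytics above describe the same correlation in words. The following is an added example (not tooling from the page or from any vendor) that implements that behavioral chain over a constructed, normalized event feed: a click by a link-handling application, followed within a time window and in the same process lineage by an outbound connection to a host that is not on an allow-list, then a file write to a user-writable location, with any later child process execution attached as enrichment. The event schema, the allow-list, the list of link-handling images, and the sample telemetry (which reuses the campaign's google-firebase.digital indicator as the untrusted host) are all assumptions constructed for the example; a real EDR, Sysmon or unified-log schema would first have to be mapped onto these fields.

```python
"""Correlation logic for the T1204.001 behavioral chain.

Added example; it is not code from the original page. The Event schema,
allow-list, link-handler list and SAMPLE_EVENTS are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime   # event time (assumed UTC)
    kind: str      # "url_open" | "net_connect" | "file_write" | "proc_exec"
    pid: int
    ppid: int
    image: str     # process image name, lower-case
    detail: str    # URL, destination host, written path, or child image


# Constructed allow-list; in production this comes from the environment's
# known-good destinations rather than a hard-coded set.
TRUSTED_DOMAINS = {"example.com", "login.microsoftonline.com"}
# User-writable locations named in AN0178/AN0179/AN0180.
USER_WRITABLE = ("/home/", "/Users/", "/tmp/", "/private/var/folders/", "C:\\Users\\")
# Images that count as "user-facing app handles a link" (constructed list).
LINK_HANDLERS = {"chrome", "firefox", "safari", "winword", "outlook", "thunderbird"}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _is_trusted(host: str, trusted: set) -> bool:
    """True if host equals an allow-listed domain or is a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in trusted)


def detect_malicious_link_chain(events, window=timedelta(seconds=120), trusted=TRUSTED_DOMAINS):
    """Return one alert per click that is followed, within `window` and inside
    the click's process lineage, by egress to an untrusted host and then a file
    write to a user-writable path. Later child executions are recorded as
    enrichment but are not required for the alert."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, click in enumerate(events):
        if click.kind != "url_open" or click.image.lower() not in LINK_HANDLERS:
            continue
        lineage = {click.pid}      # pids descended from the clicking process
        egress = download = None
        follow_on = []
        for e in events[i + 1:]:
            if e.ts - click.ts > window:
                break
            if e.pid not in lineage and e.ppid not in lineage:
                continue           # unrelated process, ignore
            lineage.add(e.pid)     # child of a known lineage member
            if e.kind == "net_connect" and egress is None and not _is_trusted(e.detail, trusted):
                egress = e
            elif e.kind == "file_write" and egress and download is None and e.detail.startswith(USER_WRITABLE):
                download = e
            elif e.kind == "proc_exec" and download:
                follow_on.append(e.image)
        if egress and download:
            alerts.append({
                "click_pid": click.pid,
                "clicked_url": click.detail,
                "untrusted_host": egress.detail,
                "downloaded_file": download.detail,
                "seconds_click_to_write": (download.ts - click.ts).total_seconds(),
                "follow_on": follow_on,
            })
    return alerts


# Constructed sample telemetry: one benign click to an allow-listed site, and
# one chain that completes (mail client click -> browser child egress ->
# download -> shell execution).
SAMPLE_EVENTS = [
    Event(_t("2025-10-28T09:00:00"), "url_open", 410, 1, "chrome", "https://example.com/docs"),
    Event(_t("2025-10-28T09:00:01"), "net_connect", 410, 1, "chrome", "example.com"),
    Event(_t("2025-10-28T09:05:00"), "url_open", 512, 1, "thunderbird",
          "https://gj23j4jg.google-firebase.digital/invoice"),
    Event(_t("2025-10-28T09:05:02"), "net_connect", 530, 512, "firefox", "gj23j4jg.google-firebase.digital"),
    Event(_t("2025-10-28T09:05:04"), "file_write", 530, 512, "firefox", "/home/alice/Downloads/invoice.sh"),
    Event(_t("2025-10-28T09:05:09"), "proc_exec", 531, 530, "bash", "bash /home/alice/Downloads/invoice.sh"),
]


if __name__ == "__main__":
    for alert in detect_malicious_link_chain(SAMPLE_EVENTS):
        print(alert)
```

The lineage set is what separates this from a plain time-window join: the egress and the file write come from a child process (the browser spawned by the mail client), not from the clicking process itself, which is the common shape of the chain. Tune the window and the allow-list per environment; a short window with a strict allow-list keeps false positives low on AN0179-style Linux hosts where Downloads and /tmp see constant benign writes.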

T1516 - Input Injection

DET0612 - Detection of Input Injection
  AN1666: The user can view applications that have registered accessibility services in the accessibility menu within the device settings.

T1566 - Phishing

DET0070 - Detection Strategy for Phishing across platforms
  AN0188 (Windows): Unusual inbound email activity where attachments or embedded URLs are delivered to users followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.
  AN0189 (Linux): Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity.
  AN0190 (macOS): Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution.

Observed Countries (7)

BR (81)
GB (578)
IE (819)
IT (524)
PL (201)
TR (128)
US (555)