
Herodotus
Tags: Android, banking-trojan, mobile-malware, accessibility-abuse, overlay-attacks, OTP-theft, behavior-evasion, MaaS, device-takeover
Herodotus is a new Android banking malware that uses dropper apps and SMS phishing to get onto victims' phones. Once installed, it abuses Android's accessibility and overlay features to take over the device, steal passwords and two-factor authentication tokens, and install further APKs remotely. To evade timing-based anti-fraud systems, it deliberately varies the timing and order of its simulated typing and other inputs so that the activity looks like a human user.
Indicators of Compromise
| Indicator | Source | Date |
|---|---|---|
| gj23j4jg.google-firebase.digital | SOCRadar | 2025-10-31 |
| google-firebase.digital | SOCRadar | 2025-10-31 |
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
T1417 - Input Capture
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0705 | Detection of Input Capture | AN1825 | The user can view and manage installed third-party keyboards. Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. |
| DET0705 | Detection of Input Capture | AN1826 | The user can view and manage installed third-party keyboards. Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. |
T1204.001 - Malicious Link
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0066 | User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) | AN0178 | Behavioral chain: (1) a user-facing app (browser/Office/email client) launches a URL or handles a link, then (2) the same process lineage makes an outbound connection to an untrusted domain/IP, (3) a file is downloaded or unpacked to a user-writable location shortly after the click. Optional enrichment: subsequent child execution by LOLBINs. |
| DET0066 | User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) | AN0179 | Behavioral chain: (1) browser/office/GUI mail client opens a URL, (2) outbound connection to untrusted domain, (3) a new file is saved in $HOME/Downloads, /tmp, or cache immediately after. |
| DET0066 | User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) | AN0180 | Behavioral chain: (1) Safari/Chrome/Firefox/Office handles a URL; unified logs show open/click or LSQuarantine assignment, (2) outbound connection to untrusted domain, (3) a new file appears in ~/Downloads or /private/var/folders/* with quarantine flag. |
T1516 - Input Injection
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0612 | Detection of Input Injection | AN1666 | The user can view applications that have registered accessibility services in the accessibility menu within the device settings. |
| DET0612 | Detection of Input Injection | | The user can view applications that have registered accessibility services in the accessibility menu within the device settings. |
T1566 - Phishing
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0070 | Detection Strategy for Phishing across platforms | AN0188 | Unusual inbound email activity where attachments or embedded URLs are delivered to users, followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received. |
| DET0070 | Detection Strategy for Phishing across platforms | AN0189 | Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity. |
| DET0070 | Detection Strategy for Phishing across platforms | AN0190 | Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution. |
Observed Countries (7)
| Country | Count |
|---|---|
| BR | 81 |
| GB | 578 |
| IE | 819 |
| IT | 524 |
| PL | 201 |
| TR | 128 |
| US | 555 |