
Herodotus
Herodotus is a newly identified Android banking malware that is delivered through dropper apps and SMS phishing. It takes over devices, steals passwords and two-factor authentication tokens, and installs APKs remotely by abusing Android's accessibility and overlay features. The malware deliberately varies the timing and order of typed characters and other injected inputs so that they resemble human interaction, which lets it bypass timing-based anti-fraud systems.
Indicators of Compromise
Domains (2)
gj23j4jg.google-firebase.digital
google-firebase.digital
Hashes (1)
53ee40353e17d069b7b7783529edda968ad9ae25a0777f6a644b99551b412083
Notes
<div class="content-body"> <span class="content-title">CONCLUSION</span> <p class="content-description">HermesTypist (Herodotus family) is a dangerous Android banking malware that combines accessibility-service abuse, overlay attacks, SMS interception, and a novel evasion technique: humanized typing. It spreads through droppers posing as legitimate apps and is built for account takeover and financial theft. The malware is hard to detect because it mimics human behaviour and relies on legitimate Android APIs.</p> <p class="content-title">How SOCRadar Can Help:</p> <p class="content-description"><span class="content-title">• Threat Intelligence Feeds:</span><br> Within SOCRadar’s <span class="content-title">Cyber Threat Intelligence</span> module, the <span class="content-title">Threat Feed & IOC Management</span> and <span class="content-title">Threat Actor Tracking</span> submodules aggregate data from threat reports, OTX-style pulses, and news sources. They correlate IoCs, such as malicious APK package names or C2 domains, with campaign tracking dashboards, allowing analysts to visualize, contextualize, and block HermesTypist-related indicators in real time.</p> <p class="content-description"><span class="content-title">• Malware Analysis:</span><br> The <span class="content-title">Malware Analysis Sandbox</span>, part of the Cyber Threat Intelligence module, automatically extracts metadata from suspicious Android samples (e.g., strings, permissions, class names) and generates YARA rule recommendations. This accelerates detection rule creation, validation, and threat correlation for analysts.</p> <p class="content-description"><span class="content-title">• Mobile Threat Hunting / EDR Integration:</span><br> Through the <span class="content-title">Threat Hunting</span> submodule, SOCRadar detects anomalous mobile behaviors such as accessibility-service abuse, overlay activation, and APK side-loading. These detections can be surfaced in a unified dashboard and forwarded to SIEM or EDR systems, triggering automated alerts and Sigma-based detections.</p> <p class="content-description"><span class="content-title">• Risk & TTP Mapping:</span><br> SOCRadar maps collected IoCs and behavioral telemetry to the relevant MITRE ATT&CK techniques, such as Input Capture, SMS capture, and overlay attacks, via its Threat Actor Tracking and Threat Hunting capabilities. This tight integration shortens triage time and ensures SOC teams can apply the right ATT&CK-aligned mitigations efficiently.</p> </div>
Mitigation
<div class="content-container"> <span class="content-title">T1417 - Input Capture</span> <div> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1012">M1012</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1012">Enterprise Policy</a></p></td> <td><p>When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.<a href="https://web.archive.org/web/20201112021547/https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-">[4]</a></p><p>An EMM/MDM can use the Android <span>DevicePolicyManager.setPermittedAccessibilityServices</span> method to set an explicit list of applications that are allowed to use Android's accessibility features.</p></td> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1006">M1006</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1006">Use Recent OS Version</a></p></td> <td><p>The <span>HIDE_OVERLAY_WINDOWS</span> permission was introduced in Android 12 allowing apps to hide overlay windows of type <span>TYPE_APPLICATION_OVERLAY</span> drawn by other apps with the <span>SYSTEM_ALERT_WINDOW</span> permission, preventing other applications from creating overlay windows on top of the current application.<a href="https://developer.android.com/about/versions/12/features">[5]</a></p></td> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1011">M1011</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1011">User Guidance</a></p></td> <td><p>Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.</p></td> </tr> </tbody> </table> </div> <span class="content-title">T1204.001 - Malicious Link</span> <div> <table> <colgroup> <col> <col> <col> 
</colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1031">M1031</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1031">Network Intrusion Prevention</a></p></td> <td><p>If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.</p></td> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1021">M1021</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1021">Restrict Web-Based Content</a></p></td> <td><p>Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.</p></td> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1017">M1017</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1017">User Training</a></p></td> <td><p>Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.</p></td> </tr> </tbody> </table> </div> <span class="content-title">T1516 - Input Injection</span> <div> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1012">M1012</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1012">Enterprise Policy</a></p></td> <td><p>An EMM/MDM can use the Android <span>DevicePolicyManager.setPermittedAccessibilityServices</span> method to set an explicit list of applications that are allowed to use Android's accessibility features.</p></td> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1011">M1011</a></p></td> <td><p><a 
href="https://attack.mitre.org/mitigations/M1011">User Guidance</a></p></td> <td><p>Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.</p></td> </tr> </tbody> </table> </div> <span class="content-title">T1566 - Phishing</span> <div> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1049">M1049</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1049">Antivirus/Antimalware</a></p></td> <td><p>Anti-virus can automatically quarantine suspicious files.</p></td> </tr> <tr> <td><p><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></p></td> <td><p><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></p></td> <td><p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.</p></td> </tr> </tbody> </table> </div> </div>
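The two Android controls the mitigation tables name, the EMM accessibility allow list behind M1012 and the HIDE_OVERLAY_WINDOWS permission behind M1006, together with an app-side check for accessibility services outside that list, as an added Java example; this is not SOCRadar's or MITRE's code, and the allow list (including the placeholder com.example.corp.screenreader) is a constructed assumption.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not SOCRadar or MITRE code: the controls named in the tables above.
public final class AccessibilityOverlayHardening {
    // Constructed allow list: TalkBack's package name is real, the second is a placeholder.
    static final List<String> TRUSTED_A11Y_PACKAGES = Arrays.asList(
            "com.google.android.marvin.talkback", "com.example.corp.screenreader");

    // M1012 (Enterprise Policy), called from a device-owner or profile-owner app.
    // Android always permits pre-installed (system) accessibility services; the list
    // governs third-party packages, which is where a sideloaded dropper would sit.
    // Returns false (the policy is not applied) if a currently enabled third-party
    // service is missing from the list, so the caller must handle that case.
    public static boolean restrictAccessibilityServices(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm.setPermittedAccessibilityServices(admin, TRUSTED_A11Y_PACKAGES);
    }

    // App-side check a banking app can run before showing its login screen: enabled
    // accessibility services whose package is outside the allow list.
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> suspicious = new ArrayList<>();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) suspicious.add(pkg);
        }
        return suspicious;
    }

    // M1006 (Use Recent OS Version): on Android 12+ (API 31) an app that declares the
    // HIDE_OVERLAY_WINDOWS permission in its manifest can stop other apps'
    // SYSTEM_ALERT_WINDOW overlays from being drawn over its window.
    public static void hideOverlays(Activity activity) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            activity.getWindow().setHideOverlayWindows(true);
        }
    }
}
```

A non-empty result from untrustedAccessibilityServices is a signal for the app to refuse sensitive screens and for the SOC to investigate, not proof of infection on its own, since legitimate third-party services will also appear if they are not on the list.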