
Herodotus: The Android Trojan That Types Like a Human

The new Android Trojan Herodotus mimics human behavior to evade modern anti-fraud systems.

Written By
Ken Underhill
Oct 29, 2025

A new Android banking Trojan named Herodotus is redefining the sophistication of mobile malware by mimicking human behavior to bypass modern anti-fraud systems. 

First observed by ThreatFabric’s Mobile Threat Intelligence team, Herodotus blends automation, deception, and behavioral mimicry to outsmart biometric defenses that typically identify robotic input patterns.

“Herodotus is designed to perform Device-Takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection,” ThreatFabric researchers reported.

Malware-as-a-Service goes mobile

Herodotus emerged in mid-2025 during ongoing monitoring of malicious distribution points, where researchers noticed previously unseen Android samples distributed alongside known malware like Hook and Octo. 

Analysis revealed that while Herodotus shares code fragments with the Brokewell malware family, it represents a distinct and evolving threat rather than a direct successor.

Active campaigns have already been detected in Italy and Brazil, where Herodotus has been used to perform device-takeover attacks. 

Its developer, known as K1R0, has also begun advertising the Trojan as a Malware-as-a-Service (MaaS) offering on underground forums — an indication that its capabilities may soon spread globally.

How Herodotus works

Distribution begins with a smishing message that tricks victims into side-loading a malicious app. 

Once installed, the dropper bypasses Android 13’s accessibility restrictions by prompting users to enable Accessibility Services. 

It then deploys a “loading” overlay to hide its background activity while silently granting the malware broad permissions.

Once active on the device, Herodotus can:

  • Steal credentials through overlay attacks that mimic legitimate banking screens.
  • Intercept SMS messages, including two-factor authentication (2FA) codes.
  • Log on-screen activity through accessibility abuse.
  • Take full remote control of the infected device.

The Trojan’s command-and-control (C2) communications rely on the MQTT protocol, and multiple subdomains have been linked to live campaigns. 

Researchers identified variants masquerading as Banca Sicura in Italy and Modulo Seguranca Stone in Brazil — both pretending to be security tools for trusted financial institutions.

Human behavior, artificial intent

What truly sets Herodotus apart is its ability to simulate human typing behavior. 

Most banking Trojans perform actions instantaneously using accessibility commands like ACTION_SET_TEXT or clipboard injection, which anti-fraud systems can easily detect as machine-like.

Herodotus takes a subtler approach: it splits text input into individual characters and inserts random delays of 300 to 3,000 milliseconds between each keystroke. 

This timing mirrors human typing speed and irregularity, allowing fraudulent transactions to appear natural to behavioral biometrics engines.

By “humanizing” the interaction, the Trojan can slip past fraud controls that flag automated behavior based on input cadence. 

This innovation makes Herodotus one of the first Android malware families to actively mimic human behavior as a means of avoiding detection.
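The cadence trick described above is a detection problem as much as an evasion problem. The following is an added example, not code from the article or from ThreatFabric: it takes key-event timestamps as a client-side telemetry agent might report them, derives the inter-keystroke gaps and labels the session. The thresholds (300 ms and 3,000 ms from the article, a 20 ms "instant" cutoff, and the assumption that real typists produce at least some sub-300 ms gaps on familiar key pairs) are illustrative assumptions, and the three samples are constructed, not captured data.

```python
"""Inter-keystroke cadence heuristics (added example, not code from the article
or from ThreatFabric).

Input: key-event timestamps in milliseconds. Output: a coarse label a fraud
engine could combine with other device signals. All thresholds are assumptions
chosen for illustration; calibrate them on your own user population.
"""
import statistics
from itertools import accumulate

FAST_MS = 300      # lower edge of the 300-3000 ms delay window the article describes
SLOW_MS = 3000     # upper edge of that window
INSTANT_MS = 20    # gaps this small mean the whole string landed at once (assumption)


def inter_key_intervals(timestamps_ms):
    """Gaps between consecutive key events; timestamps must be non-decreasing."""
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def cadence_features(timestamps_ms):
    """Summary statistics a fraud engine could feed into a wider risk score."""
    gaps = inter_key_intervals(timestamps_ms)
    if len(gaps) < 4:
        raise ValueError("need at least five key events for a meaningful profile")
    n = len(gaps)
    return {
        "mean_ms": statistics.fmean(gaps),
        "stdev_ms": statistics.pstdev(gaps),
        "min_ms": min(gaps),
        "max_ms": max(gaps),
        "share_below_300": sum(g < FAST_MS for g in gaps) / n,
        "share_in_window": sum(FAST_MS <= g <= SLOW_MS for g in gaps) / n,
    }


def classify_cadence(timestamps_ms):
    """Label a key-event sequence as human_like, scripted_instant or scripted_humanized."""
    f = cadence_features(timestamps_ms)
    if f["mean_ms"] < INSTANT_MS:
        # Classic automation: the text was injected in one shot (ACTION_SET_TEXT,
        # clipboard paste), so consecutive characters are essentially simultaneous.
        return "scripted_instant"
    if f["share_in_window"] == 1.0 and f["share_below_300"] == 0.0:
        # Assumption: real typists produce at least some sub-300 ms gaps on familiar
        # key pairs, whereas a generator confined to [300, 3000] ms never does.
        return "scripted_humanized"
    return "human_like"


def timestamps_from_gaps(gaps_ms, start_ms=0):
    """Build a timestamp list from a gap list (used only to construct samples)."""
    return list(accumulate([start_ms] + list(gaps_ms)))


# Constructed samples, not captured telemetry.
HUMAN_SAMPLE = timestamps_from_gaps([180, 240, 410, 150, 220, 900, 200, 310])
HUMANIZED_BOT_SAMPLE = timestamps_from_gaps([450, 2200, 1300, 700, 2900, 350, 1800, 1000])
INSTANT_BOT_SAMPLE = timestamps_from_gaps([0, 1, 0, 2, 1])

if __name__ == "__main__":
    for name, sample in [("human", HUMAN_SAMPLE),
                         ("humanized bot", HUMANIZED_BOT_SAMPLE),
                         ("instant bot", INSTANT_BOT_SAMPLE)]:
        print(f"{name:14s} -> {classify_cadence(sample)}")
```

The "scripted_humanized" rule is deliberately narrow and is a weak signal on its own: a slow, careful user could also stay inside the window for a short field. Its value comes from correlation with the other telemetry the article mentions, for example whether an Accessibility Service was active while the field was being filled.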

Reverse engineering revealed that Herodotus borrows code structures and obfuscation methods from Brokewell, a malware family discovered in 2024. 

Both use encrypted strings stored in native code, decrypted dynamically at runtime to resist analysis. 

Herodotus even includes a partial dynamic module from Brokewell, though it currently functions only in limited capacity. 

This overlap suggests the developer may have access to Brokewell’s source code, hinting at possible feature expansion in future versions.

A new era of Android malware

The rise of Herodotus signals a major evolution in mobile banking threats. By blending device takeover, remote control, and behavior simulation, the Trojan effectively undermines many existing anti-fraud systems. 

Traditional detection methods that rely solely on user behavior — like typing speed or screen interaction patterns — may now misclassify these attacks as legitimate activity.

As Herodotus continues to evolve, it could usher in a new wave of Android malware capable of defeating behavioral biometrics and fraud heuristics once considered resilient.

Building mobile defense in layers

To defend against Herodotus and similar Android threats, organizations should adopt a layered mobile security approach that combines technical, behavioral, and human-focused controls:

  • Enhance mobile threat detection with MDM or endpoint detection tools that identify malware and flag abnormal Accessibility Service activity.
  • Use behavioral context analysis to link user behavior with device telemetry and spot compromised devices.
  • Secure Android apps through integrity checks, certificate pinning, and root detection.
  • Educate users to avoid side-loading, phishing links, and granting risky Accessibility permissions.
  • Leverage threat intelligence to track IOCs and detect Herodotus campaigns early.
  • Adopt adaptive authentication combining biometrics, device trust, and continuous identity checks.

Implementing these measures helps organizations build cyber resilience against mobile threats.
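The first bullet above, flagging abnormal Accessibility Service activity, can be turned into a concrete fleet check. The following is an added example, not code from the article or from any MDM vendor: it parses the raw value of Android's secure setting `enabled_accessibility_services` (for example as printed by `adb shell settings get secure enabled_accessibility_services` on a managed device) and reports every enabled service whose package is not on an allowlist. The allowlist and the sample setting value are constructed for the example.

```python
"""Allowlist check for enabled Android Accessibility Services (added example,
not code from the article or from any MDM vendor).

The setting's value is a colon-separated list of flattened component names
(package/class); Android prints "null" when nothing is enabled. The allowlist
below is a constructed placeholder for whatever an organisation expects to see.
"""

# Constructed allowlist (assumption): the screen reader most fleets ship with.
EXPECTED_PACKAGES = {
    "com.google.android.marvin.talkback",   # TalkBack
    "com.android.talkback",
}


def parse_enabled_services(raw):
    """Return (package, fully-qualified class) tuples from the setting's raw value."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):          # short form ".Svc" is relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, allowlist=EXPECTED_PACKAGES):
    """Enabled services whose package is not on the allowlist; each deserves a look."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowlist]


# Constructed sample: TalkBack plus an unknown side-loaded app holding the service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.HelperService"
)

if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE_SETTING):
        print(f"unexpected accessibility service: {package} ({cls})")
```

Run periodically against device inventory, a non-allowlisted service is a strong indicator of the side-loading-plus-Accessibility pattern the article describes, and it is cheap to correlate with app install events from the same device.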

When malware starts acting human

Herodotus exemplifies how Malware-as-a-Service operations are using artificial intelligence and behavioral mimicry to defeat modern security systems. 

Its evolution from Brokewell illustrates how threat actors refine existing tools to exploit gaps in detection models.

As mobile banking and remote access continue to expand, defenders must assume that attackers can now behave like real users. 

Only a layered defense — combining device intelligence, user education, and continuous monitoring — can stay ahead of malware that no longer looks or acts like a bot.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
