Researchers have discovered a new Android banking malware family called Herodotus, which is particularly difficult to detect because it mimics human typing behavior when it enters stolen or attacker-supplied text.
Herodotus was developed by a threat actor using the handle “K1R0” who, according to Dutch cybersecurity firm ThreatFabric, has been selling it to other cybercriminals under a Malware-as-a-Service model.

The malware itself is a banking Trojan delivered by side-loading, that is, by installing an APK from outside Google Play. Once installed, it draws fake login pages (overlays) on top of targeted apps on the victim’s device, so that the credentials the victim types into the fake page go to the attacker rather than to the real app.
Operationally this is very similar to many other active banking Trojans. What distinguishes Herodotus is random delay injection in its input routines, intended to mimic human typing patterns. Rather than setting the whole value of a form field in a single action, as other Trojans do, Herodotus enters text one character at a time with a random pause of 0.3-3 seconds (300-3,000 ms) between keystrokes. The aim is to evade bot and automation detection, session heuristics, and some behavioral biometric engines, specifically those that flag input purely on machine-like speed.
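The following is an added example (not code from the article or from ThreatFabric) showing why a speed-only typing check misses this technique and what a layered check adds. It generates Herodotus-style humanised delays with the 300-3,000 ms range the article gives, runs a speed-only detector and a richer timing detector over four constructed keystroke logs (a pasted value, a fixed-delay bot, a humanised-delay bot and plausible human typing), and reports why each is flagged. All thresholds are illustrative assumptions, not values from any anti-fraud product.

```python
"""Inter-keystroke timing heuristics against humanised bot input.

Added example. The keystroke logs below are constructed, and every
threshold is an assumption chosen for illustration.
"""
import random
from statistics import median
from typing import List


def humanised_delays(n: int, seed: int = 0,
                     low_ms: int = 300, high_ms: int = 3000) -> List[int]:
    """Delays a Herodotus-style input routine would sleep between
    keystrokes: uniform random pauses in the 300-3,000 ms range."""
    rng = random.Random(seed)
    return [rng.randint(low_ms, high_ms) for _ in range(n)]


# Constructed inter-keystroke intervals (ms) for a 13-character credential,
# one value per character after the first.
PASTE = [0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0]          # whole value set at once
FIXED_BOT = [25] * 12                                   # scripted, constant delay
HERODOTUS_LIKE = [412, 2870, 1530, 998, 2201, 345,      # uniform 300-3,000 ms
                  1764, 2530, 611, 1902, 2944, 1287]
HUMAN = [180, 145, 210, 95, 320, 160,                   # plausible human typing
         230, 175, 140, 260, 120, 190]


def speed_only_check(intervals: List[int], min_median_ms: float = 40.0) -> bool:
    """The 'machine-like speed' heuristic on its own: flags the session
    only when the median gap between keystrokes is implausibly short."""
    return median(intervals) < min_median_ms


def layered_check(intervals: List[int],
                  min_median_ms: float = 40.0,
                  max_median_ms: float = 600.0,
                  max_slow_fraction: float = 0.25,
                  min_cv: float = 0.15) -> List[str]:
    """Combines several timing features. Returns the reasons a session
    looks automated; an empty list means it passed every check."""
    reasons = []
    med = median(intervals)
    if med < min_median_ms:
        reasons.append("too fast")
    # Uniform 300-3,000 ms pauses are far slower than a person typing a
    # credential they know; humanising the delay overshoots the target.
    if med > max_median_ms:
        reasons.append("too slow")
    slow = sum(1 for d in intervals if d > 1000) / len(intervals)
    if slow > max_slow_fraction:
        reasons.append("too many >1 s pauses")
    mean = sum(intervals) / len(intervals)
    if mean > 0:
        var = sum((d - mean) ** 2 for d in intervals) / len(intervals)
        cv = var ** 0.5 / mean              # coefficient of variation
        if cv < min_cv:                     # constant delays have ~zero spread
            reasons.append("too regular")
    return reasons


if __name__ == "__main__":
    samples = {"paste": PASTE, "fixed bot": FIXED_BOT,
               "humanised bot": HERODOTUS_LIKE, "human": HUMAN,
               "generated humanised": humanised_delays(12, seed=1)}
    for name, log in samples.items():
        print(f"{name:20s} speed-only={speed_only_check(log)!s:5s} "
              f"layered={layered_check(log)}")
```

The speed-only check flags the pasted value and the fixed-delay bot but passes the humanised bot, which is exactly the gap the malware author is exploiting. The layered check still catches it, because uniform 300-3,000 ms pauses are both far slower and far more pause-heavy than a person typing a password they know. A real engine would add more signals (press-to-release timing, touch pressure and position, device posture), which is the point of the layered approach discussed later in the article.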
“Herodotus, unlike many other banking Trojans, is one of the first to attempt to humanise remote actions,” explains ThreatFabric. “By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions spotting machine-like speed of text input.”
So far, ThreatFabric has observed several active campaigns using Herodotus to target users in Italy and Brazil. In Italy, the malware was disguised under the application name “Banca Sicura” (or “Safe Bank”); in Brazil, it was disguised as “Modulo Seguranca Stone,” a fake security module for a Brazilian payment acquirer.
In its analysis of these campaigns, the company also noted that Herodotus’ overlay pages have been seen targeting financial organizations in the US, UK, Turkey, and Poland, as well as cryptocurrency wallets and exchanges.
“Considering that the malware is still in active development state, we can expect Herodotus further evolving and used widely in global campaigns,” the researchers said.
Staying Safe
To avoid falling victim to a Herodotus attack, Android users should avoid installing APK files from outside Google Play and should ensure that Play Protect is active on their device. As general best practice, mobile users should also review the permissions of newly installed apps and revoke any that are high-risk. Accessibility service access deserves particular scrutiny: it is not an ordinary runtime permission but a setting the user must switch on, and overlay-based banking Trojans depend on it to read screen content and inject input, so it should be granted only to apps with a clear need for it.
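For a practitioner triaging a device rather than advising an end user, the checks above can be scripted over adb. The script below is an added example (not from the article) and assumes adb with USB debugging enabled when run with `--device`; its two parsing functions work on the output formats of `settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and `pm list packages -3 -i` (`package:<name>  installer=<installer>`), and are exercised here on constructed sample output so the script can also run offline.

```sh
#!/bin/sh
# Added example: list sideloaded third-party apps and the packages that
# currently hold Accessibility service access on an Android device.
# Assumes adb on PATH and USB debugging when invoked with --device.

# Turn the value of `settings get secure enabled_accessibility_services`
# ("pkg/Service:pkg2/Service2", or "null" when none) into one package per line.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed 's#/.*##' | sed '/^null$/d;/^$/d'
}

# Read `pm list packages -3 -i` lines on stdin and print the packages whose
# installer is not Google Play (com.android.vending), i.e. sideloaded ones.
sideloaded_packages() {
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}
        case "$line" in
            *installer=com.android.vending*) ;;
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

if [ "${1:-}" = "--device" ]; then
    echo "== third-party apps not installed from Google Play =="
    adb shell pm list packages -3 -i | sideloaded_packages
    echo "== packages with Accessibility service access =="
    accessibility_packages "$(adb shell settings get secure enabled_accessibility_services)"
else
    # Constructed sample output, used so the parsing runs without a device.
    echo "== sample: sideloaded =="
    printf 'package:com.example.bancasicura  installer=null\npackage:com.bank.real  installer=com.android.vending\n' | sideloaded_packages
    echo "== sample: accessibility =="
    accessibility_packages "com.example.bancasicura/.AccService:com.android.talkback/.TalkBackService"
fi
```

Any third-party app that is both sideloaded and holds Accessibility access is worth a closer look; an app that calls itself a bank or a security module but was not installed from Play is the pattern the Italian and Brazilian campaigns used.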
The Bigger Picture
The Malware-as-a-Service model is making cybercrime increasingly accessible. Under this model, prospective cybercriminals no longer need to be able to develop their own malware; they simply visit an underground forum and rent or buy someone else’s malicious code.
At the same time, Herodotus’ evasion technique shows why organizations need a layered approach to identity and fraud controls. Behavioral biometrics are often treated as one of the more reliable signals for telling a person from automation, but a control that keys on a single feature such as typing speed can be gamed with a few lines of delay code, so behavioral signals alone are no longer strong enough to stop this type of attack.