New Android malware mimics human typing to evade detection, steal money
Researchers have discovered a new Android banking malware called Herodotus that evades detection by mimicking human behavior when remotely controlling infected devices.
The malware — developed by a little-known hacker who goes by the name K1R0 — can take full control of a victim’s phone to steal money from banking apps and online accounts. According to a report released Tuesday by Dutch cybersecurity firm ThreatFabric, the developer has advertised plans to sell the tool as a service on underground forums.
Researchers said they have observed active campaigns using the malware in Italy and Brazil. In Italy, Herodotus disguised itself as an app called Banca Sicura (“Safe Bank”), while in Brazil it posed as Modulo Seguranca Stone, likely pretending to be a security module for a local payment provider.
ThreatFabric also found fake overlay pages that Herodotus can display on top of legitimate apps used by banks and cryptocurrency platforms in the U.S., U.K., Turkey, Poland and other countries.
“Considering that the malware is still in an active development stage, we can expect Herodotus to further evolve and be used widely in global campaigns,” the company said.
Herodotus works like many modern Android banking trojans. Operators distribute it through SMS messages that trick users into downloading a malicious installer. Once installed, the malware waits for a targeted app to open and then overlays a fake screen that mimics the real banking or payment interface to steal credentials. It also intercepts incoming SMS messages to capture one-time passcodes and exploits Android’s accessibility features to read what’s shown on the device screen.
What makes Herodotus unusual, ThreatFabric said, is that it tries to “humanize” the actions attackers perform during remote control. Instead of pasting account or transaction details into form fields all at once — a behavior that can easily be flagged as automated — the malware types each character separately with random pauses of about 0.3 to 3 seconds between keystrokes, imitating how a real person would type.
ThreatFabric warned that the rise of mobile malware like Herodotus poses new challenges for banks and payment providers. Fraud controls that rely mainly on factors such as interaction tempo and keystroke cadence can still detect suspicious activity, but they are most effective when paired with other security measures that monitor not only user behavior but also the device environment to identify threats like Herodotus, the company added.
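The pairing of cadence checks with device-environment signals described above, as an added example that is not from the article or from ThreatFabric's report. The scoring weights, the `accessibility_service_active` and `overlay_active` field names, and the assumption that genuine typing includes some gaps shorter than 0.3 seconds are illustrative, and the keystroke timings are constructed.

```python
from itertools import accumulate

# Pause range the article reports for Herodotus: about 0.3 to 3 seconds per keystroke.
PAUSE_MIN, PAUSE_MAX = 0.3, 3.0

def gaps(timestamps):
    """Seconds between consecutive key events in one form field."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def cadence_flag(timestamps, min_keys=8):
    """Classify one field's typing rhythm: 'bulk_fill', 'padded_delays' or 'none'."""
    g = gaps(timestamps)
    if len(timestamps) < min_keys:
        return "none"                      # too little data to judge
    if max(g) < 0.01:
        return "bulk_fill"                 # whole value arrived at once
    # Assumption: a person typing 8+ characters produces at least one gap
    # shorter than 0.3 s, so "every gap inside the window" is unusual.
    if all(PAUSE_MIN <= x <= PAUSE_MAX for x in g):
        return "padded_delays"
    return "none"

def risk_score(timestamps, device):
    """Combine the cadence flag with device-environment signals (hypothetical keys)."""
    score = {"bulk_fill": 2, "padded_delays": 1, "none": 0}[cadence_flag(timestamps)]
    if device.get("accessibility_service_active"):   # screen-reading path is in use
        score += 2
    if device.get("overlay_active"):                 # window drawn over the banking app
        score += 2
    return score

def stamps(gap_list, start=0.0):
    """Build constructed key-event timestamps from a list of gaps."""
    return list(accumulate(gap_list, initial=start))

# Constructed sample sessions (not real telemetry).
HUMAN = stamps([0.12, 0.09, 0.21, 0.45, 0.08, 0.15, 0.11, 0.62, 0.10])
PADDED = stamps([0.9, 2.1, 0.4, 1.7, 0.6, 2.8, 1.2, 0.5, 1.9])
BULK = [5.0] * 10

if __name__ == "__main__":
    clean = {}
    flagged = {"accessibility_service_active": True, "overlay_active": True}
    for name, ts, dev in [("human", HUMAN, clean), ("padded", PADDED, clean),
                          ("padded+device", PADDED, flagged), ("bulk", BULK, clean)]:
        print(name, cadence_flag(ts), risk_score(ts, dev))
```

On the constructed data, the padded session scores low on cadence alone and only stands out once the device signals are added, which is the point ThreatFabric makes about combining the two.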
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.



