434/68 Thursday, October 30, 2025

Researchers at ThreatFabric have revealed details of an Android banking trojan named Herodotus, used in campaigns targeting users in Italy and Brazil. The malware was marketed on underground forums from September 7, 2025, under a Malware-as-a-Service (MaaS) model and supports Android versions 9–16. Its developers borrowed techniques from earlier trojans such as Brokewell (code obfuscation and some structural similarities) but added new capabilities focused on Device Takeover (DTO) rather than merely credential theft.
Herodotus is distributed via fake apps impersonating Google Chrome (package com.cd3.app), with installation links delivered through SMS phishing and social-engineering lures. The malware abuses the Accessibility API to control the device UI: it displays overlay screens that spoof banking login pages, intercepts two-factor authentication (2FA) data, escalates privileges, captures PINs or lock-pattern inputs, installs APKs remotely, and records screenshots and webcam images.
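Because the trojan's device-control capabilities all hinge on an enabled accessibility service, one quick defender-side triage step is to review which accessibility services a device has enabled and flag any that are unexpected. The script below is an added example, not code from ThreatFabric or the article: it parses the value returned by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/class` names), reports any service whose package is not on an assumed allowlist, and tags a direct match on the `com.cd3.app` package the article associates with the fake Chrome dropper. The allowlist contents and the sample input strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from ThreatFabric or the article): triage the list of
# enabled Android accessibility services for a banking-trojan indicator.
#
# Input: the output of
#   adb shell settings get secure enabled_accessibility_services
# which is a colon-separated list of flattened component names (pkg/class).

# Package the article names for the fake-Chrome dropper used by Herodotus.
HERODOTUS_PKG="com.cd3.app"

# Assumption: packages an organisation expects to run accessibility services
# (edit for your fleet; TalkBack is used here purely as a plausible entry).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# Prints one line per enabled service that is either the known IoC package or
# not on the allowlist. Returns 1 if anything was flagged, 0 otherwise.
flag_accessibility_services() {
    list="$1"
    found=0

    # Split the colon-separated list into positional parameters.
    old_ifs="$IFS"
    IFS=':'
    set -- $list
    IFS="$old_ifs"

    for svc in "$@"; do
        [ -z "$svc" ] && continue
        pkg="${svc%%/*}"          # package name is everything before the slash
        if [ "$pkg" = "$HERODOTUS_PKG" ]; then
            echo "KNOWN-IOC $svc"
            found=1
            continue
        fi
        allowed=0
        for a in $ALLOWED_PKGS; do
            [ "$a" = "$pkg" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "UNEXPECTED $svc"
            found=1
        fi
    done
    return $found
}

# Usage on a connected device (requires adb; not run here):
#   flag_accessibility_services "$(adb shell settings get secure enabled_accessibility_services)"
```

A hit on an unexpected service is a prompt to inspect the package (signer, install source, requested permissions) rather than proof of compromise; the value of the check is that it is cheap to run across many devices and catches the one permission the malware cannot work without.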
A distinguishing feature of Herodotus is its ability to simulate human behavior: it injects randomized delays of 300–3,000 milliseconds between keystrokes to evade detection systems that flag robotic typing speeds. ThreatFabric notes that Herodotus is under active development and is expanding its targets to financial institutions in the United States, the United Kingdom, Turkey and Poland, as well as crypto wallets and cryptocurrency exchange platforms.
Source: https://thehackernews.com/2025/10/new-android-trojan-herodotus-outsmarts.html
