A sophisticated banking trojan named Herodotus has emerged as a significant threat to Android users worldwide.
Operating as Malware-as-a-Service, this malicious application disguises itself as a legitimate tool to trick users into downloading and installing an APK file outside the official Play Store.
Once installed on a device, the trojan gains access to critical system permissions and can execute banking operations directly on behalf of the compromised user.
The threat represents a concerning evolution in mobile malware, particularly because it remains largely invisible to traditional signature-based antivirus solutions even though its behaviour on the device is plainly malicious.
The malware spreads primarily through SMS phishing campaigns, with attackers sending deceptive links that direct victims to fraudulent download pages.
Users unknowingly install the APK and grant Herodotus sensitive permissions, including the Android accessibility service, which lets it read screen content and inject input on the victim's behalf.
Pradeo security analysts identified that the trojan then deploys overlay attacks by displaying fake screens on top of legitimate banking applications, enabling credential theft and session hijacking.
Detection Evasion: The Humanization Technique
Herodotus employs sophisticated evasion tactics specifically designed to bypass modern anti-fraud detection systems.
The malware “humanizes” its malicious actions through deliberate random delays, micro-movements, and realistic typing patterns.
This behavioral approach makes automated detection significantly more challenging.
The trojan captures both screen content and keystroke data, allowing attackers to monitor user activity in real time and perform transactions while the victim remains logged into their banking session.
Pradeo security analysts noted that when they searched for Herodotus samples in a leading antivirus provider's signature database, the application triggered no alerts whatsoever.
This failure occurred despite the malware being easily identifiable through basic search engine queries. Traditional antivirus solutions typically rely on known signatures and previously observed behavioural patterns.
Herodotus slips past these defenses because each step of its chain looks innocuous on its own: the initial access vector is an SMS phishing link, the installation is a user-approved sideload from an unknown source, and the dangerous activity only begins after the user has explicitly granted the requested permissions, so there is no single signature or behaviour for a conventional scanner to match.
Effective defense requires detecting multiple indicators of compromise working in sequence: suspicious SMS links, installations from untrusted sources, critical permission requests, and behavioral anomalies including screen overlays and simulated interactions.
Individually, these signals may appear harmless, but their combination reveals an active attack that conventional antivirus protection consistently misses.
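The correlation the preceding paragraphs describe, written out as an added example (not Pradeo's detection logic or code from the original article): a small correlator that only raises an "attack" verdict when the indicators appear in sequence on one device, plus a timing-only keystroke check that shows why the "humanization" technique described above defeats detectors that look at a single signal. The event kinds, field names, time window, coefficient-of-variation threshold and the telemetry itself are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Indicator stages in the order the article describes them (stage names are assumed).
STAGES = ("sms_link_clicked", "sideload_install", "accessibility_granted", "overlay_shown")


@dataclass(frozen=True)
class Event:
    ts: float       # seconds; constructed timestamps, not real telemetry
    device: str
    kind: str       # one of STAGES, or any other telemetry kind
    detail: str = ""


def chain_progress(events, device, window_s=3600):
    """Return the stages seen for `device`, in order, within `window_s` of the first one.

    Only the next expected stage is accepted, so an out-of-order or stray signal
    (an overlay on its own, an install on its own) cannot complete the chain.
    """
    seen = []
    start = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.device != device or len(seen) == len(STAGES):
            continue
        if ev.kind != STAGES[len(seen)]:
            continue
        if start is None:
            start = ev.ts
        elif ev.ts - start > window_s:
            break  # chain went stale before completing
        seen.append(ev.kind)
    return seen


def verdict(events, device, window_s=3600):
    """'attack' only when the whole chain is present; partial chains are 'suspicious'."""
    seen = chain_progress(events, device, window_s)
    if len(seen) == len(STAGES):
        return "attack"
    if len(seen) >= 2:
        return "suspicious"
    return "benign"


def looks_scripted(intervals_s, cv_threshold=0.15):
    """Timing-only heuristic: near-constant inter-keystroke intervals suggest automation.

    Uses the coefficient of variation (stdev / mean); the threshold is an assumption.
    Humanized input with random delays keeps the CV high and passes this check,
    which is exactly why a single-signal detector is not enough.
    """
    if len(intervals_s) < 3:
        return False
    m = mean(intervals_s)
    return bool(m > 0 and pstdev(intervals_s) / m < cv_threshold)


# Constructed telemetry for three devices (no real hosts or packages).
EVENTS = [
    Event(0.0,   "dev-A", "sms_link_clicked", "link from phishing SMS"),
    Event(120.0, "dev-A", "sideload_install", "com.example.fake"),
    Event(400.0, "dev-A", "accessibility_granted", "com.example.fake"),
    Event(900.0, "dev-A", "overlay_shown", "over banking app"),
    Event(0.0,   "dev-B", "sms_link_clicked", "link from SMS"),
    Event(100.0, "dev-B", "sideload_install", "com.example.sideloaded"),   # chain stops here
    Event(0.0,   "dev-C", "overlay_shown", "chat bubble"),                  # overlay alone
]

# Constructed inter-keystroke intervals: a naive bot types at a fixed rate,
# a "humanized" bot jitters its delays like a person would.
BOT_INTERVALS = [0.05] * 8
HUMANIZED_INTERVALS = [0.11, 0.23, 0.09, 0.31, 0.17, 0.26, 0.14, 0.20]

if __name__ == "__main__":
    for dev in ("dev-A", "dev-B", "dev-C"):
        print(dev, chain_progress(EVENTS, dev), verdict(EVENTS, dev))
    print("bot scripted?", looks_scripted(BOT_INTERVALS))
    print("humanized scripted?", looks_scripted(HUMANIZED_INTERVALS))
```

The design point is that the verdict is a function of the sequence, not of any one event: dev-C's overlay alone and dev-B's sideload alone stay below the alert threshold, while dev-A's full chain within the window is flagged even though no individual event would match a signature. The timing check is deliberately the kind of single-signal heuristic that Herodotus' randomized delays are built to pass.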
