Advanced Android Trojan Evades Fraud Checks by Acting Human
A new Android banking trojan called Herodotus is gaining attention for its ability to imitate human behavior during fraud attempts. It is currently being used in active campaigns in Italy and Brazil, with indicators that it will soon expand into additional regions including the U.S., U.K., Turkey, Poland, and several crypto platforms.
Unlike older malware that simply steals usernames and passwords, Herodotus is built for live device takeover. Once installed, criminals can remotely control the victim’s phone, open banking apps, and approve transfers in real time, as if they were physically using the device.
This makes fraud harder to detect because the attack no longer relies only on stolen credentials—everything occurs within an active user session on the victim’s own device, which financial systems often treat as “trusted.”

Fig 1. Herodotus features listed on an underground forum. (Source: ThreatFabric)
How victims are infected and how access is obtained
Herodotus typically reaches victims through SMS phishing (smishing), where a text message pretends to come from a bank or security provider and urges the user to install a “security update” or app.
The downloaded file is a dropper app that looks legitimate—sometimes disguised as Chrome or a banking safety tool—but its only purpose is to install the malware payload.

Fig 2. The trojan disguised as the Chrome app. (Source: ThreatFabric)
Once opened, the app pushes the user to enable Android Accessibility Services, which grants wide control over the device. With this access, attackers can read the screen, press buttons, capture taps, and simulate user actions.
The trojan can display fake login screens on top of legitimate banking apps to steal credentials. It can also intercept text messages to steal two-factor codes and read everything visible on the display.
After gaining control, Herodotus often shows a blocking “loading” overlay to hide what it is doing in the background. While the victim sees what looks like system processing, the attacker may already be transferring funds or setting up future fraud.
Because everything appears to happen on the user’s own device, banks have fewer signals to warn that fraud is in progress.
What makes Herodotus more advanced and harder to spot
What separates Herodotus from many other Android trojans is its attempt to look human while committing fraud. Instead of injecting text instantly, it types character-by-character with random delays ranging from fractions of a second up to several seconds.
These subtle pauses copy real human typing patterns, helping the malware slip past anti-fraud systems that monitor the speed of input as a sign of automation. This makes detection harder even for newer preventive tools.
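To make the evasion concrete from the defender's side, the following added example (not code from the article or from ThreatFabric) runs two simple input-cadence heuristics of the kind the article describes over constructed keystroke timelines: a speed check (is the typical gap between keys too short for a person?) and a rhythm check (are the gaps suspiciously uniform?). The thresholds, the timelines, and the function names are all assumptions for illustration. Instant injection and fixed-interval scripted typing are caught, while a timeline with randomized gaps in the range the article reports passes both checks just as the human-paced sample does.

```python
"""Toy anti-fraud input-cadence checks (added example, not from the article).

Thresholds and keystroke timelines below are constructed assumptions.
"""
import statistics


def inter_key_intervals(timestamps):
    """Seconds between consecutive keystrokes; timestamps must be monotonic."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def build_timeline(intervals, start=0.0):
    """Turn a list of gaps into absolute keystroke timestamps (constructed data helper)."""
    timeline = [start]
    for gap in intervals:
        timeline.append(timeline[-1] + gap)
    return timeline


def flag_by_speed(timestamps, min_human_interval=0.08):
    """Speed heuristic: flag when the median gap is shorter than a person could type.

    0.08 s is an assumed threshold, not a value from the article.
    """
    gaps = inter_key_intervals(timestamps)
    if not gaps:
        return False
    return statistics.median(gaps) < min_human_interval


def flag_by_rhythm(timestamps, max_cv=0.05):
    """Rhythm heuristic: flag near-constant gaps (low coefficient of variation).

    Scripted typing with a fixed delay has almost no variation; 0.05 is an assumed cutoff.
    """
    gaps = inter_key_intervals(timestamps)
    if len(gaps) < 2:
        return False
    mean = statistics.mean(gaps)
    if mean == 0:
        return True  # zero time between keys is never human
    return statistics.stdev(gaps) / mean < max_cv


def classify(timestamps):
    """Return which heuristic fires first, or 'pass' if neither does."""
    if flag_by_speed(timestamps):
        return "flag:speed"
    if flag_by_rhythm(timestamps):
        return "flag:rhythm"
    return "pass"


# Constructed timelines (8 keystrokes each); none are captured from a real device.
INSTANT_INJECTION = build_timeline([0.001] * 7)          # text pasted in one burst
SCRIPTED_FIXED = build_timeline([0.5] * 7)               # automation with a constant delay
HUMAN_PACED = build_timeline([0.18, 0.22, 0.31, 0.15, 0.27, 0.41, 0.19])
# Randomized gaps between a fraction of a second and a few seconds, as the article describes.
JITTERED = build_timeline([0.4, 2.1, 0.7, 1.6, 0.3, 2.8, 1.1])


def run_all():
    """Classify every constructed timeline; used by the module's own demo and tests."""
    return {
        "instant": classify(INSTANT_INJECTION),
        "scripted_fixed": classify(SCRIPTED_FIXED),
        "human": classify(HUMAN_PACED),
        "jittered": classify(JITTERED),
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:15s} -> {verdict}")
```

The jittered timeline lands in the same "pass" bucket as the human-paced one for both checks, which is the gap the article is pointing at: cadence-only heuristics cannot separate randomized delays from a real person, so they should be treated as one weak signal rather than the deciding one.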
The malware is also being sold as Malware-as-a-Service (MaaS), which means cybercriminals no longer need to build malware themselves—they can simply rent and deploy it. This increases the number of threat actors who can use it and helps accelerate its spread.
For everyday users, the best protection is prevention. Avoid installing apps delivered by links in text messages, even if they appear urgent or official. Only install apps from trusted app stores, and be very cautious when any app requests Accessibility permissions without a clear purpose.
If your device suddenly displays unfamiliar “loading” screens, asks for repeated permissions, or your banking app behaves oddly, it may already be compromised.