A new and highly sophisticated Android banking trojan named "Herodotus" has been discovered in active campaigns. This malware is a significant step up from typical credential-stealing malware, as it's designed to outsmart the very anti-fraud systems built to protect you. Its main trick? It mimics human behavior to appear less like a bot.
Security researchers at ThreatFabric, who first detailed the malware, warn that it's being sold as a Malware-as-a-Service (MaaS) package, allowing it to be easily used by many different criminal groups. It primarily spreads through SMS phishing (SMiShing) and social engineering, tricking users into side-loading dropper apps that masquerade as legitimate software, such as a Google Chrome update.
Once installed, Herodotus abuses Android's Accessibility Services to gain powerful control over the infected device. It can grant itself permissions, intercept and steal 2FA codes from SMS, and use overlay screens to steal credentials. But its most dangerous feature is its ability to "humanize" fraud. When conducting a remote-control attack, the malware can introduce random delays as it types text, simulating the natural, imperfect keystroke patterns of a real person.
This behavior is a direct assault on modern anti-fraud systems, many of which rely on behavioral biometrics—like the speed and timing of your typing—to differentiate a legitimate user from an automated bot. By defeating this check, Herodotus can perform a device takeover (DTO) attack, accessing a user's bank account and conducting fraudulent transactions in a way that looks completely legitimate to the bank's security systems.
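To make the defender's side of this concrete, here is an added illustration (not ThreatFabric's code and not anything taken from the malware) of two keystroke-timing checks an anti-fraud pipeline might run on a login: the naive "are the intervals too regular?" check that random typing delays defeat, and a per-user rhythm baseline that a scripted session still has to match. Every timing value, the enrolled sessions and the thresholds are constructed sample data and assumed settings, not figures from the report.

```python
"""Keystroke-rhythm check for a server-side anti-fraud pipeline.

Added illustration for this article (not ThreatFabric's or the malware's
code): it contrasts a naive "are the keystroke intervals too regular?"
check, which random delays defeat, with a per-user baseline of typing
rhythm, which a scripted session still has to match. All timings below are
constructed sample data in milliseconds, not captured from any device.
"""
from statistics import mean, pstdev
from typing import Dict, List

# Constructed enrolment data: inter-keystroke intervals (ms) recorded on
# three earlier, verified logins by the legitimate account holder.
ENROLLED_SESSIONS: List[List[float]] = [
    [180, 210, 160, 240, 190, 170, 230, 200, 160, 220],
    [190, 170, 220, 200, 180, 250, 160, 210, 190, 180],
    [200, 230, 170, 190, 210, 160, 240, 180, 200, 220],
]

# Illustrative thresholds (assumed, not from the report): tune per deployment.
REGULARITY_CV_MIN = 0.05   # below this the rhythm is metronome-like
BAND_SIGMAS = 3.0          # baseline band = mean +/- 3 sd
MAX_OUT_OF_BAND = 0.30     # flag if more than 30% of intervals leave the band


def build_profile(sessions: List[List[float]]) -> Dict[str, float]:
    """Pool the user's enrolled intervals into a mean and standard deviation."""
    pooled = [iv for session in sessions for iv in session]
    return {"mean": mean(pooled), "sd": pstdev(pooled)}


def coefficient_of_variation(intervals: List[float]) -> float:
    """sd / mean: ~0 for a fixed-delay script, roughly 0.1-0.3 for human typing."""
    return pstdev(intervals) / mean(intervals)


def check_session(intervals: List[float], profile: Dict[str, float]) -> Dict[str, object]:
    """Score one login's keystroke intervals against the user's profile.

    regularity_flag: the naive check; trips only on near-constant intervals.
    baseline_flag:   the rhythm check; trips when the intervals do not fit
                     the band this user has historically produced.
    """
    cv = coefficient_of_variation(intervals)
    low = profile["mean"] - BAND_SIGMAS * profile["sd"]
    high = profile["mean"] + BAND_SIGMAS * profile["sd"]
    out_of_band = sum(1 for iv in intervals if iv < low or iv > high) / len(intervals)
    regularity_flag = cv < REGULARITY_CV_MIN
    baseline_flag = out_of_band > MAX_OUT_OF_BAND
    return {
        "cv": round(cv, 3),
        "out_of_band": round(out_of_band, 2),
        "regularity_flag": regularity_flag,
        "baseline_flag": baseline_flag,
        "verdict": "review" if (regularity_flag or baseline_flag) else "pass",
    }


# Constructed sessions to score: the real user again, a script that types with
# a constant delay, and a script that inserts random delays between keystrokes.
GENUINE = [170, 220, 190, 240, 160, 200, 210, 180, 230, 190]
FIXED_DELAY_BOT = [50] * 10
RANDOMISED_BOT = [310, 620, 450, 980, 720, 380, 850, 540, 290, 760]


if __name__ == "__main__":
    profile = build_profile(ENROLLED_SESSIONS)
    for name, session in [("genuine", GENUINE),
                          ("fixed-delay bot", FIXED_DELAY_BOT),
                          ("randomised bot", RANDOMISED_BOT)]:
        print(name, check_session(session, profile))
```

With this data the genuine session passes both checks, the fixed-delay script trips both, and the randomised script slips past the regularity check (its coefficient of variation looks human) but still trips the baseline check because its intervals sit far outside the band this user has produced before. The caveat is that a randomised session whose delays happen to land inside the user's band would pass, so timing is one signal to combine with others, such as whether an accessibility service is driving input on the device.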
The malware is currently targeting users in Italy and Brazil, but researchers found overlay pages for financial institutions in the U.S., Turkey, the U.K., and Poland. This indicates the operators are actively planning to expand their operations. For all Android users, this serves as a critical reminder to never install applications from untrusted sources outside of the official Google Play Store and to be extremely skeptical of any unexpected text messages urging you to download an update.