Herodotus: The Android Trojan That Types Like Humans

October 29, 2025
Sourabh
Trends & Innovations
10 min read

Herodotus, a new Android banking Trojan, mimics human typing with randomized delays to bypass behavioural anti-fraud systems and steal funds.

A new Android banking Trojan called Herodotus has arrived on the mobile threat landscape with a deceptively simple trick: instead of blasting keystrokes and commands into a victim device at machine speed, it deliberately slows down and randomizes input to mimic human typing. The result is a malware family built specifically to confuse timing-based fraud detection and behavioural-biometric engines that many banks and anti-fraud vendors now rely on to spot automated attacks. Security researchers say Herodotus is already active in targeted campaigns and is even being advertised as Malware-as-a-Service (MaaS), making it worryingly accessible to a wide range of criminals.

What makes Herodotus different?

Most modern Android banking Trojans use Accessibility Services and remote-control techniques to take over an infected phone, stream the screen to an operator, inject input, and harvest credentials or perform fraudulent transactions. Herodotus follows that well-worn playbook — but with a twist: it injects randomized pauses between synthetic keystrokes and touch events, deliberately imitating the natural variance you’d expect from a real user typing on a smartphone. That makes the automated input look far more like human interaction and therefore less likely to trigger heuristics that flag robotic behaviour.

ThreatFabric, the mobile-threat intelligence firm that first documented the family, reported that Herodotus inserts delays on the order of several hundred to a few thousand milliseconds between individual input events — timing patterns that overlap with real human cadence. In plain terms: where older malware would type “password123” as a rapid burst of machine events, Herodotus will pause, hesitate, and vary the intervals so the final input looks like something typed by a person.

How it spreads and takes hold

Researchers observed Herodotus in active campaigns targeting at least Italy and Brazil, with distribution methods that include side-loading and SMiShing (SMS phishing links). Victims are lured to install a dropper that subsequently requests powerful permissions and enables Accessibility Services — the same capability abused by many banking Trojans to read the screen, interact with UI elements, and inject input. To disguise these permission requests, the dropper often displays a fake loading or configuration overlay so victims are less likely to notice the background activity.

Once installed and granted Accessibility privileges, Herodotus is capable of typical device takeover behaviour: obtaining credentials, logging keystrokes, streaming the screen to an operator, and remotely controlling apps to perform fraudulent operations. But because it intentionally randomises input timing, it can execute those operations while reducing the chance that an anti-fraud engine which looks for mechanical or perfectly regular input patterns will raise an alarm. 

Links to existing malware families — and MaaS

ThreatFabric’s analysis shows that Herodotus borrows techniques and code patterns from other mobile malware families — notably Brokewell — while stitching in original components. That suggests Herodotus is not an isolated experiment but a pragmatic, modular toolset that can be iterated and improved quickly. Researchers also found evidence the author (or authors) had advertised Herodotus on underground forums as a MaaS offering, potentially lowering the barrier to entry for less-skilled criminals. 

The MaaS model matters because it turns sophisticated techniques into commodity services: an operator doesn’t need deep reverse-engineering skills to run high-end fraud campaigns if the malware and control panels are available for rent. Combined with distribution through social engineering (smishing, side-load distribution pages), that makes Herodotus a threat capable of scaling quickly. 

Why behaviour-based anti-fraud systems are vulnerable

Banks and payment providers have increasingly adopted behavioural biometrics — systems that profile how a user types, swipes, scrolls, and interacts with apps — to detect anomalies that would indicate fraud. These systems are a valuable second line of defence beyond passwords and device fingerprints, because they can catch session-takeover attempts even if the attacker has credentials and a compromised device. But Herodotus exposes a blind spot: many behaviour-based engines focus heavily on timing signals (keystroke cadence, inter-keystroke latency, typing speed), and if malware can emulate those timing signals convincingly, it can lower its risk score and proceed undetected. 

ThreatFabric warns that simpler behavioural detection models that only compute a single metric for input timing are especially susceptible: those systems may see the human-like cadence injected by Herodotus and mark the session as low risk. More advanced systems that model a user’s full behavioural profile — including device posture, sensor noise, contextual factors like screen orientation, and long-term behavioural baselines — will fare better, but even those systems must be tuned carefully and combined with other signals to remain effective. 

Practical implications for financial institutions

The arrival of Herodotus is a reminder that attackers constantly adapt to defensive advances. For banks and fintechs, the immediate takeaways are clear:

  • Don’t rely on single-signal behavioural checks. Timing or keystroke cadence alone is an attractive but fragile heuristic. Fraud engines should blend behavioural biometrics with device integrity proofs, network telemetry, geolocation, and anomaly detection across sessions. 

  • Harden onboarding and permission flows. Device-takeover malware often depends on tricking users into granting Accessibility privileges. Stronger in-app education, permission hardening, and alerting when Accessibility services are active can reduce successful installations. 

  • Monitor for MaaS-style indicators. Campaigns that use common dropper infrastructure, shared C2 patterns, or forum-announced tools can be detected quickly through threat intelligence feeds. Sharing IOC (indicator of compromise) details across institutions speeds collective detection and response.

What users should do

End users remain the first line of defense. Herodotus spreads through social engineering and sideloading, so basic hygiene matters:

  • Install apps only from official stores. Sideloaded APKs are a common vector for mobile malware. Avoid installing apps from unknown links or SMS offers. 

  • Be wary of SMS links and unexpected messages. SMiShing remains effective: if an SMS urges you to install an app or follow a link, verify the sender through another channel. 

  • Watch for unusual permission prompts. If an app suddenly asks for Accessibility or device admin permissions and you don’t understand why, deny the request and uninstall the app. Legitimate apps rarely need full Accessibility access unless they’re assistive tools. 

Detection: what defenders can look for

Security teams and endpoint vendors should update detection signatures and behavioural rules to look for Herodotus-style patterns, but not only the “typing like a human” behaviour — which is precisely what the malware is trying to fake. Useful signals include:

  • The presence of dropper overlays that try to mask permission grants (fake loading screens). These overlays are atypical in legitimate apps and can be flagged. 

  • Unusual Accessibility activations that coincide with screen-streaming or unknown background services. Monitoring which apps toggle Accessibility and when is high-value telemetry. 

  • Shared developer or C2 infrastructure with known families (e.g., Brokewell hooks), which can indicate Herodotus or related toolkits. Threat intelligence sharing helps here. 

Importantly, defenders should treat the human-like input as a red flag when seen in conjunction with other suspicious indicators — because the very existence of “humanised automation” is itself suspicious.

Longer-term responses: threat modelling and layered defence

Herodotus exemplifies a class of attacks that aim to blend sophisticated automation with plausible human behaviour. Defenders should adopt a layered approach:

  1. Device attestation and hardware-backed identity: Use platform attestation techniques (SafetyNet, Play Integrity, hardware keys) to ensure the device environment isn’t compromised. Integrate attestation outcomes into real-time risk scoring.

  2. Multiplexed risk signals: Combine behavioural biometrics with device telemetry, network context (e.g., sudden VPNs or anonymizing proxies), geolocation anomalies, and transaction risk rules. No single signal should be decisive.

  3. Continuous monitoring and rapid revocation: Treat device compromise as an ongoing risk — keep sessions short, require re-authentication for sensitive flows, and use automated session revocation when suspicious patterns emerge. 

  4. Threat intelligence collaboration: Share IOCs, samples, and indicators of campaign infrastructure across banks, vendors, and national CERTs to reduce the window of exposure. Herodotus’s MaaS marketing means many institutions could be hit by similar patterns if intelligence isn’t shared. 
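As an added illustration (not code from the article or from ThreatFabric) of the single-signal weakness discussed under “Why behaviour-based anti-fraud systems are vulnerable” and of the multi-signal scoring the layered defence above calls for: a small Python risk scorer run over constructed session telemetry. The 300-3000 ms cadence, the user baseline figures, the weights and thresholds, the Play Integrity-style verdict labels and the package name are all assumptions chosen for the example.

```python
from statistics import mean, pstdev

def inter_event_gaps_ms(timestamps_ms):
    """Milliseconds between consecutive input events."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]

def single_metric_check(timestamps_ms, robotic_max_ms=120):
    """Naive rule: flag only machine-fast input. Randomised 300-3000 ms
    delays pass this, which is the blind spot Herodotus aims at."""
    return mean(inter_event_gaps_ms(timestamps_ms)) < robotic_max_ms

def baseline_deviation(gaps_ms, baseline_mean, baseline_sd):
    """Distance of the session cadence from the user's own baseline on both
    mean and spread: uniform 300-3000 ms gaps are far wider than steady typing."""
    mean_z = abs(mean(gaps_ms) - baseline_mean) / baseline_sd
    spread_ratio = pstdev(gaps_ms) / baseline_sd
    return max(mean_z, spread_ratio)

def session_risk(session, baseline):
    """Blend independent signals into a 0-100 score; none is decisive alone.
    Weights and thresholds are illustrative assumptions, not vendor values."""
    gaps = inter_event_gaps_ms(session["key_events_ms"])
    score = 0
    if single_metric_check(session["key_events_ms"]):
        score += 40  # machine-speed input
    if baseline_deviation(gaps, baseline["mean_ms"], baseline["sd_ms"]) > 3.0:
        score += 30  # cadence unlike this user's history
    if session["attestation"] != "MEETS_DEVICE_INTEGRITY":
        score += 30  # device integrity verdict (Play Integrity-style label) not met
    if session["accessibility_pkg"] not in baseline["known_accessibility_pkgs"]:
        score += 30  # an Accessibility service this user never had is active
    return min(score, 100)

# Constructed baseline for one user: ~220 ms between keystrokes, sd 60 ms,
# and no Accessibility service ever active during banking sessions.
USER_BASELINE = {"mean_ms": 220.0, "sd_ms": 60.0, "known_accessibility_pkgs": {None}}

# Constructed session resembling humanised automation: gaps spread across the
# 300-3000 ms range, weaker integrity verdict, unknown Accessibility package.
HUMANISED_AUTOMATION = {
    "key_events_ms": [0, 2450, 2790, 3810, 6750, 8020, 8390, 10900],
    "attestation": "MEETS_BASIC_INTEGRITY",
    "accessibility_pkg": "com.example.unknown",  # placeholder package name
}

# Constructed session consistent with the user's baseline on every signal.
GENUINE_SESSION = {
    "key_events_ms": [0, 210, 450, 640, 900, 1100, 1360, 1540],
    "attestation": "MEETS_DEVICE_INTEGRITY",
    "accessibility_pkg": None,
}
```

The naive timing check alone never fires on the humanised session; the blended score does, driven by the cadence mismatch against this user's history and by the attestation and Accessibility telemetry.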

What researchers found in the code: a technical snapshot

Reverse engineers who inspected Herodotus found code reuse and modular design patterns: encrypted strings handled in native code, obfuscation to complicate static analysis, and routines designed to randomise input timing between roughly 300 ms and 3000 ms — deliberately chosen to overlap with plausible human delays. The dropper’s use of fake loading screens to stealthily enable Accessibility Services was also documented. These design choices point to a threat actor who understands both the defensive landscape and the points of trust that institutions rely on.

Final thoughts: an arms race in user behaviour

Herodotus doesn’t invent new capabilities so much as refine the art of deception: it weaponises nuance — tiny timing variations and carefully obscured permission flows — to make fraudulent sessions look ordinary. That’s a sobering reminder that defenders must continually evaluate which user behaviours are truly reliable signals of authenticity and which can be mimicked. Behavioural biometrics remain a valuable tool, but they are not a silver bullet. The most resilient defences will be those that combine strong device attestation, layered behavioural signals, vigilant telemetry, and user education to make the cost and complexity of successful fraud higher than the payoff.
