When cybersecurity firm ThreatFabric first analyzed “Herodotus,” a newly discovered Android Trojan, researchers noticed something uncanny — the malware typed like a person. It introduced random pauses between keystrokes, mimicking human typing rhythm to avoid detection by anti-fraud systems that monitor machine-like patterns of interaction.
The Trojan, which has been spotted in active campaigns targeting users in Italy and Brazil, uses this behavior to perform full-scale device takeover (DTO) attacks — allowing cybercriminals to operate victims’ phones in real time, as if they were legitimate users.
The Rise of ‘Humanized’ Malware
According to ThreatFabric, Herodotus delays its input by 300 to 3,000 milliseconds, a subtle variation that mirrors how humans naturally type or tap. By creating these randomized intervals, the malware avoids triggering behavioral biometrics alarms used by banks and fintech apps.
“It’s an attempt to humanize fraud,” ThreatFabric said in its report. “Herodotus makes remote fraud look like a normal user session.”
This tactic builds on earlier malware such as Brokewell, from which Herodotus borrows elements like obfuscation methods and system persistence tools. Security analysts believe the Trojan is part of the growing malware-as-a-service (MaaS) ecosystem — an underground market where sophisticated attack kits are rented to criminal groups worldwide.
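The 300 to 3,000 millisecond delay described above is itself measurable from the defender's side. The following is an added example, not code from ThreatFabric's report or any anti-fraud product: it flags text-entry sessions whose inter-key gaps never leave that window and are spread evenly across it. The minimum event count, the 5% Kolmogorov-Smirnov cutoff, the premise that genuine typing gaps cluster rather than spread evenly, and all sample sessions are assumptions constructed for illustration.

```python
import math

# Delay window this page reports for Herodotus text input, in milliseconds.
LOW_MS, HIGH_MS = 300, 3000
MIN_EVENTS = 20     # assumption: fewer intervals than this is too little to judge
KS_COEFF = 1.36     # coefficient of the asymptotic 5% one-sample KS critical value

def ks_vs_uniform(intervals_ms, low=LOW_MS, high=HIGH_MS):
    """Kolmogorov-Smirnov distance between the sample and Uniform(low, high)."""
    xs = sorted(intervals_ms)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs, start=1):
        cdf = min(1.0, max(0.0, (x - low) / (high - low)))
        d = max(d, i / n - cdf, cdf - (i - 1) / n)
    return d

def assess_session(intervals_ms):
    """Return (verdict, ks_distance) for one text-entry session."""
    n = len(intervals_ms)
    if n < MIN_EVENTS:
        return "insufficient_data", None
    # Signal 1: not a single interval falls outside the reported window.
    all_inside = all(LOW_MS <= x <= HIGH_MS for x in intervals_ms)
    # Signal 2: inside the window the gaps are spread flat, not clustered.
    d = ks_vs_uniform(intervals_ms)
    flat = d < KS_COEFF / math.sqrt(n)
    return ("review" if all_inside and flat else "pass"), d

# Constructed inter-key intervals (ms); none of these are captured data.
FAST_TYPIST = [95, 140, 210, 180, 120, 640, 160, 230, 110, 175,
               1250, 130, 205, 150, 90, 310, 145, 185, 220, 125]
SLOW_TYPIST = [420, 510, 380, 640, 720, 455, 560, 830, 395, 610,
               480, 690, 350, 770, 530, 900, 445, 585, 660, 505]
FLAT_DELAYS = [412, 2875, 1630, 955, 2210, 347, 1888, 2640, 1204, 731,
               2990, 1475, 560, 2395, 1760, 1050, 2105, 860, 2760, 1340]

if __name__ == "__main__":
    for name, data in [("fast typist", FAST_TYPIST), ("slow typist", SLOW_TYPIST),
                       ("flat delays", FLAT_DELAYS), ("too short", FAST_TYPIST[:5])]:
        verdict, d = assess_session(data)
        print(f"{name:12s} {verdict:18s} ks={d if d is None else round(d, 3)}")
```

A "review" verdict is one signal to weigh alongside other session risk indicators, not proof of automation. The slow-typist sample shows why the distribution test is needed: every gap is above 300 ms, yet the gaps cluster and the session passes.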
How Herodotus Operates
The Trojan is distributed through phishing and smishing campaigns, often disguised as legitimate apps such as Google Chrome. Once installed, it abuses Android’s accessibility services — a frequent target for malware — to overlay fake login screens, intercept SMS-based two-factor authentication (2FA) codes, and even capture the lock screen PIN or pattern.
Herodotus can stream the victim’s screen in real time, log keystrokes, and intercept push notifications. Its primary goal is to facilitate financial fraud by hijacking ongoing sessions inside banking or cryptocurrency apps, rather than merely stealing static credentials.
ThreatFabric identified overlay pages used by Herodotus to target financial organizations not just in Italy and Brazil, but also in the U.S., U.K., Turkey, and Poland, indicating a deliberate expansion into high-value markets.
The Next Phase of Fraud Automation
What sets Herodotus apart from traditional Trojans is its mimicry of human behavior. By deliberately delaying its digital actions, the malware blends into the behavioral profile of genuine users, a capability that challenges the very premise of security based on behavioral biometrics.
Its modular design, persistent execution, and global targeting strategy suggest it is still in active development, optimized for long-term infiltration rather than short-term data theft.
As banks increasingly rely on behavioral biometrics to detect fraud, Herodotus signals a disturbing shift: cybercrime is learning to behave like a human.
The malware’s success underscores an arms race between machine intelligence and digital defense — a race where, for now, the lines between imitation and identity continue to blur.