A new Android malware strain, Herodotus, steals credentials, logs keystrokes, streams victims’ screens, and hijacks input – but with a twist: it mimics human typing by adding random delays between keystrokes to evade behavioral fraud detection systems.
The trojan, named after the ancient Greek Father of History – or Father of Lies – combines code borrowed from the Brokewell banking malware with original components, and has been used in device takeover attacks in Italy and Brazil, according to Dutch firm ThreatFabric’s mobile threat intelligence team.
While the researchers haven’t seen Herodotus used in any other active campaigns, the threat hunters did obtain overlay pages that mimic legitimate banking and cryptocurrency apps used in the US, UK, Turkey, and Poland. These fake screens are drawn over the real login screen when a user opens a targeted banking app, letting the criminals capture victims’ credentials and financial details.
Plus, the developer behind Herodotus, who goes by “K1R0” on underground crime forums, is selling the trojan as a service as of September 7.
“Considering that the malware is still in active development state, we can expect Herodotus further evolving and used widely in global campaigns,” the mobile threat intel analysts said in a Tuesday report.
The malware reaches devices via side-loading, likely through an SMS phish whose link leads to the dropper, the security researchers wrote. The dropper, they note, is also written by K1R0 and has so far only been seen distributing Herodotus.
Once the dropper has installed Herodotus, the trojan urges the victim to open Android’s accessibility service settings page and enable it there. With that accessibility permission granted, the attacker can read the contents of the victim’s screen and click and swipe on it.
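A quick triage check for the accessibility-service abuse described above, as an added example (not code from ThreatFabric or from the article). Android stores the enabled services in the `enabled_accessibility_services` secure setting, which `adb shell settings get secure enabled_accessibility_services` prints as a colon-separated list of `package/class` component names (or `null` when nothing is enabled). The code parses that value and flags any service whose package is not on an allowlist; the allowlist and the sample setting value are constructed for illustration, and the side-loaded package name in it is hypothetical.

```python
"""Flag unexpected Android accessibility services from the
`enabled_accessibility_services` secure setting (added example, constructed data)."""

# Constructed allowlist: packages expected to hold accessibility access on a
# managed device. Hypothetical; tailor it to your own fleet.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

# Constructed sample of what `settings get secure enabled_accessibility_services`
# might return. The last entry is a made-up side-loaded package standing in for
# a dropper-installed trojan that talked the user into enabling it.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.AccessService"
)


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified class) pairs.

    Component names are written package/class; a class starting with '.'
    is relative to the package. `settings get` prints "null" when unset.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    pairs = []
    for entry in value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # not a component name; ignore rather than guess
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def suspicious_services(value: str, allowed=ALLOWED_PACKAGES) -> list[str]:
    """Return class names of enabled services whose package is not allowlisted."""
    return [cls for package, cls in parse_enabled_services(value)
            if package not in allowed]


if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SETTING):
        print("unexpected accessibility service enabled:", svc)
```

On a real device, feed the function the output of the adb command (or the same setting read through a device-management agent). An unexpected entry is a lead, not a verdict: confirm the package's install source and signer before acting on it.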
Once running on a victim’s device, Herodotus behaves like most other banking trojans: it collects a list of installed packages, sends it to the command-and-control server, and waits for a list of which ones to target with credential-stealing overlays. It also logs keystrokes, intercepts incoming messages to capture one-time passwords, and steals users’ security PINs and fingerprints.
The thing that sets it apart from other Android malware is its ability to mimic human behavior during remote-control sessions. “In order to make the input look like it is typed in by an actual user, the text specified by the operator is split into chars, and they are separately set with random delays from each other,” the researchers note.
These delays range from 300 to 3,000 milliseconds (0.3 to 3 seconds), which looks like a human typing cadence rather than machine speed. That helps the malware slip past behavioral detection tools that rely on keystroke timing alone rather than a broader profile of how the individual user normally behaves.
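To make the timing-only weakness concrete, here is an added example (not code from ThreatFabric’s report or from the malware) that scores three constructed inter-key interval series for a 12-character password: scripted input injected at machine speed, Herodotus-style input where each character is sent after a uniform random 300–3,000 ms pause as the report describes, and a session typed by the legitimate user. A rule that only looks for implausibly fast gaps catches the first series alone; comparing the session against the user’s own enrolled timing profile also catches the second. Every sample, the user profile and both thresholds are synthetic and assumed for illustration.

```python
"""Timing-only versus per-user keystroke checks (added example, synthetic data)."""
import math
import random
import statistics

MACHINE_MIN_GAP_MS = 50.0   # timing-only rule: a gap below this is "not human"
Z_THRESHOLD = 3.0           # profile rule: flag sessions this far from the user's norm


def herodotus_gaps(text: str, rng: random.Random, low=300, high=3000):
    """Gaps produced when text is sent one character at a time with a random
    delay between characters, the behaviour the report attributes to Herodotus."""
    return [rng.uniform(low, high) for _ in range(len(text) - 1)]


def timing_only_flag(gaps_ms) -> bool:
    """Naive detector: only flags implausibly fast inter-key gaps."""
    return any(g < MACHINE_MIN_GAP_MS for g in gaps_ms)


def baseline_flag(gaps_ms, baseline_gaps_ms, z_threshold=Z_THRESHOLD) -> bool:
    """Per-user detector: z-score of this session's mean gap against the user's
    enrolled gap distribution, with the standard error scaled by session length."""
    mean_b = statistics.fmean(baseline_gaps_ms)
    sd_b = statistics.pstdev(baseline_gaps_ms) or 1.0
    se = sd_b / math.sqrt(len(gaps_ms))
    z = (statistics.fmean(gaps_ms) - mean_b) / se
    return abs(z) > z_threshold


# Constructed user profile: 200 enrolled gaps around 180 ms +/- 50 ms.
_rng = random.Random(7)
USER_BASELINE_MS = [max(60.0, _rng.gauss(180, 50)) for _ in range(200)]

PASSWORD = "correcthorse"  # 12 characters -> 11 inter-key gaps

# Constructed sessions to score.
SESSIONS = {
    "scripted": [5.0] * 11,                                   # injected at machine speed
    "herodotus": herodotus_gaps(PASSWORD, random.Random(11)),  # 300-3000 ms random pauses
    "human": [170, 210, 150, 190, 240, 160, 200, 180, 220, 140, 190],
}


def score_sessions(sessions=SESSIONS, baseline=USER_BASELINE_MS):
    """Return {session name: (timing_only_flag, baseline_flag)}."""
    return {name: (timing_only_flag(g), baseline_flag(g, baseline))
            for name, g in sessions.items()}


if __name__ == "__main__":
    for name, (naive, profiled) in score_sessions().items():
        print(f"{name:10s} timing-only={naive!s:5s} user-profile={profiled}")
```

The point is not the specific threshold but the source of the signal: a uniform 0.3 to 3 second pause between characters clears a "too fast to be human" gate, yet someone who types their own password at roughly 180 ms per key does not suddenly average well over a second. A production profile would look at more than mean gap (per-digraph timings, key hold times, touch size and pressure, device orientation), which makes the randomised delay even easier to separate from the enrolled user.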
At the time of publication, all observed Herodotus samples share a single command-and-control domain, google-firebase[.]digital, under seven different subdomains. The researchers say some of those belong to the developer and were used for testing the malware, while others were likely used by other criminals to target different regions.
In Italy, Herodotus used the application name “Banca Sicura” and connected to the subdomain “af45kfx.” In Brazil, it targeted users with an application named “Modulo Seguranca Stone,” and connected to the “g24j5jgkid” subdomain. ®
