Herodotus is a newly discovered Android malware that is under active development and offered as malware-as-a-service (MaaS). This trojan uses deceptive techniques to fool both users and security tools, evading detection and maintaining persistence. Learn how Herodotus malware can infect your device and how to stay safe.
Herodotus is built from scratch, but incorporates functions of the notorious Brokewell malware on top of its own sophisticated tactics. It’s mainly distributed through SMiShing and malicious web pages that prompt you to sideload the app.
Once installed, it immediately urges you to enable the Accessibility Service and takes you directly to the settings. As soon as you enable the Accessibility Service, it shows a fake overlay reading “loading” or “verifying”. Behind the overlay, it performs all the malicious acts, with the main goal of emptying bank accounts.
First, it scans the system to learn about all the apps installed and features enabled, and sends the information to the C2 server. Afterward, it receives custom instructions to open apps, intercept 2FA SMS, fill fields, and perform actions using taps and swipes.
Interestingly, it also enters text into fields with random pauses of 0.3 to 3 seconds between inputs to mimic human typing. It does this to evade apps whose input fields use behavioral detection, as well as security apps that track input behavior. Since it’s available as malware-as-a-service, anyone can buy and use it. In fact, a total of 7 separate operators (“executors”) of this malware have already been recorded.
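The randomized 0.3–3 second pauses described above leave their own fingerprint: every gap falls inside that window, and the gaps are spread evenly across it. The following script, added here as an illustration and not taken from any vendor or from the report, applies that observation to a log of keystroke timestamps. The timestamps, the `looks_scripted` function and its thresholds are constructed for the example; the rule of thumb that genuine typing produces at least some gaps shorter than 0.3 s is an assumption, not a published figure.

```python
"""Heuristic check for input cadence that matches the uniform 0.3-3 s
pauses Herodotus uses when filling fields (added example, not vendor code).

Input: a list of keystroke timestamps in seconds (constructed below).
Output: (verdict, reason, stats) where verdict is True when the session
looks scripted rather than human.
"""
import math
import statistics
from itertools import accumulate

MIN_PAUSE, MAX_PAUSE = 0.3, 3.0          # window stated in the report
UNIFORM_MEAN = (MIN_PAUSE + MAX_PAUSE) / 2               # 1.65 s
UNIFORM_SD = (MAX_PAUSE - MIN_PAUSE) / math.sqrt(12)     # ~0.78 s


def intervals(timestamps):
    """Inter-keystroke gaps from a sorted list of event timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def looks_scripted(timestamps, min_events=8):
    """Three illustrative signals, all tuned to the 0.3-3 s window:
    1. no gap leaves the window (human typing usually has faster bursts),
    2. the mean gap sits near the window midpoint,
    3. the spread is close to that of a uniform draw over the window.
    Thresholds are illustrative assumptions, not a validated rule."""
    gaps = intervals(timestamps)
    stats = {"n": len(gaps)}
    if len(gaps) < min_events:
        return False, "too few events to judge", stats
    stats.update(min=min(gaps), max=max(gaps),
                 mean=statistics.fmean(gaps), sd=statistics.pstdev(gaps))
    if stats["min"] < MIN_PAUSE or stats["max"] > MAX_PAUSE:
        return False, "gaps fall outside the scripted window", stats
    if abs(stats["mean"] - UNIFORM_MEAN) > 0.45:
        return False, "mean gap not near window midpoint", stats
    if abs(stats["sd"] - UNIFORM_SD) > 0.3:
        return False, "spread does not match a uniform draw", stats
    return True, "cadence matches uniform 0.3-3 s pauses", stats


# Constructed sample sessions: cumulative timestamps built from gap lists.
SCRIPTED_GAPS = [0.4, 2.8, 1.1, 2.2, 0.7, 1.9, 2.6, 1.3, 0.9, 2.4]
HUMAN_GAPS = [0.18, 0.25, 0.31, 0.22, 0.9, 0.27, 0.2, 0.35, 0.19, 0.24]
SCRIPTED = [0.0] + list(accumulate(SCRIPTED_GAPS))
HUMAN = [0.0] + list(accumulate(HUMAN_GAPS))

if __name__ == "__main__":
    for name, session in (("scripted", SCRIPTED), ("human", HUMAN)):
        verdict, reason, stats = looks_scripted(session)
        print(f"{name}: scripted={verdict} ({reason}) {stats}")
```

A single session is weak evidence on its own; in practice this kind of cadence check is one signal among several (device state, accessibility grants, session origin) rather than a verdict by itself.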
Preventing this malware from getting onto your device should be your first priority. Being a banking trojan, its main entry method is to convince you to install it by posing as an important app. You should be extremely careful about links in SMS messages or browser prompts that ask you to download an app. It could pose as a security app or even as a prompt to update the browser.
No official source will ask you to sideload an app, and legitimate updates never require sideloading either. Always download apps from the Google Play Store or other reputable stores. This is especially important if the request is unsolicited and comes out of nowhere.
If you do end up installing such an app, the request to enable the dangerous Accessibility Service is a clear red flag to back down. This service allows the app to view screen contents and interact with them, letting hackers take complete control.
You should also ensure Play Protect is enabled in the Google Play Store, as it will automatically detect such malicious apps and disable them or prompt you to do so. In the Play Store, tap on Play Protect in the main menu and ensure it’s enabled.

Its elevated access and its ability to evade behavioral tracking make it hard for most security software to catch. If you think your Android phone is infected, you can look for common signs associated with Herodotus malware attacks. Below, we list the clear red flags:
- Unexpected Loading or Verifying Overlays: this is the most obvious behavior of most trojans. They show a fake overlay so they can do their work in the background without the user noticing. If you see an unexpected full-screen prompt asking you to wait, that is a strong sign. It is especially concerning when it happens as you open a sensitive app, such as a banking app.
- Unfamiliar Apps with Accessibility Permissions: only the most trustworthy apps should have accessibility permissions. Go to Settings → Accessibility → Downloaded Apps to ensure there are no unfamiliar apps listed.
- Unusual SMS Activity: Herodotus malware can also intercept 2FA SMS messages. If you start receiving 2FA SMS messages you did not request, or find multiple 2FA SMS messages in your inbox without your knowledge, your device might be infected.
- A Spike in Resource Usage: to control the phone, it runs many jobs that consume resources such as battery and network. If you notice your phone suddenly slowing down or the battery draining too fast, go to Settings → Battery and check whether an unknown app is using too much battery.

Once you have confirmed that your phone is infected, immediately put it in Airplane mode and follow these steps:
Uninstalling the malicious app is your priority to avoid further damage. However, this probably won’t be easy, because the app holds elevated permissions. If the usual uninstallation method doesn’t work, go to the Accessibility settings as described above and remove its access.
You should also go to Settings → Privacy Protection → Special Permissions. Here, make sure the app doesn’t have Device Admin or Display over other apps permissions. You can also go into Android Safe Mode and delete the app from there.
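The three grants mentioned above (Accessibility Service, Device Admin, and display over other apps) can also be audited from a computer over adb, which helps when the malicious overlay makes the on-device settings hard to reach. The script below is an added example, not code from the report or from Google; it parses the text printed by `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, and lists every package outside a user-maintained allowlist that holds one of those grants. The sample outputs, the `com.example.fakeupdate` package name and the allowlist are constructed for the example.

```python
"""Audit the Android grants a banking trojan like Herodotus relies on.
Added example; inputs are the text that these adb commands print
(samples below are constructed):

  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys device_policy
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
import re

# Hypothetical allowlist: packages the user knows and trusts with these
# grants (TalkBack is Google's screen reader). Anything else is reported.
TRUSTED = {"com.google.android.marvin.talkback"}

# dumpsys lists admins as component names, e.g. "com.foo/.AdminReceiver:"
COMPONENT_LINE = re.compile(r"^\s*([\w.]+)/[\w.$]+:?\s*$", re.M)


def parse_accessibility(setting_value: str) -> set[str]:
    """'pkg/Service:pkg2/Service2' -> {'pkg', 'pkg2'}; 'null' -> empty."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_device_admins(dumpsys_text: str) -> set[str]:
    """Package names listed under 'Enabled Device Admins' in dumpsys output."""
    admins, in_block = set(), False
    for line in dumpsys_text.splitlines():
        if "Enabled Device Admins" in line:
            in_block = True
            continue
        if in_block:
            m = COMPONENT_LINE.match(line)
            if m:
                admins.add(m.group(1))
    return admins


def overlay_allowed(appops_text: str) -> bool:
    """True when 'appops get' reports SYSTEM_ALERT_WINDOW as 'allow'."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_text)
    return bool(m) and m.group(1) == "allow"


def audit(accessibility_setting: str, dumpsys_text: str,
          appops_by_pkg: dict[str, str]) -> dict[str, list[str]]:
    """Map each untrusted package to the sensitive grants it holds."""
    findings: dict[str, list[str]] = {}

    def note(pkg, grant):
        if pkg not in TRUSTED:
            findings.setdefault(pkg, []).append(grant)

    for pkg in sorted(parse_accessibility(accessibility_setting)):
        note(pkg, "accessibility")
    for pkg in sorted(parse_device_admins(dumpsys_text)):
        note(pkg, "device_admin")
    for pkg, text in sorted(appops_by_pkg.items()):
        if overlay_allowed(text):
            note(pkg, "overlay")
    return findings


# Constructed sample output resembling a device with one rogue app.
ACCESS = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.fakeupdate/.AccService")
DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakeupdate/.AdminReceiver:
      uid=10234
"""
APPOPS = {
    "com.example.fakeupdate": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago",
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: default",
}

if __name__ == "__main__":
    for pkg, grants in audit(ACCESS, DUMPSYS, APPOPS).items():
        print(f"{pkg}: {', '.join(grants)}")
```

Run the three adb commands against the phone, feed their output to `audit`, and treat any package that appears in the result with all three grants as the first candidate for removal. The exact text layout of `dumpsys device_policy` varies between Android versions, so check the parser against your device's output before relying on it.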

From another clean device, reset the passwords of accounts used on the infected device, especially bank accounts. If supported, use an authenticator app for 2FA and also revoke all active sessions using the account security page of the services. If you find any suspicious fund transfers, notify your bank immediately.
Once the malicious app is deleted, you should run a security scan to make sure no backdoors or other malicious apps are left. First, open Play Protect in the Google Play Store as described above and run a scan. Afterward, download a reputable antivirus such as Avast Antivirus & Security and run a full system scan.
To guarantee the removal of Herodotus malware, you can also back up your data and factory reset your phone.
This and many other malware threats can be avoided by downloading apps only from the Google Play Store and never sideloading. However, even apps on the Play Store can be malicious, so you should enable all Android security features for the best protection.
