Herodotus
Herodotus is an Android banking trojan and device-takeover (DTO) malware family observed in active campaigns targeting Italy and Brazil, with overlay templates indicating broader targeting of financial institutions in the United States, United Kingdom, Turkey, and Poland, as well as cryptocurrency wallets and exchanges. It is distributed primarily through SMS phishing/smishing and side-loaded dropper apps masquerading as legitimate applications such as Google Chrome, including lures such as “Banca Sicura” and “Modulo Seguranca Stone.” The malware abuses Android Accessibility Services to gain extensive control of infected devices, perform remote actions such as taps, swipes, text entry, app launches, and global navigation actions, and to support credential theft and fraudulent transaction approval in real time. Herodotus uses fake login overlays on banking and crypto apps, can steal SMS messages and one-time passcodes/2FA codes, capture screen content, obtain device PINs or unlock patterns, grant itself additional permissions, and install additional APKs. A distinguishing feature is its attempt to mimic human behavior by introducing randomized delays, typically 300 to 3000 milliseconds, during typing and other remote input actions to evade timing-based detection, behavioral biometrics, and anti-fraud systems. ThreatFabric reported that Herodotus is offered as malware-as-a-service (MaaS), remains under active development, and is advertised by an actor identified as K1R0. The malware is assessed as closely related to Brokewell, reusing some components and techniques and containing references such as "BRKWL_JAVA," though it is not described as a direct evolution. It has also been described as combining features associated with Brokewell and Hook. Reported infrastructure includes command-and-control communications over MQTT and subdomains under google-firebase[.]digital, including af45kfx.google-firebase[.]digital, g24j5jgkid.google-firebase[.]digital, and gj23j4jg.google-firebase[.]digital. Reported indicators include package name com.cd3.app and sample SHA-256 53ee40353e17d069b7b7783529edda968ad9ae25a0777f6a644b99551b412083.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android banking trojan capable of mimicking human behavior to evade detection during remote device control.
Herodotus is an advanced Android banking trojan capable of mimicking human typing behaviors to evade detection and steal credentials.
Android banking trojan that evades detection by mimicking human behavior during remote-control operations on infected devices.
Android banking trojan strain reported to mimic human behavior to evade detection while enabling remote operation of an infected device.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.