Cybersecurity researchers at ThreatFabric have discovered a new Android banking Trojan dubbed Herodotus, a malware strain that combines features of known families like Brokewell and Hook while introducing a novel twist — the ability to mimic human typing behavior to evade behavioral biometric detection systems.
ThreatFabric’s investigation revealed that Herodotus is not a direct evolution of Brokewell, but rather a hybrid threat “stitched together with original parts.” The researchers describe it as “a modern Device-Takeover banking Trojan, designed to perform credential theft and remote control attacks while making first attempts to mimic human behavior and bypass behavior biometrics detection.”
Herodotus has already been observed in active campaigns targeting Italy and Brazil, distributed through side-loading and SMiShing (SMS phishing) techniques that lead users to install a malicious dropper. Once executed, the dropper installs the Trojan payload while disguising the process with a “block overlay” that “mimics a loading screen to hide the suspicious activity of granting all the necessary permissions.”
This overlay prevents victims from noticing that the malware is enabling Accessibility Services—a powerful Android permission abused by most modern banking Trojans for full device control.
What makes Herodotus stand out is its attempt to “humanize” its automation. ThreatFabric’s researchers discovered that unlike most banking Trojans, Herodotus introduces randomized typing delays during remote-control sessions to simulate real user interaction.
As described in the report, “Herodotus, unlike many other banking Trojans, is one of the first to attempt to humanise remote actions. In order to make the input look like it is typed in by an actual user, the text specified by the operator is split into chars, and they are separately set with random delays from each other.”
The malware randomizes keystroke timing between 300–3000 milliseconds, mirroring natural human typing cadence. This technique makes it harder for anti-fraud systems relying on behavioral biometrics or session heuristics to detect automation.
ThreatFabric cautions that “behavioural detection systems which have a rudimentary capability to measure input timings may produce erroneous, lower risk assessments, leading to the intended bypass.”
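As an added illustration (not code from ThreatFabric or the Herodotus report), the Python below shows how an anti-fraud check can look at inter-keystroke intervals rather than just whether input arrives "too fast": it compares two constructed keystroke timelines, one with a human-like cadence and one with characters spaced by the 300–3000 ms delays described above. The feature names, thresholds and sample timings are assumptions for illustration.

```python
"""Inter-keystroke timing heuristics for spotting per-character scripted
input padded with randomized delays. Added example; thresholds and
samples are illustrative assumptions, not values from the report."""
from itertools import accumulate
import statistics


def timestamps_from_gaps(gaps_ms):
    """Turn a list of inter-keystroke gaps into absolute keystroke times."""
    return list(accumulate(gaps_ms, initial=0))


def interval_features(timestamps_ms):
    """Summarize inter-keystroke intervals (ms) of one input field."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three keystrokes")
    mean = statistics.mean(gaps)
    return {
        "median_ms": statistics.median(gaps),
        "min_ms": min(gaps),
        "cv": statistics.pstdev(gaps) / mean,          # spread relative to mean
        "frac_over_300ms": sum(g >= 300 for g in gaps) / len(gaps),
    }


def looks_scripted(timestamps_ms, min_floor_ms=250, slow_median_ms=800):
    """Heuristic (assumed thresholds): a person typing an account number or
    password produces many sub-250 ms gaps and a median well under 300 ms.
    Input set one character at a time with a uniform 300-3000 ms delay has
    no gap below the floor and a median around 1.6 s, so the floor and the
    median together separate the two even though both are "slow enough"."""
    f = interval_features(timestamps_ms)
    return f["min_ms"] >= min_floor_ms and f["median_ms"] >= slow_median_ms


# Constructed samples (not captured data), 15 gaps each, in milliseconds.
HUMAN_GAPS_MS = [120, 95, 180, 140, 110, 620, 130, 88, 160, 210, 105, 95, 540, 150, 125]
SCRIPT_GAPS_MS = [1840, 410, 2730, 960, 1275, 2210, 655, 1990, 330, 2875, 1120, 1605, 2440, 780, 2095]

if __name__ == "__main__":
    for name, gaps in (("human-like", HUMAN_GAPS_MS), ("delayed script", SCRIPT_GAPS_MS)):
        ts = timestamps_from_gaps(gaps)
        print(name, interval_features(ts), "scripted:", looks_scripted(ts))
```

Timing alone is a weak signal on its own; in practice a risk engine would combine it with accessibility-service usage, overlay detection and device-state signals rather than rely on the keystroke cadence.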
Herodotus offers its operators an extensive remote-control toolkit, allowing them to click elements on-screen, perform swipes, input text, and execute global actions such as “Back” or “Home.” These features enable criminals to simulate legitimate app usage, manually approve fraudulent transactions, and transfer money in real time.
To conceal these operations, the Trojan can display opaque overlays that block the user’s view while the attacker interacts with the device underneath. ThreatFabric notes, “Herodotus can display an overlay on top of the device UI. It will be opaque for victim, while being semi-transparent for the operator.”
The overlay text mimics legitimate banking dialogs, for example:
“PLEASE WAIT. The online bank is verifying the information you requested. Please wait a few moments… Verifying your credentials…”
These deceptive screens keep victims from noticing fraudulent transactions in progress.
Even though Herodotus remains in active development, its author — identified as “K1R0” — has already begun advertising the malware on underground forums as a Malware-as-a-Service offering. This means affiliates can rent access to the Trojan, widening its potential impact across regions.
ThreatFabric warns that the Herodotus ecosystem could expand rapidly, given the developer’s ongoing updates and connections to the Brokewell source code. The report found direct mentions of Brokewell inside Herodotus’ code, including the unique string ‘BRKWL_JAVA,’ confirming partial code reuse.
However, the integration is incomplete — the Brokewell module’s communication protocols differ, suggesting Herodotus’s author may be re-engineering parts of Brokewell’s framework for compatibility.
So far, ThreatFabric has tracked seven active Herodotus C2 subdomains, all under the domain google-firebase[.]digital, likely used by different operators.
- In Italy, the Trojan disguised itself as “Banca Sicura” (“Safe Bank”), connecting to the subdomain af45kfx.
- In Brazil, it appeared as “Modulo Seguranca Stone” — a fake security module mimicking the Stone payment platform — connecting to g24j5jgkid.
While current campaigns focus on Southern Europe and South America, ThreatFabric also obtained overlay templates targeting financial institutions in the United States, Turkey, the UK, Poland, and even cryptocurrency exchanges, suggesting a global expansion plan.
ThreatFabric concludes that Herodotus exemplifies the next generation of Device-Takeover Trojans, where fraud automation becomes indistinguishable from legitimate user activity.