New Android Malware Mimics Human Behavior to Evade Detection
Oct. 28, 2025, 7:57 p.m.
Description
A new Android malware called Herodotus has been discovered, designed to perform device takeover while mimicking human behavior to bypass biometric detection. Active campaigns have been observed in Italy and Brazil. Herodotus is being offered as Malware-as-a-Service and shows links to the previously known Brokewell malware. It uses side-loading for distribution and employs various techniques to steal credentials and perform remote device control. A unique feature is its attempt to humanize remote actions by randomizing delays between text inputs. The malware targets financial organizations and crypto wallets, with potential for global expansion. Its development highlights the growing threat of Device-Takeover banking Trojans and the need for advanced, layered security approaches.
Tags
Date
- Created: Oct. 28, 2025, 6:24 p.m.
- Published: Oct. 28, 2025, 6:24 p.m.
- Modified: Oct. 28, 2025, 7:57 p.m.
Indicators
- 53ee40353e17d069b7b7783529edda968ad9ae25a0777f6a644b99551b412083
Additional Information
- Finance
- gj23j4jg.google-firebase.digital
- google-firebase.digital
- Poland
- Italy
- United Kingdom of Great Britain and Northern Ireland
- Brazil
- United States of America