New Android Trojan 'Herodotus' Uses Human-Like Behavior to Trick Security Systems and Perform Financial Fraud

A cybersecurity firm has uncovered Herodotus, an advanced Android Trojan that mimics human behavior using AI-driven attacks. This malware bypasses behavioral biometrics, targets banking and crypto apps, and spreads globally through phishing and smishing campaigns for large-scale financial fraud.

A new cybersecurity threat has been identified: 'Herodotus', Android malware detected by the security firm ThreatFabric. The distinctive feature of this malware is its ability to imitate human behaviour during an attack. Herodotus types and clicks with random pauses, similar to a real person, rather than sending commands instantaneously like a machine. This technique enables it to conceal itself from current anti-fraud systems that detect robotic activity.

How Cyber Threats Are Starting to Act Like Humans

ThreatFabric researchers found that Herodotus delays each keystroke by 300 to 3,000 milliseconds, thereby accurately replicating the speed of human typing. This subtle delay helps the malware evade detection by behavioural biometrics, which banks and fintech applications use to identify suspicious activity. According to experts, this approach is a means to "humanize fraud," as it presents online fraud as entirely ordinary.
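An added example (not from ThreatFabric or the original article) showing why a speed-only bot check passes input padded with 300 to 3,000 ms delays, and one timing feature a defender could test instead. It assumes the delays are spread evenly over that range and that genuine typing includes some gaps under 300 ms; the function names, thresholds and sample data are constructed for illustration.

```python
from statistics import median

LOW_MS, HIGH_MS = 300, 3000  # per-keystroke delay range reported on this page

def naive_bot_rule(intervals_ms, floor_ms=30):
    """Legacy check: input arriving faster than a person can type."""
    return median(intervals_ms) < floor_ms

def ks_uniform(intervals_ms, low=LOW_MS, high=HIGH_MS):
    """Kolmogorov-Smirnov distance between the sample and Uniform(low, high)."""
    xs = sorted(intervals_ms)
    n = len(xs)
    dist = 0.0
    for i, x in enumerate(xs):
        cdf = min(max((x - low) / (high - low), 0.0), 1.0)
        dist = max(dist, abs(cdf - i / n), abs((i + 1) / n - cdf))
    return dist

def padded_delay_rule(intervals_ms, max_ks=0.2, min_events=20):
    """Flag sessions with no fast keystrokes at all whose gaps fill the
    300-3000 ms window evenly (assumed shape of randomized padding)."""
    if len(intervals_ms) < min_events:
        return False  # too little data to judge
    no_fast_keys = all(x >= LOW_MS for x in intervals_ms)
    return no_fast_keys and ks_uniform(intervals_ms) <= max_ks

# Constructed inter-keystroke gaps in milliseconds (not captured data).
SCRIPTED = [2] * 25
PADDED = [LOW_MS + (HIGH_MS - LOW_MS) * i / 39 for i in range(40)]
HUMAN = [110, 95, 140, 180, 220, 130, 160, 90, 450, 120,
         105, 170, 240, 135, 980, 115, 150, 125, 200, 100]

def classify(intervals_ms):
    """Apply the speed rule first, then the padded-delay rule."""
    if naive_bot_rule(intervals_ms):
        return "scripted-fast"
    if padded_delay_rule(intervals_ms):
        return "padded-delay"
    return "no-flag"

if __name__ == "__main__":
    for name, sample in (("scripted", SCRIPTED), ("padded", PADDED), ("human", HUMAN)):
        print(name, classify(sample), round(ks_uniform(sample), 3))
```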

Herodotus also incorporates features from other malware such as Brokewell, including data-hiding and persistence tools that enable it to operate in the background. Analysts contend that Herodotus is a component of the expanding malware-as-a-service (MaaS) market, in which cybercriminals rent complex hacking tools to others.

How Herodotus Attacks Users

This Trojan spreads through phishing and smishing campaigns: fake links or text messages that trick users into downloading infected apps, often disguised as trusted ones like Google Chrome. Once installed, Herodotus abuses Android's accessibility services to take full control of the device. It can show fake login screens, intercept two-factor authentication (2FA) codes, record keystrokes, and even capture your screen or unlock pattern. Its main target is financial fraud, especially inside banking and cryptocurrency apps. Instead of stealing passwords, it hijacks live sessions, letting hackers act as real users in real time.

Global Expansion and Growing Risk

Although the Trojan was initially observed in Italy and Brazil, researchers have now detected indications of activity in the United States, the United Kingdom, Turkey, and Poland. This demonstrates that Herodotus is still in the process of active development and is expanding globally. Its sophisticated design implies that it is intended for long-term infiltration and large-scale fraud, rather than for rapid attacks.

Herodotus represents a dangerous shift in cybersecurity threats: malware that doesn't just copy humans but behaves like one. As banks increasingly depend on behavioral biometrics, attackers are learning to trick these systems with more realistic, human-like patterns. Herodotus shows how cyber threats are evolving to act more like humans. It uses artificial intelligence to imitate real user behavior and bypass security systems. This marks a new phase where AI-driven malware challenges even the most advanced cybersecurity defenses.

This article is based on information from The 420