Herodotus Malware Targeting Android Users Behaves Like A Human To Avoid Detection
by Aaron Leong, Tuesday, October 28, 2025, 10:05 AM EDT
Cybersecurity experts are sounding the alarm over a new Android Trojan dubbed Herodotus, which is designed to deliberately slow down its own malicious activity to mimic the casual, imperfect behavior of a human user. That behavior lets the malware slip past a generation of security systems built to flag the rapid, robotic actions of traditional bots.
[Image: Herodotus malware forum thread]
Detected by security firm Threat Fabric, Herodotus is a banking Trojan being advertised and sold on underground cybercrime forums. Like the Brokewell malware uncovered last year, Herodotus' ultimate goal is financial fraud, which it pursues by abusing Android accessibility services to draw fake login overlays and steal credentials, and by intercepting one-time passcodes (OTPs) with an SMS stealer. Its real innovation, however, lies in the subtle art of deception: the timing of its inputs.
When a traditional Trojan gains access to a device and tries to enter a victim's stolen banking credentials, it usually bypasses the on-screen keyboard by pasting the text through the clipboard or accessibility services. That input arrives all at once, which is a tell-tale sign of a machine operating at inhuman speed. Behavioral detection systems, particularly those at financial institutions, are specifically designed to look for this unnaturally fast input and flag the transaction as suspicious.
[Image: code adding a random text input delay]
Herodotus gets around this with a brilliant, if unsettling, measure: it introduces a randomized delay. Whenever the malware enters credentials, it inserts an unpredictable pause of between 0.3 and 3 seconds per input, which is enough to fool many basic detection systems that expect either an impossible burst of speed or a consistent, non-human rhythm. The deliberate sluggishness is meant to suggest that a real user, perhaps an elderly person or simply someone who pauses while typing, is manually entering their login details.
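To make the detection gap concrete from the defender's side, here is an added example (not code from the article or from Threat Fabric) of the inter-keystroke timing checks that a naive behavioral system might run. It works on three constructed event streams: an instantaneous paste, a plausible human typist, and input spaced by random delays in the 0.3 to 3 second range the article describes. The thresholds (50 ms for a "burst", 250 ms as the fastest interval a real typist normally produces at least once) are illustrative assumptions, not published values, and the "no fast keys" signal is only a lead for further scoring because a genuinely slow user can trigger it too.

```python
"""Inter-keystroke timing checks of the kind simple behavioral detection relies on.

Added example for illustration; thresholds and sample data are constructed assumptions.
"""
from statistics import median


def events_from_intervals(start_ms, intervals_ms):
    """Build absolute key-event timestamps from a list of gaps between keys."""
    events = [start_ms]
    for gap in intervals_ms:
        events.append(events[-1] + gap)
    return events


# Constructed samples: timestamps (ms since the field gained focus) for an 11-character entry.
# 1) Clipboard/accessibility paste: characters land a couple of milliseconds apart.
PASTE_EVENTS = [1000 + 2 * i for i in range(11)]
# 2) Human typist: mostly 90-200 ms between keys with one longer pause to think.
HUMAN_EVENTS = events_from_intervals(1000, [140, 95, 210, 680, 120, 105, 90, 330, 150, 170])
# 3) Delayed automation: every gap drawn from a 300-3000 ms range, as the article describes.
SLOW_RANDOM_EVENTS = events_from_intervals(1000, [1870, 420, 2630, 910, 1440, 2980, 350, 2110, 1720, 660])


def inter_key_intervals(timestamps_ms):
    """Gaps between consecutive key events, in milliseconds."""
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def timing_flags(timestamps_ms, burst_ms=50, fast_key_ms=250):
    """Raise the two signals a speed-based detector can cheaply compute.

    instant_burst: median gap below burst_ms, the classic paste/bot tell.
    no_fast_keys: not a single gap below fast_key_ms; humans almost always produce
                  at least one quick pair of keys, uniformly delayed automation does not.
    """
    gaps = inter_key_intervals(timestamps_ms)
    if len(gaps) < 2:
        raise ValueError("need at least three key events to judge timing")
    med = median(gaps)
    return {
        "median_ms": med,
        "min_ms": min(gaps),
        "total_ms": timestamps_ms[-1] - timestamps_ms[0],
        "instant_burst": med < burst_ms,
        "no_fast_keys": min(gaps) > fast_key_ms,
    }


def verdict(timestamps_ms):
    """Coarse label: the burst check alone would pass the delayed stream as human."""
    flags = timing_flags(timestamps_ms)
    if flags["instant_burst"]:
        return "machine_burst"
    if flags["no_fast_keys"]:
        # Evades the speed check; consistent with randomized 300-3000 ms delays but also
        # with a slow human, so it is a signal to weigh with other biometrics, not a verdict.
        return "slow_no_fast_keys"
    return "human_like"


if __name__ == "__main__":
    for name, stream in (("paste", PASTE_EVENTS), ("human", HUMAN_EVENTS), ("delayed", SLOW_RANDOM_EVENTS)):
        print(name, verdict(stream), timing_flags(stream))
```

Running the block shows the point of the article: the paste stream trips the burst check, the human stream passes cleanly, and the randomly delayed stream passes the same speed check and is only caught by a weaker secondary signal that a slow human could also produce. Real behavioral biometrics layer many such signals (touch pressure, swipe geometry, device handling) rather than relying on one timing threshold.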
Herodotus is reportedly distributed by enticing victims to side-load apps, often instigated through smishing messages that contain a link to a "dropper" application. Once installed and granted the elevated permissions it requires by tricking the user, it can deploy its full suite of capabilities.
According to Threat Fabric, the Herodotus developers appear to have incorporated one compiled module from Brokewell, which implies that they are iterating on existing tools rather than holding the full original source code. Nonetheless, the emergence of Herodotus means that defenders need behavioral biometric models, i.e. the ability to distinguish between a genuine, slow-moving human and a machine programmed to be expertly imperfect, more than ever.