Hackers Target Android User’s Bank Accounts As New Malware Emulates Human Habits To Evade Detection: ThreatFabric

Cybersecurity researchers say a new piece of malware infecting Android devices mimics human tendencies to steal banking credentials and initiate account takeovers.

ThreatFabric analysts say the Herodotus trojan is designed to mirror human behavior and bypass behavioral biometric detection using code from a previously identified malware family.

The malicious software emulates human habits by purposefully delaying and splitting text input into individual characters to evade bot and automation detection tools and behavioral biometrics.

“Delay specified is in the range of 300 – 3000 milliseconds (0.3 – 3 seconds). Such a randomisation of delay between text input events does align with how a user would input text. By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behavior-only anti-fraud solutions spotting the machine-like speed of text input…

It is under active development, borrows techniques long associated with the Brokewell banking Trojan, and appears purpose-built to persist inside live sessions rather than simply steal static credentials and focus on account takeover.”

Researchers say they are still investigating how the malware is distributed, believing it may involving SMiShing campaigns, which target individuals by sending text messages that contain a malicious link.

Herodotus also manipulates device functionality by exploiting Android’s Accessibility Services while overlaying screens with fake pages to steal banking credentials.

ThreatFabric analysts say they spotted Herodotus in active campaigns in Brazil and Italy involving apps named Banca Sicura and Modulo Seguranca Stone. While there are no active campaigns outside the two countries, researchers note that overlay pages used by Herodotus were seen targeting crypto wallets and exchanges as well as financial firms in the US, Turkey, the UK and Poland.

“Considering that the malware is still in an active development state, we can expect Herodotus further evolving and used widely in global campaigns.”