New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human

Severity: Medium
Tags: Malware, android
Published: Tue Oct 28 2025 (10/28/2025, 16:33:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover (DTO) attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with

AI-Powered Analysis

Last updated: 10/29/2025, 00:41:58 UTC

Technical Analysis

Herodotus is an Android banking Trojan built to conduct device takeover (DTO) attacks by abusing the Android accessibility service framework; it runs on devices from Android 9 through Android 16. It is distributed mainly through dropper apps that pose as legitimate software, notably a fake Google Chrome with the package name "com.cd3.app", delivered to victims by SMS phishing and social engineering that talks them into installing the app and granting it accessibility access.

Once that access is granted, Herodotus uses accessibility events and actions to read and operate the screen: it draws opaque overlays to hide what the operator is doing, places fake login screens on top of legitimate financial apps to harvest credentials, intercepts SMS messages carrying two-factor authentication (2FA) codes, captures screen content, records the lock-screen PIN or pattern, and can install further APKs pushed from the command-and-control server.

Its distinguishing feature is a "humanized" text-entry mode. When the operator types into a field on the victim's device, the malware enters the text character by character with a random delay of 300 to 3,000 milliseconds between characters, so the input does not show the near-instant, uniform cadence that behaviour-biometric anti-fraud systems use to recognise machine input. For defenders the caveat is that this defeats checks that look only for machine-like speed; it does not reproduce the rhythm of a real user's typing, and the input still originates from an accessibility service rather than the on-screen keyboard, both of which remain usable signals.

Herodotus shares obfuscation techniques and code references with the Brokewell banking Trojan but is not a direct evolution of it; it appears to reuse effective Brokewell components while adding features aimed at staying inside the victim's live session rather than merely stealing static credentials. It has been offered as malware-as-a-service (MaaS) on underground forums since September 2025, which widens its distribution.

The campaigns observed so far target Italy and Brazil, but the operators have already expanded their overlay targets to financial institutions and cryptocurrency platforms in the U.S., Turkey, the U.K., and Poland, indicating an intent to broaden their operational scope. The combination of accessibility abuse, overlay attacks, SMS interception, and human-like input pacing makes Herodotus a serious threat to Android users of banking and cryptocurrency apps.
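Because the malware can only operate a device after the user enables its accessibility service, the first triage question for a suspect handset is which accessibility services are enabled. The following added example (not code from the ThreatFabric report or The Hacker News article) parses the value Android stores in the `enabled_accessibility_services` secure setting, as printed by `adb shell settings get secure enabled_accessibility_services`, and flags any service not on an allowlist. The sample setting value is constructed: the `com.cd3.app` package name comes from the report, while the `.AccService` class name and the allowlist contents are placeholders.

```python
"""Triage Android's enabled_accessibility_services setting for unknown services.

Added example, not code from the report this page summarises. Input is the raw
value printed by:  adb shell settings get secure enabled_accessibility_services
"""
from typing import Dict, List

# Constructed sample: a legitimate screen reader plus a service registered by the
# dropper package named in the report. The class name ".AccService" is a placeholder.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.cd3.app/.AccService"
)

# Services the organisation has reviewed and accepts (flattened ComponentName form).
KNOWN_GOOD = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def unflatten(component: str) -> str:
    """Normalise a flattened ComponentName.

    Android accepts the shorthand "pkg/.Cls" for "pkg/pkg.Cls"; expanding it
    means an allowlist entry matches regardless of which spelling was stored.
    """
    pkg, sep, cls = component.partition("/")
    if not sep or not pkg or not cls:
        raise ValueError(f"not a flattened ComponentName: {component!r}")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"


def parse_enabled_services(raw: str) -> List[str]:
    """Split the colon-separated setting; 'null' means the setting is unset."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    # Empty segments can appear after manual edits; skip them rather than fail.
    return [unflatten(c) for c in raw.split(":") if c]


def triage(raw: str, known_good=frozenset(KNOWN_GOOD)) -> Dict[str, List[str]]:
    """Return every enabled service and the subset not on the allowlist."""
    enabled = parse_enabled_services(raw)
    unknown = [c for c in enabled if c not in known_good]
    return {"enabled": enabled, "unknown": unknown}


if __name__ == "__main__":
    result = triage(SAMPLE_SETTING)
    for component in result["unknown"]:
        print("UNKNOWN accessibility service enabled:", component)
```

An unknown service is a lead, not a verdict: follow it up with `adb shell dumpsys package <pkg>` to see the installer and install time, and treat a recently side-loaded package that holds accessibility access and impersonates a well-known app name as a device-takeover candidate.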

Potential Impact

For European organizations, Herodotus poses a significant threat to financial institutions, cryptocurrency exchanges, and their customers. Because it mimics human input pacing, it is more likely than earlier Android bankers to complete a device takeover and a fraudulent transaction without tripping behaviour-biometric anti-fraud controls. A successful takeover gives the operator the victim's credentials, the SMS-delivered 2FA codes that are meant to protect them, and an authenticated session on the victim's own device, so fraud is carried out from a trusted device and network. Its focus on persisting inside live sessions means access can be maintained over time, raising the risk of extensive data theft and repeated fraud. Affected institutions face reputational damage, possible regulatory penalties under GDPR for failing to protect customer data, and the operational cost of fraud remediation. The observed targeting of Italy, the U.K., and Poland places organizations in those countries at elevated risk, and the SMS-phishing delivery model makes customers with limited security awareness the most exposed. The inclusion of cryptocurrency wallets and exchanges among the targets also raises concerns for European fintech firms and digital-asset holders. Overall, the Trojan's evasion and persistence capabilities could lead to substantial financial losses and erode trust in digital banking services across Europe.

Mitigation Recommendations

European organizations should implement multi-layered defences tailored to Herodotus's tactics. On managed devices, enhance mobile device management (MDM) policies to restrict or monitor accessibility services, since the malware cannot operate without one being granted to it. Deploy mobile threat defence (MTD) solutions capable of detecting overlay attacks, suspicious accessibility usage, and anomalous input patterns. Keeping devices on current Android releases also helps: Android 13 and later apply Restricted Settings, which blocks a side-loaded app from being granted accessibility access unless the user deliberately allows it in the app's settings, adding friction to the social-engineering flow.

Educate users on the risks of SMS phishing and social engineering, emphasising caution with unsolicited links, APKs installed from outside the app store, and prompts to grant accessibility access. Conduct targeted phishing simulations and awareness campaigns in the most-targeted countries to reduce infection rates.

Financial institutions should not rely on input speed alone as a bot indicator. Behavioural analytics should treat the shape of the typing-interval distribution, rather than its speed, as the timing feature, and should weigh it together with signals beyond timing, such as whether a third-party accessibility service is active on the device, whether the app's window is obscured by an overlay, and whether the session's behaviour matches the customer's history. Encourage customers to use hardware-based or app-based 2FA rather than SMS codes, which Herodotus intercepts; note, however, that an authenticator app on the same compromised device can also be read through screen capture, so out-of-band confirmation or transaction signing on a separate device is the stronger control.

Monitor underground forums and threat-intelligence feeds for early indicators of Herodotus campaigns, including the MaaS offering itself. Incident response teams should be ready to detect and remediate device-takeover scenarios quickly, including revoking compromised credentials, terminating active sessions, and re-enrolling affected devices rather than trusting them after a password reset.
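The Technical Analysis above describes the 300 to 3,000 ms random delay Herodotus inserts between characters, and the mitigation paragraph asks for analytics that look past raw timing. The following added example (not code from the report, the article, or any fraud vendor) shows both points on constructed keystroke telemetry: a legacy "too fast to be human" rule that the humanized delays pass without trouble, beside a score that combines the shape of the timing distribution with an assumed client-side signal that a third-party accessibility service is enabled. The interval samples, the weights, and the `accessibility_active` field are all assumptions made for illustration.

```python
"""Score keystroke telemetry for scripted input that paces itself like a human.

Added example (not from the report): a legacy speed rule that Herodotus-style
300-3000 ms delays slip past, beside a score that combines the shape of the
timing distribution with a non-timing signal.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Sequence

HUMANIZED_MIN_MS = 300   # delay range the report attributes to Herodotus
HUMANIZED_MAX_MS = 3000

# Constructed inter-keystroke intervals (ms) for a 13-character field.
# A user typing a password they know: short gaps with a couple of pauses.
HUMAN_SAMPLE = (180, 210, 150, 620, 190, 240, 170, 900, 200, 160, 230, 190)
# Scripted entry with a random delay drawn from [300, 3000] between characters.
HUMANIZED_BOT_SAMPLE = (412, 2731, 1588, 933, 2204, 701, 2950, 1276, 355, 1842, 2477, 1105)


@dataclass(frozen=True)
class Telemetry:
    intervals_ms: Sequence[int]
    # Assumed client-side signal: the app reported that a third-party
    # accessibility service is enabled (e.g. queried via AccessibilityManager).
    accessibility_active: bool


def naive_speed_check(intervals_ms: Sequence[int], floor_ms: int = 80) -> bool:
    """Legacy rule: flags only input faster than a human could produce."""
    return any(i < floor_ms for i in intervals_ms)


def timing_features(intervals_ms: Sequence[int]) -> Dict[str, float]:
    """Distribution-shape features instead of a single speed threshold."""
    n = len(intervals_ms)
    return {
        "median_ms": median(intervals_ms),
        # Humans produce many sub-300 ms gaps; a [300, 3000] humaniser never does.
        "fast_fraction": sum(i < HUMANIZED_MIN_MS for i in intervals_ms) / n,
        # Fraction of gaps that fall inside the humaniser's band.
        "band_fraction": sum(HUMANIZED_MIN_MS <= i <= HUMANIZED_MAX_MS for i in intervals_ms) / n,
    }


def risk_points(t: Telemetry) -> int:
    """0-100 points; the weights are illustrative and must be tuned on real traffic."""
    points = 0
    if len(t.intervals_ms) >= 6:  # too few gaps to say anything about shape
        f = timing_features(t.intervals_ms)
        # Every gap slower than 300 ms with a slow median: consistent with pacing.
        if f["fast_fraction"] == 0.0 and f["median_ms"] > 1000:
            points += 40
        if f["band_fraction"] == 1.0:
            points += 20
    # Non-timing signal carries its own weight, so slow typists alone do not trip.
    if t.accessibility_active:
        points += 40
    return points


def verdict(t: Telemetry, threshold: int = 60) -> str:
    """Route to step-up authentication when the combined score crosses the threshold."""
    return "step_up" if risk_points(t) >= threshold else "allow"


if __name__ == "__main__":
    for name, sample in (("human", HUMAN_SAMPLE), ("humanized bot", HUMANIZED_BOT_SAMPLE)):
        print(name, "naive rule flags:", naive_speed_check(sample), timing_features(sample))
    print("bot, no accessibility telemetry:", verdict(Telemetry(HUMANIZED_BOT_SAMPLE, False)))
    print("screen-reader user:", verdict(Telemetry(HUMAN_SAMPLE, True)))
```

The point of the weights is that no single feature decides: a legitimate screen-reader user has an accessibility service active but types with a human rhythm and stays below the threshold, while humanized bot timing alone is enough to trigger a step-up even when the accessibility signal is missing. In production the timing baseline should be the individual customer's own history rather than the fixed constants used here.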


Technical Details

Article Source
URL: https://thehackernews.com/2025/10/new-android-trojan-herodotus-outsmarts.html
Fetched: 2025-10-29T00:40:49.811Z
Word count: 1055

Threat ID: 6901629430d110a1a6e799c3

Added to database: 10/29/2025, 12:40:52 AM

Last enriched: 10/29/2025, 12:41:58 AM

Last updated: 10/30/2025, 2:53:08 PM

