Herodotus Android malware uses human-like typing delays to evade detection

A new Android malware family called Herodotus inserts randomized delays into its input routines to mimic human behaviour and evade timing-based detection, ThreatFabric said. The malware is sold as a malware-as-a-service platform to financially motivated criminals and is believed to be operated by the same actors behind the Brokewell family. Customers are reportedly deploying it against users in Italy and Brazil via SMS phishing (smishing) messages.

Infection begins with a malicious SMS that links to a custom dropper designed to get around the restricted-settings protection that Android 13 and later apply to sideloaded apps, which otherwise blocks them from being granted Accessibility access directly. The dropper opens the Accessibility settings, prompts the user to enable its service, and covers the screen with a fake loading overlay while the permission-granting steps proceed underneath, so the payload ends up with the elevated interaction rights that an Accessibility service confers.

With Accessibility access, Herodotus can drive the Android user interface: tap specific screen coordinates, swipe, navigate back, and enter text either by pasting from the clipboard or by simulating keystrokes. To make this automated input less conspicuous to anti-fraud systems that rely only on behavioural signals, the malware includes a 'humanizer' that inserts a random delay of 0.3 to 3 seconds between consecutive input events, so the cadence falls within the range of ordinary human typing rather than the fixed, machine-speed gaps that naive automation produces.
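As an added illustration of why that cadence matters (this is not code from the article or from ThreatFabric's analysis), the script below generates two synthetic input streams, one with fixed machine-speed gaps and one with the 0.3-3 second random pauses described above, and runs them through a simple timing-only heuristic of the kind such a humanizer is built to defeat. The event-log shape, the sample text and the thresholds are assumptions chosen for the demonstration.

```python
import random
import statistics

# Event log in the shape a behaviour-based anti-fraud hook might collect:
# (timestamp_seconds, action). Constructed for this example, not real telemetry.

def intervals(events):
    """Inter-event gaps in seconds for a chronologically ordered event list."""
    times = [t for t, _ in events]
    return [b - a for a, b in zip(times, times[1:])]

def scripted_events(text, start=0.0, gap=0.05):
    """Naive automation: one injected keystroke every `gap` seconds."""
    return [(start + i * gap, ("type", ch)) for i, ch in enumerate(text)]

def humanized_events(text, start=0.0, lo=0.3, hi=3.0, seed=0):
    """Humanizer-style input: a random pause of lo..hi seconds before each event.

    The 0.3-3 s window is the range reported for Herodotus; the uniform draw
    and the fixed seed are assumptions so the run is reproducible.
    """
    rng = random.Random(seed)
    events, t = [], start
    for ch in text:
        t += rng.uniform(lo, hi)
        events.append((t, ("type", ch)))
    return events

def looks_automated(events, min_gap=0.2, min_cv=0.2):
    """Timing-only heuristic (assumed thresholds).

    Flags input whose gaps are faster than a person could type (below min_gap)
    or too regular (coefficient of variation of the gaps below min_cv).
    A stream that stays above both thresholds passes, which is exactly what
    randomized 0.3-3 s delays achieve.
    """
    gaps = intervals(events)
    if len(gaps) < 2:
        return False
    if min(gaps) < min_gap:
        return True
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean
    return cv < min_cv

if __name__ == "__main__":
    sample = "transfer 4900"
    print("scripted  flagged:", looks_automated(scripted_events(sample)))
    print("humanized flagged:", looks_automated(humanized_events(sample)))
```

The point is not that this heuristic is good, but that it is representative: a rule keyed on minimum gap or on regularity catches the scripted stream and lets the humanized one through, so a detector that looks only at keystroke timing cannot be the sole control against an Accessibility-driven bot.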

ThreatFabric noted that earlier Android malware has used delays only to give the UI time to respond, and described Herodotus' randomized timing as a novel evasion technique. The platform also gives operators an admin panel with custom SMS lure text, overlay pages that mimic banking and crypto apps to harvest credentials, opaque overlays to hide fraudulent activity from the victim, an SMS stealer to intercept two-factor codes, and the ability to capture screen content.

The security firm reported activity tied to multiple threat actors, citing seven distinct command-and-control subdomains as evidence of early adoption in the wild. To reduce risk, users should avoid installing APKs from outside Google Play unless the publisher is trusted, keep Google Play Protect enabled, and scrutinize or revoke risky permissions, Accessibility in particular, for newly installed apps.
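One way to act on that last recommendation from a workstation, as an added example that is not part of the article or of ThreatFabric's tooling: pull the list of enabled Accessibility services and the installer of every package over adb, and flag any enabled service whose package did not come from a trusted store. The adb commands named in the comments are real; the device output below is constructed, the trusted-installer set is an assumption (extend it for an MDM or OEM store), and the package names are placeholders.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs). Not real device output.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.A11yService"
)

# Constructed sample of `adb shell pm list packages -i`; installer=null means the
# package was sideloaded (adb, a browser download, a file manager, ...).
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.updater  installer=null
"""

# Assumed allow-list: Google Play only. Add your MDM/OEM store package here.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(value):
    """Split the settings value into its 'package/service' entries."""
    return [s for s in value.strip().split(":") if s]

def parse_installers(text):
    """Map package name -> installer package ('null' when sideloaded)."""
    pat = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.M)
    return {pkg: inst for pkg, inst in pat.findall(text)}

def flag_accessibility_services(enabled_value, installers_text, trusted=TRUSTED_INSTALLERS):
    """Return (service, installer) for each enabled Accessibility service whose
    package was not installed by a trusted store. Packages missing from the
    installer listing are reported as 'unknown' so they are never silently trusted."""
    installers = parse_installers(installers_text)
    flagged = []
    for svc in parse_enabled_services(enabled_value):
        pkg = svc.split("/", 1)[0]
        inst = installers.get(pkg, "unknown")
        if inst not in trusted:
            flagged.append((svc, inst))
    return flagged

if __name__ == "__main__":
    # On a real device, replace the samples with:
    #   adb shell settings get secure enabled_accessibility_services
    #   adb shell pm list packages -i
    for svc, inst in flag_accessibility_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(f"review: {svc} (installer={inst})")
```

A flagged service is a prompt to look, not proof of compromise; a legitimate screen reader sideloaded for testing will show up the same way. For anything that should not be there, disable it under Settings > Accessibility and uninstall the package.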