New Android malware acts like a human to avoid detection

Update, October 29, 2025 (11:03 AM ET): Google has reached out to Android Authority concerning this report, and a spokesperson shares a comment:

Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

Original article, October 29, 2025 (08:52 AM ET): Researchers at cybersecurity firm ThreatFabric have identified a new Android banking trojan, dubbed Herodotus, that takes deception a step further by mimicking human behavior during remote-control sessions to avoid detection. The malware can intercept SMS messages to capture 2FA codes, deploy overlay pages to steal login credentials, and abuse accessibility services to log on-screen activity. Attackers can then use this access to navigate banking apps and initiate fraudulent transactions.

Herodotus is already being spread through known Android malware channels and is built to take over a victim’s device. It employs common banking-trojan tactics, such as fake login screens, SMS interception, and abusive accessibility permissions, but introduces a new twist by attempting to mimic genuine user actions to remain undetected.

According to ThreatFabric (via The Record), the malware’s operators use delays of 0.3-3 seconds between individual keystrokes and mimic swipes or taps, making the automated session appear more like human interaction and less like a bot.

Campaigns linked to Herodotus have been spotted in Italy (where the malware masqueraded as an app called Banca Sicura) and in Brazil (posing as Modulo Seguranca Stone).

Once the malware gains a foothold via a side-loaded dropper or SMiShing link, it asks victims to enable accessibility services, then runs an overlay to hide its activities while carrying out credential harvesting or money transfers. The malware even reports installed apps to a command-and-control server, so attackers know exactly when a target opens a banking or wallet app and can then trigger the fake interface.

What sets Herodotus apart from most Android Trojans is this layering of human-style input behavior atop device takeover. While older Trojans often pasted text or clicked elements at machine speed, which made them easier to flag, Herodotus introduces random delays between inputs, making behavioral-biometrics systems less likely to pick it up. As such, ThreatFabric warns that fraud controls that focus solely on typing speed or input cadence may now find themselves out-matched.

Although the malware is currently in an early stage and its developers are already marketing it as Malware-as-a-Service (MaaS), the implications are serious for banks, wallet apps, and users alike. Fraud teams are being advised to go beyond simple behavioral flags and monitor deeper device-environment indicators.