Herodotus: a new Android banking trojan that mimics human taps to evade detection

Researchers at ThreatFabric have identified a new Android banking trojan dubbed Herodotus. The malware leans on an unusual tactic: it imitates real user behavior, inserting random pauses between taps and mimicking swipes and touches so detection systems are more likely to treat its activity as human.

Herodotus still relies on the familiar playbook of banking trojans: spoofed login screens, interception of 2FA SMS codes, and abuse of accessibility permissions. It also hides its actions behind overlays, monitors which apps are running, and reports that list to its command server so that a fake interface can be triggered at the right moment to steal data. Campaigns using the trojan have been recorded in Italy (posing as Banca Sicura) and Brazil (as Modulo Seguranca Stone).

What sets Herodotus apart is that its automated interactions look convincingly human, complicating detection for tools that monitor input speed and rhythm. Experts caution that routine defenses may fall short. The practical advice remains unchanged: avoid installing apps from untrusted sources, steer clear of suspicious links, and rely on Android’s built-in protections, including Google Play Protect. It’s a telling sign of where the cat-and-mouse game is headed: even basic gestures can be forged well enough to pass for the real thing, which makes disciplined user habits and platform-level safeguards all the more important.