What's Happening?
A new Android banking Trojan, named Herodotus, has been identified by cybersecurity firm ThreatFabric. This malware is designed to mimic human behavior, such as introducing random keystroke delays, to evade detection by security systems. Herodotus employs various device-takeover tactics, including the abuse of accessibility services, overlay attacks, and SMS interception, to capture two-factor authentication codes and steal login credentials. The malware is being marketed as Malware-as-a-Service (MaaS) and is already spreading through known Android malware channels. It has been spotted in campaigns in Italy and Brazil, masquerading as legitimate apps. Google has stated that no apps containing this malware have been found on Google Play, and Android users are protected by Google Play Protect.
Why Is It Important?
The emergence of Herodotus represents a significant threat to banking security, as it challenges existing fraud detection systems that rely on input rhythm or speed. By mimicking human behavior, the malware can bypass these systems, making it harder to detect and prevent fraudulent transactions. This development poses a risk to banks, wallet apps, and users, potentially leading to financial losses and compromised personal information. The situation underscores the need for enhanced security measures that go beyond simple behavioral flags and focus on deeper device-environment indicators. As the malware is marketed as MaaS, it could lead to a wider distribution and increased attacks on financial institutions and their customers.
What's Next?
Security teams are advised to implement more sophisticated monitoring systems that can detect deeper device-environment indicators to counteract the threat posed by Herodotus. Users are encouraged to avoid installing apps from outside the Google Play Store, refrain from clicking on suspicious links, and keep their phone's security features enabled. Regular scans using Google Play Protect are recommended to ensure device safety. As the malware is still in its early stages, ongoing vigilance and updates from cybersecurity firms and Google will be crucial in mitigating its impact.
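To make the detection point above concrete, here is an added example (not code from ThreatFabric, Google, or this article) showing why a fraud check built only on typing rhythm is weak against input that carries randomized delays, and how a session verdict can fold in device-environment indicators of the kind the report describes (sideloaded installer, accessibility-service abuse, overlay and SMS permissions). The keystroke intervals, the indicator names, and the risk weights are all constructed for illustration and are not figures from the page.

```python
import statistics
from dataclasses import dataclass

# Constructed sample data: inter-keystroke intervals in milliseconds for one login.
HUMAN_INTERVALS = [140, 210, 95, 320, 180, 260, 110, 400, 150, 230]
NAIVE_BOT_INTERVALS = [5] * 10  # scripted input with a constant, near-zero delay
# Randomized delays in a human-like range: this is the evasion the article describes.
JITTERED_BOT_INTERVALS = [170, 230, 120, 290, 190, 240, 130, 350, 160, 210]


def rhythm_looks_human(intervals, min_mean_ms=60.0, min_cv=0.2):
    """Rhythm-only check: reject input that is too fast or too regular.

    Thresholds are assumptions for the example. Returns True when the typing
    cadence is plausibly human, which a jittered bot can also satisfy.
    """
    if len(intervals) < 2:
        return False  # too few samples to judge cadence at all
    mean = statistics.mean(intervals)
    if mean < min_mean_ms:
        return False  # faster than a person types
    coeff_var = statistics.pstdev(intervals) / mean
    return coeff_var >= min_cv  # real typing is irregular; constant delays are not


@dataclass
class DeviceContext:
    """Assumed device-environment indicators collected by a banking app's SDK."""
    installer_is_app_store: bool
    accessibility_service_from_sideloaded_app: bool
    overlay_permission_granted_to_unknown_app: bool
    sms_permission_granted_to_unknown_app: bool


def device_risk_score(ctx):
    """Weighted sum over environment indicators; weights are illustrative only."""
    score = 0
    if not ctx.installer_is_app_store:
        score += 2  # app arrived outside the store, matching the sideloading warning
    if ctx.accessibility_service_from_sideloaded_app:
        score += 3  # accessibility abuse is the core device-takeover capability
    if ctx.overlay_permission_granted_to_unknown_app:
        score += 2  # overlays are used to phish credentials on top of the real app
    if ctx.sms_permission_granted_to_unknown_app:
        score += 2  # SMS access enables interception of 2FA codes
    return score


def session_verdict(intervals, ctx, risk_threshold=4):
    """Combine the rhythm check with the device score into a single decision."""
    if not rhythm_looks_human(intervals):
        return "block: scripted input"
    if device_risk_score(ctx) >= risk_threshold:
        return "step-up: risky device environment"
    return "allow"


# Constructed contexts: a clean device and one showing takeover indicators.
CLEAN_DEVICE = DeviceContext(True, False, False, False)
SUSPECT_DEVICE = DeviceContext(False, True, True, True)

if __name__ == "__main__":
    for label, intervals in (("human", HUMAN_INTERVALS),
                             ("naive bot", NAIVE_BOT_INTERVALS),
                             ("jittered bot", JITTERED_BOT_INTERVALS)):
        print(f"{label:12s} rhythm-only human? {rhythm_looks_human(intervals)}")
    print("jittered bot on clean device  :", session_verdict(JITTERED_BOT_INTERVALS, CLEAN_DEVICE))
    print("jittered bot on suspect device:", session_verdict(JITTERED_BOT_INTERVALS, SUSPECT_DEVICE))
```

Run stand-alone, the rhythm-only check rejects the constant-delay input but accepts the jittered input, which is the gap the article warns about; only the device-environment score separates the jittered session on a compromised device from a genuine one. A production system would draw these indicators from the app's own attestation and permission checks and tune the weights on real data rather than the constants used here.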