Security researchers at Threat Fabric have identified a new Android malware called Herodotus that mimics human typing to evade detection. This malware employs a 'humanizer' to introduce random delays between text inputs, imitating human behavior and confounding behavior-only anti-fraud systems.
Distribution and Methods
Herodotus is spread through SMS phishing, known as smishing. Victims receive links leading to a custom dropper that installs the malware's primary payload. This dropper attempts to circumvent Android Accessibility permission restrictions by presenting a fake loading screen while the malware installs in the background.
Market and Geography
The Herodotus malware is being offered as malware-as-a-service (MaaS) and is actively used by multiple threat actors. Infections have been documented in both Italy and Brazil, highlighting the malware's international reach.
Security Recommendations
Researchers recommend Android users enhance security by downloading applications only from official app stores like Google Play, enabling Play Protect, and revoking risky permissions on newly installed apps. Implementing these measures can mitigate the impact of threats like Herodotus.
