
A new Android banking trojan, Herodotus, is actively targeting financial institutions and cryptocurrency platforms across Europe, the US, and Brazil, employing sophisticated device takeover techniques that mimic human behavior to bypass biometric detection and persist in live sessions. This malware, advertised as a service, leverages accessibility features to steal credentials and 2FA codes. Concurrently, GhostGrab, another advanced Android malware, is targeting Indian users by combining banking credential theft with covert Monero cryptocurrency mining, creating a dual-revenue stream for threat actors. These developments highlight the escalating sophistication of mobile banking malware and the persistent cybersecurity risks to financial services and their clientele.
A new Android banking trojan, Herodotus, has been identified in active campaigns targeting Italy and Brazil, with signs of expansion to the U.S., U.K., Turkey, and Poland, as well as cryptocurrency platforms. Advertised under a malware-as-a-service (MaaS) model since September 2025, the malware employs device takeover (DTO) techniques that mimic human behavior by inserting random delays (300-3000ms) into its input, so that its actions pass biometric and timing-based anti-fraud checks and the operator can persist inside a live, already-authenticated session. This represents a significant evolution in mobile malware capabilities. Herodotus abuses Android accessibility services to harvest credentials, intercept 2FA codes, and display bogus login screens over financial apps. It shares obfuscation techniques and direct code references with the Brokewell banking trojan, indicating a common lineage and continuous development. Its focus on persisting in live sessions, rather than merely stealing static credentials, makes for a more insidious threat model. Concurrently, another advanced Android malware, GhostGrab, is targeting Indian users by combining banking credential harvesting with covert Monero cryptocurrency mining, creating a dual revenue stream for the operators. GhostGrab is delivered through dropper apps impersonating financial services that request high-risk permissions and steal sensitive data including ATM PINs and government IDs. Together these developments underscore a significant escalation in both the sophistication and the monetization strategies of mobile banking malware, increasing the risk to financial institutions and their customers globally.
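The jittered-input evasion described above defeats anti-fraud rules that only look for impossibly fast keystrokes. The following added example (not from the report or either malware family) shows, on constructed session telemetry, why a fixed "too fast" threshold misses 300-3000ms randomized delays and what a distribution-aware heuristic for the same signal could look like; the threshold value, the feature names and the sample sessions are assumptions.

```python
"""Timing features for an anti-fraud pipeline facing a device-takeover bot
that inserts random 300-3000 ms delays between its injected input events."""
from typing import Dict, List

# Delay window quoted for Herodotus in the report above.
BOT_MIN_DELAY_MS = 300
BOT_MAX_DELAY_MS = 3000
# Assumed cutoff of a naive "faster than any human" rule.
NAIVE_BOT_THRESHOLD_MS = 100

# Constructed sample sessions (not real telemetry): timestamps in ms of
# successive key presses while a six-digit code is entered.
HUMAN_SESSION_MS = [0, 180, 320, 510, 640, 900]
DELAYED_BOT_SESSION_MS = [0, 450, 2900, 3350, 5800, 6300]


def inter_event_gaps(timestamps_ms: List[int]) -> List[int]:
    """Time between consecutive input events."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def naive_timing_check(timestamps_ms: List[int]) -> bool:
    """Legacy rule: flag only if some gap is too short for a human.
    Random 300-3000 ms delays never trip it, which is the evasion's point."""
    return any(g < NAIVE_BOT_THRESHOLD_MS for g in inter_event_gaps(timestamps_ms))


def gap_features(timestamps_ms: List[int]) -> Dict[str, float]:
    """Describe where the gaps fall, not just how small the smallest one is."""
    gaps = inter_event_gaps(timestamps_ms)
    if not gaps:
        raise ValueError("need at least two events")
    n = len(gaps)
    return {
        "min_gap_ms": float(min(gaps)),
        "share_below_floor": sum(g < BOT_MIN_DELAY_MS for g in gaps) / n,
        "share_in_bot_window": sum(BOT_MIN_DELAY_MS <= g <= BOT_MAX_DELAY_MS for g in gaps) / n,
        "spread_ms": float(max(gaps) - min(gaps)),
    }


def delayed_input_suspicious(timestamps_ms: List[int]) -> bool:
    """Heuristic signal, not a verdict: a short code typed with no sub-300 ms
    gap at all, every gap inside the bot window and a wide spread looks like
    jittered injected input. Slow users can match this too, so combine it with
    other signals (e.g. a third-party accessibility service being enabled)."""
    f = gap_features(timestamps_ms)
    return (f["share_below_floor"] == 0.0
            and f["share_in_bot_window"] == 1.0
            and f["spread_ms"] >= 1000.0)
```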