Cybersecurity firm ThreatFabric has discovered a new Android banking trojan called Herodotus, which can fake human-like behavior during remote-control sessions to avoid security systems.
The malware intercepts SMS 2FA codes, uses overlay pages to steal login credentials, and abuses accessibility services to control devices and perform fraudulent transactions. By adding delays of 0.3–3 seconds and simulating swipes and taps, it looks like a real user rather than a bot.
Active in Italy and Brazil, Herodotus spreads via fake apps and SMiShing links, then hides behind overlays while stealing data. It’s already being marketed as Malware-as-a-Service (MaaS).
Google says no infected apps are on the Play Store, and Play Protect blocks known versions. Users are advised to avoid sideloading, ignore suspicious links, and keep Play Protect enabled.
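
For defenders, the 0.3–3 second delay window described above can itself be treated as a signal. The following is an added example, not code from ThreatFabric, Google or Android Authority: a server-side heuristic that flags an input session when every gap between events falls inside that window and the gaps are spread evenly across it. The function names, thresholds, sample timings and the assumption that the delays are evenly distributed are all illustrative.

```python
from itertools import accumulate

# Delay window the article reports for Herodotus' simulated input (seconds).
DELAY_MIN, DELAY_MAX = 0.3, 3.0

# Constructed sample gaps between input events (seconds), not real captures.
SCRIPTED_GAPS = [0.4, 2.7, 1.1, 1.9, 0.7, 2.3, 1.5, 2.9, 0.9, 1.3]
TYPED_GAPS = [0.12, 0.18, 0.09, 0.21, 0.15, 0.95, 0.11, 0.17, 0.14, 0.20]


def to_timestamps(gap_list, start=0.0):
    """Turn a list of gaps into absolute event timestamps."""
    return list(accumulate(gap_list, initial=start))


def gaps(timestamps):
    """Inter-event gaps (seconds) from an ordered list of timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def ks_uniform(values, lo, hi):
    """Kolmogorov-Smirnov distance between values and Uniform(lo, hi)."""
    xs = sorted(values)
    n = len(xs)
    dist = 0.0
    for i, x in enumerate(xs):
        cdf = min(max((x - lo) / (hi - lo), 0.0), 1.0)
        dist = max(dist, abs(cdf - i / n), abs((i + 1) / n - cdf))
    return dist


def looks_scripted(timestamps, min_gaps=8, ks_threshold=0.35):
    """True when every gap sits inside the reported window and the gaps are
    spread roughly evenly across it. Thresholds are illustrative assumptions."""
    g = gaps(timestamps)
    if len(g) < min_gaps:
        return False  # too few events to judge
    if not all(DELAY_MIN <= x <= DELAY_MAX for x in g):
        return False  # at least one gap outside the window
    return ks_uniform(g, DELAY_MIN, DELAY_MAX) <= ks_threshold


if __name__ == "__main__":
    print("scripted sample:", looks_scripted(to_timestamps(SCRIPTED_GAPS)))
    print("typed sample:   ", looks_scripted(to_timestamps(TYPED_GAPS)))
```

A check like this is one signal to combine with others, such as whether an accessibility service or overlay was active during the session.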
Source: Android Authority