New Android MaaS “Herodotus”

Herodotus is a new Android malware-as-a-service that mimics human typing by injecting randomized delays into its input routines (0.3–3s) to defeat timing- and behavior-based detection. Delivered via smishing to targets in Italy and Brazil, it uses a custom dropper that tricks users into granting Accessibility permissions, then employs overlays, SMS-stealing, screen capture, and credential-phishing pages to commit financial fraud.

Technical highlights

  • Delivery: SMS phishing (smishing) linking to a custom APK dropper.
  • Privilege escalation: Dropper opens Accessibility settings and uses an overlay to hide permission-granting steps.
  • Capabilities after permission: UI interaction (taps, swipes, back), text entry (clipboard paste and simulated typing), overlay injection to mimic banking/crypto apps, screen capture, SMS interception for 2FA codes.
  • Evasion technique: Humanizer mechanism adds random delays (0.3–3s) between text input events to emulate natural typing cadence and bypass behavioural anti-fraud/detection tools.
  • Business model: Offered as MaaS to financially motivated actors; multiple subdomains indicate active adoption.

Why this matters (impact)

  • Behavioural detectors that rely on speed/pattern anomalies for automated UI actions can be bypassed by this simple yet effective randomization.
  • Accessibility permission abuse remains a high-risk vector on modern Android (including Android 13+).
  • Overlays combined with SMS interception and screen capture make this family well-suited for account takeover and financial loss.
  • MaaS distribution accelerates spread and lowers entry barriers for opportunistic fraud gangs.

Immediate actions for Android users

  • Do not install APKs from outside Google Play unless you explicitly trust the publisher.
  • Keep Google Play Protect enabled and up to date.
  • Immediately review newly installed apps and revoke Accessibility permissions for any app that doesn’t need them.
  • Revoke other high-risk permissions (SMS, screen capture, draw over other apps) from questionable apps.
  • Be suspicious of SMS links and verify app sources before installing.

Actions for SOC / Mobile security teams

  • Monitor for sudden Accessibility permission grants and correlate with new app installs or unusual UI automation events.
  • Alert on processes or apps that request draw-over, SMS read, and accessibility in quick succession.
  • Add telemetry to detect randomized but human-like typing patterns combined with other automation markers (e.g., repeated taps at exact coordinates, overlay window creation).
  • Hunt for known hosting subdomains and custom dropper domains; block and sinkhole where appropriate.
  • Tune fraud-detection rules to require multi-signal detection (typing cadence + overlay creation + SMS access) rather than cadence alone.
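As an added illustration of the last two points (example code written for this post, not from the report or from any vendor tooling), the rule below runs over constructed per-app telemetry and only raises an alert when the humanized typing cadence is corroborated by the permission bundle, an overlay or SMS access; the event format, package names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not real device logs): "timestamp|package|event|detail".
SAMPLE_LOG = """\
2024-01-01T10:00:00|com.example.dropper|install|source=sideload
2024-01-01T10:00:20|com.example.dropper|perm_grant|ACCESSIBILITY
2024-01-01T10:00:25|com.example.dropper|perm_grant|SYSTEM_ALERT_WINDOW
2024-01-01T10:00:31|com.example.dropper|perm_grant|READ_SMS
2024-01-01T10:05:00|com.example.dropper|overlay_create|target=com.bank.app
2024-01-01T10:05:01|com.example.dropper|input_text|delay_ms=412
2024-01-01T10:05:03|com.example.dropper|input_text|delay_ms=2710
2024-01-01T10:05:04|com.example.dropper|input_text|delay_ms=980
2024-01-01T10:05:05|com.example.dropper|input_text|delay_ms=1650
2024-01-01T11:00:00|com.example.notes|install|source=play_store
2024-01-01T11:30:00|com.example.notes|perm_grant|READ_SMS
"""
HIGH_RISK = {"ACCESSIBILITY", "SYSTEM_ALERT_WINDOW", "READ_SMS"}
BUNDLE_WINDOW = timedelta(seconds=120)  # three grants this close together is the dropper pattern
HUMANIZER_MS = (300, 3000)              # delay band reported for the Herodotus humanizer

def parse(log):
    events = defaultdict(list)  # package -> [(timestamp, event, detail)]
    for line in log.strip().splitlines():
        ts, pkg, ev, detail = line.split("|", 3)
        events[pkg].append((datetime.fromisoformat(ts), ev, detail))
    return events

def rapid_permission_bundle(evts):
    """All three high-risk permissions granted within BUNDLE_WINDOW (first to last grant)."""
    grants = [(t, d) for t, ev, d in evts if ev == "perm_grant" and d in HIGH_RISK]
    if {d for _, d in grants} != HIGH_RISK:
        return False
    times = sorted(t for t, _ in grants)
    return times[-1] - times[0] <= BUNDLE_WINDOW

def humanized_cadence(evts, min_events=4):
    """Every inter-key delay sits in the 0.3-3 s band yet the delays are widely spread."""
    delays = [int(d.split("=")[1]) for _, ev, d in evts if ev == "input_text"]
    if len(delays) < min_events:
        return False
    lo, hi = HUMANIZER_MS
    return all(lo <= x <= hi for x in delays) and (max(delays) - min(delays)) / hi > 0.5

def score(evts):
    """Multi-signal rule: typing cadence alone never fires, it must be corroborated."""
    signals = {
        "rapid_permission_bundle": rapid_permission_bundle(evts),
        "overlay_create": any(ev == "overlay_create" for _, ev, _ in evts),
        "sms_access": any(ev == "perm_grant" and d == "READ_SMS" for _, ev, d in evts),
        "humanized_cadence": humanized_cadence(evts),
    }
    corroborated = signals["overlay_create"] or signals["sms_access"]
    return signals["rapid_permission_bundle"] or (signals["humanized_cadence"] and corroborated), signals
```

The benign notes app, which also reads SMS but shows neither the grant bundle nor the cadence pattern, stays below the alert threshold.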

Summary

Herodotus is a financially motivated Android MaaS that combines Accessibility abuse, overlays, SMS interception, and human-like typing delays to enable stealthy account takeover via smishing.
