Cybersecurity specialists at Kaspersky have identified a previously unknown Android malware called Herodotus. It employs highly sophisticated methods to evade detection by anti-fraud solutions. Herodotus first surfaced on underground forums on September 7, 2025. Sold as malware-as-a-service (MaaS), it lets cybercriminals bypass Android defenses quickly and easily.
Herodotus targets Android devices running versions 9 through 16 and abuses accessibility services to carry out its malicious activities. For example, it can intercept two-factor authentication (2FA) codes sent over SMS, monitor everything displayed on the screen, and grant itself whatever additional permissions it requires on the fly.
Advanced Evasion Techniques
Herodotus is also surprisingly good at impersonating humans, a trait that makes it significantly harder to detect and eradicate. It creates the illusion of normal user interaction by introducing random delays between synthetic text input events. The delays range from 300 ms to 3000 ms.
“Such a randomization of delay between text input events does align with how a user would input text. By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions spotting machine-like speed of text input.”
This deliberate tactic keeps the malware under the radar of behavioral biometrics detection systems, which are specifically built to recognize bot-like behavior.
Experts from ThreatFabric have noted that Herodotus is carefully crafted for device takeover, and that it also takes its first, still clumsy, steps toward imitating human behavior. This new ability is a dangerous weapon against users’ personal and financial information.
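The point made above, that randomized input delays defeat anti-fraud checks which only look at typing speed, is easier to see with a small timing analysis. The Python below is an added illustration and is not code from the article or from any vendor: the three interval sequences are constructed, the 300–3000 ms bounds come from the article, and the "flatness" and "centring" thresholds are this example's own assumptions rather than a published detection rule. It shows a speed-only check passing the randomized input, and a second check that looks at the shape of the interval distribution instead.

```python
"""Inter-event timing checks for synthetic text input (added example)."""
from statistics import mean, median, pstdev

# Constructed sample data (not taken from any real sample): milliseconds between
# consecutive text-input events for three sessions.
MACHINE_LIKE = [48, 51, 50, 49, 52, 50, 48, 51, 50, 49, 50, 51]
HUMAN_LIKE = [180, 95, 240, 130, 110, 900, 160, 210, 140, 1400, 190, 120]
# Intervals drawn uniformly from the 300-3000 ms window described in the article.
RANDOM_DELAYED = [1580, 340, 2700, 1150, 2230, 620, 1990, 2960, 910, 2480, 1320, 1760]


def machine_speed_check(intervals, max_mean_ms=100.0, max_cv=0.15):
    """Speed-only heuristic: flag input that is fast or nearly constant.

    This is the kind of check the randomized delays are designed to evade.
    """
    m = mean(intervals)
    cv = pstdev(intervals) / m if m else 0.0  # coefficient of variation
    return m < max_mean_ms or cv < max_cv


def uniform_jitter_check(intervals, min_ms=300, max_ms=3000, bins=3, tolerance=0.15):
    """Shape heuristic (assumed thresholds): flag intervals that look uniformly
    drawn from a bounded window. Every interval must fall inside [min_ms, max_ms],
    each equal-width bin must hold roughly the same count, and the median must sit
    near the midpoint of the observed range. Human typing instead clusters at a
    few hundred ms with a long right tail of pauses."""
    if not intervals or not all(min_ms <= x <= max_ms for x in intervals):
        return False
    lo, hi = min(intervals), max(intervals)
    if hi == lo:
        return False
    width = (hi - lo) / bins
    counts = [0] * bins
    for x in intervals:
        counts[min(int((x - lo) / width), bins - 1)] += 1
    expected = len(intervals) / bins
    flat = all(abs(c - expected) <= tolerance * len(intervals) for c in counts)
    centred = abs(median(intervals) - (lo + hi) / 2) <= 0.2 * (hi - lo)
    return flat and centred


def classify(intervals):
    """Combine both checks into a single verdict for a session."""
    if machine_speed_check(intervals):
        return "machine-speed"
    if uniform_jitter_check(intervals):
        return "uniform-random-delay"
    return "plausibly-human"


if __name__ == "__main__":
    for label, seq in (("machine", MACHINE_LIKE), ("human", HUMAN_LIKE),
                       ("randomized", RANDOM_DELAYED)):
        print(f"{label:>10}: speed-only={machine_speed_check(seq)!s:5} "
              f"verdict={classify(seq)}")
```

The randomized session sails through `machine_speed_check` because its mean interval is about 1.7 s with high variance, exactly the blind spot the article describes; only the distribution-shape check notices that the intervals are spread far too evenly across a fixed window to be a person typing.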
Data Theft and Financial Exploitation
Herodotus is more than an evasion tool: it was specifically created to systematically collect highly sensitive financial data, including victims’ banking credentials, debit card details and one-time passwords (OTPs) sent through SMS.
“It is engineered to systematically harvest sensitive financial information, including banking credentials, debit card details, and one-time passwords (OTPs) via SMS interception.” – CyFIRMA
Herodotus does more than gather information: it can also drop remote APKs, a potent capability that lets attackers fully compromise infected devices. It requests a broad, high-risk set of permissions, including the ability to forward calls, which makes stealing SMS data easier and opens many further avenues for exploitation.
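The capability set described in this section (SMS interception, call forwarding, dropping APKs, accessibility-service abuse) is visible in an app's manifest before the app ever runs, so a triage script is a natural defender's check. The Python below is an added example, not code from the article or from any vendor. The two manifests are constructed, the mapping from each capability to the Android permissions that commonly back it is this example's assumption (for instance, call forwarding is mapped to `CALL_PHONE` because forwarding is typically set up by dialling carrier codes), and the review threshold is likewise assumed.

```python
"""Triage an Android manifest against a high-risk capability set (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capability -> permissions that commonly back it. This mapping is the example's
# assumption, not a published indicator for any specific malware family.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_forwarding": {"android.permission.CALL_PHONE"},
    "apk_dropping": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
REVIEW_THRESHOLD = 3  # assumed: a score at or above this warrants manual review

# Constructed manifests for illustration (not real samples).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""


def audit_manifest(xml_text):
    """Return which high-risk capabilities a manifest requests and a simple score."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # An accessibility service is declared by guarding its <service> with
    # BIND_ACCESSIBILITY_SERVICE; that is what the accessibility-abuse class relies on.
    accessibility = any(svc.get(PERM_ATTR) == A11Y_PERMISSION for svc in root.iter("service"))
    capabilities = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                          if requested & perms)
    # Accessibility weighs double because it enables screen reading and self-granting
    # of further permissions, as described in the article.
    score = len(capabilities) + (2 if accessibility else 0)
    return {
        "package": root.get("package"),
        "accessibility_service": accessibility,
        "capabilities": capabilities,
        "risk_score": score,
        "needs_review": score >= REVIEW_THRESHOLD,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(audit_manifest(text))
```

No single permission here is malicious on its own; a messaging app legitimately reads SMS. The value of the check is the combination: SMS access plus call control plus package installation plus an accessibility service is the profile this section describes, and it is cheap to flag for review at ingestion time.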
User Vulnerabilities and Security Risks
The emergence of Herodotus poses serious and imminent threats to the security and privacy of users. Beyond persistence, the malware can steal lockscreen PIN codes and patterns, an additional layer of invasiveness that threatens both individuals and institutions.
With attackers constantly finding new and more advanced ways to break through, users need to stay alert. They should know the red flags that indicate a malware infection and be equally proactive in securing their devices.