Herodotus Android banking trojan device takeover activity
Malware Activity
Summary
The Herodotus Android banking trojan is now being used in active campaigns to seize devices and steal banking credentials, increasing fraud risk for mobile financial users. It is delivered through dropper apps masquerading as Google Chrome and uses accessibility services to place fake login screens over financial apps. The malware can steal 2FA SMS codes, intercept screen contents, and capture lockscreen PINs or patterns. It also adds 300–3000 ms random delays to mimic human typing and evade behavior-based anti-fraud detection while spreading beyond Italy and Brazil to financial organizations in the U.S., Turkey, the U.K., Poland, and cryptocurrency services.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Wonderland Android SMS stealer activity targeting Uzbekistan
Malware Activity
First: 22.12.2025 08:11
Last: 22.12.2025 08:11
Sources 1
About this happening:
The **Wonderland** Android SMS stealer is being spread through **malicious droppers** in attacks targeting **users in Uzbekistan**, enabling **SMS and OTP theft** and bank-card fr...
Cellik Android malware-as-a-service trojanized-app builder
Malware Activity
First: 17.12.2025 00:59
Last: 17.12.2025 00:59
Sources 1
About this happening:
The **Cellik** Android malware-as-a-service has appeared on underground forums with a builder that can create trojanized versions of **Google Play Store** apps, increasing the ris...
DroidLock Android malware with ransom lock and device-control capabilities
Malware Activity
First: 10.12.2025 23:53
Last: 10.12.2025 23:53
Sources 1
About this happening:
The **DroidLock** Android malware can **lock victim screens for ransom** and steal **messages, call logs, contacts, and audio recordings**, putting infected users at immediate ext...
Timeline
-
28.10.2025 18:33 1 articles · 7mo ago
Herodotus first advertised in underground forums
Initial Disclosure: Herodotus, an Android banking trojan, is first advertised in underground forums as malware-as-a-service, with claims that it can run on Android versions 9 to 16 and support device takeover operations.
Sources:
- New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
-
28.10.2025 18:33 1 articles · 7mo ago
Herodotus active campaigns expand across countries and targets
Campaign Scope Update: Herodotus is observed in active campaigns targeting Italy and Brazil for device takeover. It is delivered through dropper apps masquerading as Google Chrome (package name "com.cd3.app") and abuses accessibility services to display opaque overlays and fake login screens, intercept screen contents and 2FA SMS codes, capture lockscreen PINs or patterns, and install remote APK files. The operators also add random 300–3000 millisecond delays to mimic human typing, and have expanded targeting to financial organisations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges.
Sources:
- New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
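
A device-triage check for the delivery and accessibility abuse described in the timeline above, as an added example that is not part of the original report. It parses the output of `pm list packages -3` and `settings get secure enabled_accessibility_services` (both collected over `adb shell`); the allowlist, the sample outputs and the service class name are constructed assumptions, and only the package name "com.cd3.app" comes from the page.

```python
# Added example: flags the package name reported on this page and any
# unexpected app that holds an enabled accessibility service.

# Package name the page lists for the Chrome-masquerading app.
IOC_PACKAGES = {"com.cd3.app"}

# Assumption: accessibility providers the fleet expects (TalkBack here).
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}

# Constructed sample outputs; the service class name is a placeholder.
SAMPLE_PM = "package:com.cd3.app\npackage:org.example.notes\n"
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.cd3.app/.PlaceholderService"
)


def parse_packages(pm_output):
    """Parse `pm list packages -3` lines of the form 'package:<name>'."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def parse_a11y_services(setting_value):
    """Parse the colon-separated 'pkg/ServiceClass' list; 'null' means none."""
    value = setting_value.strip()
    if not value or value == "null":
        return {}
    services = {}
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


def triage(pm_output, setting_value):
    """Return sorted (finding, package) tuples for an analyst to review."""
    findings = [("ioc_package_installed", pkg)
                for pkg in sorted(parse_packages(pm_output) & IOC_PACKAGES)]
    for pkg in sorted(parse_a11y_services(setting_value)):
        if pkg in ALLOWED_A11Y:
            continue
        kind = "ioc_has_accessibility" if pkg in IOC_PACKAGES else "unexpected_accessibility"
        findings.append((kind, pkg))
    return findings
```
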