Herodotus Android banking trojan device takeover activity
Malware Activity
Summary
The Herodotus Android banking trojan is now being used in active campaigns to seize devices and steal banking credentials, increasing fraud risk for mobile financial users. It is delivered through dropper apps masquerading as Google Chrome and uses accessibility services to place fake login screens over financial apps. The malware can steal 2FA SMS codes, intercept screen contents, and capture lockscreen PINs or patterns. It also adds 300–3000 ms random delays to mimic human typing and evade behavior-based anti-fraud detection. Targeting has spread beyond Italy and Brazil to financial organizations in the U.S., Turkey, the U.K., and Poland, and to cryptocurrency services.
Related Happenings
Rokarolla Android banking trojan activity
Malware Activity
H score: 26
First: 16.06.2026 16:15
Last: 16.06.2026 16:15
Sources 1
About this happening:
The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/Service
H score: 20
First: 03.06.2026 12:02
Last: 03.06.2026 12:02
Sources 1
About this happening:
**Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
FBI public service announcement on fake FIFA websites
Public Sector Action
H score: 21
First: 28.05.2026 22:08
Last: 28.05.2026 22:08
Sources 1
About this happening:
The **FBI** and security researchers warn that **FIFA-themed fraud** is already targeting **World Cup 2026** fans ahead of the **June 11 kickoff**. Reported activity includes **mo...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score: 25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
H score: 39
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Timeline
- 28.10.2025 18:33 · 1 article
Herodotus first advertised in underground forums
Initial Disclosure: Herodotus, an Android banking trojan, is first advertised in underground forums as malware-as-a-service, with claims that it can run on Android versions 9 to 16 and support device takeover operations.
Sources:
- New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- 28.10.2025 18:33 · 1 article
Herodotus active campaigns expand across countries and targets
Campaign Scope Update: Herodotus is observed in active campaigns targeting Italy and Brazil for device takeover. It is delivered through dropper apps masquerading as Google Chrome (package name "com.cd3.app") and abuses accessibility services to display opaque overlays and fake login screens, intercept screen contents and 2FA SMS codes, capture lockscreen PINs or patterns, and install remote APK files. The operators also add random 300–3000 millisecond delays to mimic human typing, and have expanded targeting to financial organisations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges.
Sources:
- New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33