Herodotus Android malware evades detection with human-like typing
Summary
A new Android malware family, Herodotus, uses random typing delays to mimic human behavior and evade detection by security software. The malware is offered as a service to financially motivated cybercriminals and is currently targeting Italian and Brazilian users through SMS phishing. Herodotus bypasses Accessibility permission restrictions in Android 13 and later, allowing it to interact with the user interface and steal sensitive information. The malware includes a 'humanizer' mechanism that introduces random delays in text input to avoid detection by behavioral anti-fraud solutions. It also features a control panel for custom SMS texts, overlay pages for credential theft, and SMS stealing for two-factor authentication interception. Herodotus is spread by multiple threat actors, with seven distinct subdomains detected. The malware is under active development and targets financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges. It is designed to perform device takeover (DTO) attacks and can steal two-factor authentication (2FA) codes sent via SMS, intercept screen content, grab the lockscreen PIN or pattern, and install remote APK files.
Timeline
- 28.10.2025 12:00 (2 articles)
  Herodotus Android malware targets Italian and Brazilian users
  Herodotus is advertised in underground forums as a malware-as-a-service (MaaS) model. It is designed to perform device takeover (DTO) attacks and targets Android versions 9 to 16. The malware abuses accessibility services to interact with the screen, serve opaque overlay screens, and conduct credential theft. It can steal two-factor authentication (2FA) codes sent via SMS, intercept screen content, grab the lockscreen PIN or pattern, and install remote APK files. Herodotus introduces random delays between 300–3000 milliseconds (0.3–3 seconds) to mimic human typing, making it difficult for behavioral anti-fraud solutions to detect. The malware targets financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges. It is under active development and appears purpose-built to persist inside live sessions rather than simply steal static credentials.
  Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
Information Snippets
- Herodotus is a new Android malware family that mimics human typing to evade detection.
  First reported: 28.10.2025 12:00 (2 sources, 2 articles). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- The malware is offered as a malware-as-a-service (MaaS) to financially motivated cybercriminals.
  First reported: 28.10.2025 12:00 (2 sources, 2 articles). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus is believed to be operated by the same actors behind Brokewell.
  First reported: 28.10.2025 12:00 (2 sources, 2 articles). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- The malware is currently targeting Italian and Brazilian users through SMS phishing.
  First reported: 28.10.2025 12:00 (2 sources, 2 articles). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus bypasses Accessibility permission restrictions in Android 13 and later.
  First reported: 28.10.2025 12:00 (2 sources, 2 articles). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- The malware includes a 'humanizer' mechanism that introduces random delays in text input to mimic human typing.
  First reported: 28.10.2025 12:00 (2 sources, 2 articles). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus features a control panel for custom SMS texts, overlay pages for credential theft, and SMS stealing for two-factor authentication interception.
  First reported: 28.10.2025 12:00 (2 sources, 2 articles). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- The malware is spread by multiple threat actors, with seven distinct subdomains detected.
  First reported: 28.10.2025 12:00 (1 source, 1 article). Sources:
  - New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00
- Herodotus malware is advertised in underground forums as a malware-as-a-service (MaaS) model.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus is designed to perform device takeover (DTO) attacks.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus targets Android versions 9 to 16.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus abuses accessibility services to interact with the screen, serve opaque overlay screens, and conduct credential theft.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus can steal two-factor authentication (2FA) codes sent via SMS, intercept screen content, grab the lockscreen PIN or pattern, and install remote APK files.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus introduces random delays between 300–3000 milliseconds (0.3–3 seconds) to mimic human typing.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
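The 300–3000 ms 'humanizer' delay described in the timeline entry and in the snippet above leaves its own fingerprint: a flat spread of inter-keystroke gaps with nothing below 300 ms, which real typing rarely produces. The following is an added detection-side example, not code from the reporting sources or from any anti-fraud product; the window, the cutoffs (MIN_EVENTS, KS_FLAT) and both sample sessions are constructed assumptions.

```python
"""Heuristic for spotting uniformly randomised inter-keystroke delays.
Added example: scores the gaps of an input session against a uniform
draw on the reported 300-3000 ms window. Thresholds are constructed."""
from itertools import accumulate

LOW_MS, HIGH_MS = 300, 3000   # delay window reported for Herodotus (assumed uniform)
MIN_EVENTS = 10               # fewer keystrokes than this give no usable distribution
KS_FLAT = 0.25                # constructed cutoff: below this the gaps look uniform

def intervals(timestamps_ms):
    """Gaps between consecutive input events (timestamps must be increasing)."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]

def ks_vs_uniform(gaps, low=LOW_MS, high=HIGH_MS):
    """Kolmogorov-Smirnov distance between the gaps' empirical CDF and a
    uniform CDF on [low, high]. Near 0 means the gaps are spread evenly
    over the window; human typing clusters well below 300 ms and scores high."""
    xs, n, d = sorted(gaps), len(gaps), 0.0
    for i, x in enumerate(xs):
        cdf = min(max((x - low) / (high - low), 0.0), 1.0)
        d = max(d, abs((i + 1) / n - cdf), abs(i / n - cdf))
    return d

def typing_features(timestamps_ms):
    """Per-session features a behavioural anti-fraud rule can consume."""
    gaps = intervals(timestamps_ms)
    return {"events": len(timestamps_ms), "min_gap": min(gaps), "max_gap": max(gaps),
            "in_window": sum(LOW_MS <= g <= HIGH_MS for g in gaps) / len(gaps),
            "ks_uniform": ks_vs_uniform(gaps)}

def looks_humanized(timestamps_ms):
    """True when every gap sits inside the window and the gaps are flat across
    it: no sub-300 ms bursts, no long pauses, and a shape matching a uniform
    draw rather than a human rhythm. An operator can change the window, so
    treat this as one signal to combine with others, not a verdict."""
    f = typing_features(timestamps_ms)
    return (f["events"] >= MIN_EVENTS and f["min_gap"] >= LOW_MS
            and f["max_gap"] <= HIGH_MS and f["ks_uniform"] < KS_FLAT)

def timestamps_from_gaps(gaps, start_ms=0):
    """Build an event timeline from a list of gaps (helper for the samples)."""
    return list(accumulate(gaps, initial=start_ms))

# Constructed sessions: a person typing a passphrase (bursty, mostly <300 ms)
# and a script pacing the same entry with gaps spread evenly over 300-3000 ms.
HUMAN_TS = timestamps_from_gaps([190, 240, 160, 310, 210, 180, 450, 170, 220, 260,
                                 150, 200, 380, 210, 190, 230, 170, 280, 210, 160])
AUTOMATED_TS = timestamps_from_gaps([300 + 135 * k for k in range(21)])
```

The two constants are the knobs a defender tunes from their own baseline; a scripted session with a different window will fail the min/max checks but may still show a low KS distance against a re-fitted window.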
- Herodotus targets financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
- Herodotus is under active development and appears purpose-built to persist inside live sessions rather than simply steal static credentials.
  First reported: 28.10.2025 18:33 (1 source, 1 article). Sources:
  - New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human — thehackernews.com — 28.10.2025 18:33
Similar Happenings
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. 
The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval. 
F5 disclosed that unidentified threat actors stole files containing BIG-IP's source code and information related to undisclosed vulnerabilities. The attackers used the BRICKSTORM malware, attributed to a China-nexus espionage group dubbed UNC5221. The attackers were in F5's network for at least 12 months before detection. GreyNoise observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025. Censys identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet.
New YiBackdoor Malware with Code Overlaps to IcedID and Latrodectus
A new malware family, YiBackdoor, has been identified. It shares significant code overlaps with IcedID and Latrodectus. YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy plugins. It may be used in conjunction with Latrodectus and IcedID during attacks. YiBackdoor was first detected in June 2025 and is likely under development or testing. YiBackdoor features rudimentary anti-analysis techniques and uses the Windows Run registry key for persistence. It injects its core functionality into the svchost.exe process. The malware's command-and-control (C2) server is extracted from an embedded encrypted configuration, and it supports various commands for system manipulation and plugin management. The malware's limited deployment suggests it is still in development or testing phases.
Brokewell Android malware campaign targets cryptocurrency users via fake TradingView ads
A malware campaign is using fake TradingView ads on Meta’s advertising platforms to distribute the Brokewell Android malware. The campaign, active since at least July 22, targets cryptocurrency users and seeks to steal sensitive data, gain remote control of devices, and bypass two-factor authentication. The malware is delivered via a malicious APK file hosted on a fake TradingView site. The Brokewell malware features a broad set of capabilities, including data theft, remote monitoring, and control of compromised devices. It can steal cryptocurrency wallets, bank account details, and Google Authenticator codes. The malware also records screens and keystrokes, activates the camera and microphone, and tracks device locations. It can intercept SMS messages, including banking and 2FA codes, and execute remote commands via Tor or Websockets. The campaign is part of a larger operation that previously targeted Windows users with Facebook ads impersonating well-known brands.