Herodotus Android malware humanized typing and UI automation activity
Malware Activity
Summary
The Herodotus Android malware family now uses random 0.3 to 3 second typing delays to make automated input look human and harder for security tools to detect. It is being delivered through SMS phishing and a custom dropper that pressures victims to grant Accessibility permissions on Android 13+. Once active, it can use overlays and UI automation to steal banking credentials and intercept 2FA codes. The result is a stealthier mobile fraud threat for affected Android users.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Google Android developer verification rollout for sideloaded apps
Security Tool/Service
First: 31.03.2026 21:28
Last: 31.03.2026 21:28
Sources 1
About this happening:
Google is rolling out **Android developer verification** for apps distributed outside **Google Play**, tightening sideloading controls to make anonymous abuse harder. The first en...
Wonderland Android SMS stealer activity targeting Uzbekistan
Malware Activity
First: 22.12.2025 08:11
Last: 22.12.2025 08:11
Sources 1
About this happening:
The **Wonderland** Android SMS stealer is being spread through **malicious droppers** in attacks targeting **users in Uzbekistan**, enabling **SMS and OTP theft** and bank-card fr...
Timeline
- 28.10.2025 12:00 · 1 article · 7mo ago
Herodotus Android malware uses human-like typing delays
Initial Disclosure: Herodotus is a new Android malware family offered as malware-as-a-service and used against Italian and Brazilian users through SMS phishing that delivers a custom dropper, requests Accessibility access on Android 13 and later, and then uses overlays and UI automation to steal credentials, intercept 2FA codes, and capture screen content. The malware's humanizer types with random 0.3 to 3 second delays to mimic human behavior and evade timing-based detection, and seven distinct subdomains suggest spread by several threat actors.
Sources:
- New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00