Herodotus MaaS smishing campaign targeting Italian and Brazilian users
Campaign
Summary
A Herodotus smishing campaign is now deploying the Android malware against Italian and Brazilian users, creating a live mobile credential-theft threat. The messages deliver a custom dropper that pushes victims to enable Accessibility access on Android 13+, giving operators deeper control over the device. The payload can mimic human typing, steal banking and crypto credentials, and intercept 2FA codes.
Related Happenings
Wonderland Android SMS stealer activity targeting Uzbekistan
Malware Activity
First: 22.12.2025 08:11
Last: 22.12.2025 08:11
Sources 1
About this happening:
The **Wonderland** Android SMS stealer is being spread through **malicious droppers** in attacks targeting **users in Uzbekistan**, enabling **SMS and OTP theft** and bank-card fr...
TrickyWonders Wonderland distribution campaign targeting Uzbekistan users
Campaign
First: 22.12.2025 08:11
Last: 22.12.2025 08:11
Sources 1
About this happening:
The **TrickyWonders** campaign is distributing **Wonderland** through fake **Google Play** pages, **Facebook** ads, dating-app lures, and **Telegram**, expanding risk to **users i...
DroidLock Android malware with ransom lock and device-control capabilities
Malware Activity
First: 10.12.2025 23:53
Last: 10.12.2025 23:53
Sources 1
About this happening:
The **DroidLock** Android malware can **lock victim screens for ransom** and steal **messages, call logs, contacts, and audio recordings**, putting infected users at immediate ext...
Albiriox Austrian-targeting distribution campaign
Campaign
First: 01.12.2025 10:45
Last: 01.12.2025 10:45
Sources 1
About this happening:
The **Albiriox** distribution campaign targeted **Austrian victims**, using **German-language SMS lures** and fake **Google Play Store** listings to deliver a dropper APK and enab...
Russia-aligned Signal linked-devices account hijacking campaign
Campaign
First: 25.11.2025 08:42
Last: 25.11.2025 08:42
Sources 1
About this happening:
**Multiple Russia-aligned threat actors** are running an active **Signal account hijacking** campaign that abuses the app's **linked devices** feature. The operation has been visi...
Timeline
28.10.2025 12:00 · 1 article
Herodotus MaaS smishing targets Italian and Brazilian users
Initial Disclosure
Herodotus, a new Android malware family offered as malware-as-a-service and linked to Brokewell operators, is being deployed against Italian and Brazilian users through SMS phishing that delivers a custom dropper. The malware uses random 0.3 to 3 second delays in text input to mimic human typing, attempts to bypass Accessibility permission restrictions on Android 13 and later, and can interact with the Android UI to steal banking and crypto credentials, intercept 2FA codes, and capture screen content.
Sources
- New Herodotus Android malware fakes human typing to avoid detection — www.bleepingcomputer.com — 28.10.2025 12:00