Executive Summary
In October 2025, cybersecurity researchers uncovered a new Android banking trojan, dubbed Herodotus, actively targeting financial institutions and users in Italy and Brazil. The malware stands out by performing sophisticated device takeover (DTO) attacks while mimicking genuine human behavior—specifically attempting to bypass behavioral biometrics and anti-fraud detection. Herodotus infects devices via malicious apps or phishing, granting attackers near-complete control, which they use to exfiltrate sensitive financial and authentication data by simulating legitimate user interaction.
The Herodotus incident underscores a troubling advancement in mobile malware—attackers are increasingly leveraging techniques that closely imitate human behavior to elude cutting-edge security controls. This signals a growing risk for banking apps and enterprises relying on behavioral biometrics, and highlights the urgent need for multilayered zero trust strategies and improved east-west visibility in mobile ecosystems.
Why This Matters Now
Herodotus represents a shifting threat landscape: malware is now engineered to circumvent behavioral biometrics by emulating natural user input. With mobile banking growing rapidly, this evasion technique raises the stakes for organizations relying exclusively on behavior detection, demanding urgent innovation in endpoint protection and security framework adoption.
Attack Path Analysis
Herodotus runs on the victim's handset, not inside the bank's network, and the chain is a consumer-device chain throughout. Initial access comes from a deceptive app, typically side-loaded after an SMS phishing lure. The app then coaxes the victim into enabling the Android Accessibility Service; with that permission it can read screen contents, capture keystrokes, access stored application data, grant itself further permissions and fetch additional code at runtime. The operator then performs the device takeover: rather than replaying a script at machine speed, it drives the genuine banking app on the genuine device and inserts randomized pauses between injected characters so the session's input cadence resembles a person typing, which is what behavioral-biometric anti-fraud controls measure. The implant keeps a command-and-control channel open, usually over encrypted traffic, and sends captured credentials and authentication data to attacker infrastructure. Because the fraudulent transactions originate from the customer's real device and real app, the bank's back end sees a normal-looking client, which is why detection has to rely on behavioral and transaction-risk signals rather than on network provenance alone.
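The evasion described above comes down to keystroke timing. The following is an added example, not code from the page, from ThreatFabric or from any vendor: it constructs three synthetic inter-keystroke streams (human typing, plain scripted injection, and Herodotus-style injection with a random pause per character) and runs two detectors over them. The naive detector only checks how regular the cadence is, so randomized pauses slip past it; the second detector also requires the short bursts between adjacent keys that real typing produces. The 0.3 to 3.0 second injection range, the thresholds and the distributions are all assumptions made for illustration.

```python
"""Inter-keystroke timing check: a regularity-only detector is evaded by
randomised input delays; a burst-aware feature is not.

Added example for illustration. Delay ranges, thresholds and the synthetic
typing streams are assumptions, not measurements from the malware.
"""
import random
import statistics

# Assumed injection cadence for a Herodotus-style session: one character
# at a time with a uniformly random pause between characters.
INJECT_MIN_S = 0.3
INJECT_MAX_S = 3.0

FAST_INTERVAL_S = 0.20    # assumed: a human burst between adjacent keys
MIN_FAST_FRACTION = 0.10  # assumed: real typing has plenty of such bursts
MAX_CV_SCRIPTED = 0.20    # assumed: near-constant cadence means scripted


def human_intervals(n, seed=1):
    """Constructed 'human' stream: log-normal gaps with a ~150 ms median."""
    rng = random.Random(seed)
    return [rng.lognormvariate(-1.9, 0.6) for _ in range(n)]


def scripted_intervals(n, seed=2):
    """Constructed plain automation: fixed 20 ms gap with tiny jitter."""
    rng = random.Random(seed)
    return [0.020 + rng.uniform(-0.002, 0.002) for _ in range(n)]


def randomised_intervals(n, seed=3):
    """Constructed Herodotus-style stream: random pause before every key."""
    rng = random.Random(seed)
    return [rng.uniform(INJECT_MIN_S, INJECT_MAX_S) for _ in range(n)]


def timing_features(intervals):
    """Coefficient of variation, share of fast gaps, and the shortest gap."""
    mean = statistics.fmean(intervals)
    cv = statistics.pstdev(intervals) / mean
    fast = sum(1 for g in intervals if g < FAST_INTERVAL_S) / len(intervals)
    return {"cv": cv, "fast_fraction": fast, "min_gap": min(intervals)}


def naive_verdict(intervals):
    """Flags only a near-constant cadence; randomised pauses defeat this."""
    if timing_features(intervals)["cv"] < MAX_CV_SCRIPTED:
        return "automated"
    return "human"


def burst_aware_verdict(intervals):
    """Also demands the sub-200 ms bursts real typing has. A stream whose
    every gap is long is flagged even when its variance looks plausible."""
    f = timing_features(intervals)
    if f["cv"] < MAX_CV_SCRIPTED or f["fast_fraction"] < MIN_FAST_FRACTION:
        return "automated"
    return "human"


if __name__ == "__main__":
    streams = (("human", human_intervals(60)),
               ("scripted", scripted_intervals(60)),
               ("randomised", randomised_intervals(60)))
    for name, stream in streams:
        print(f"{name:10s} naive={naive_verdict(stream):9s} "
              f"burst_aware={burst_aware_verdict(stream)}")
```

The point is not that this particular feature is robust: an operator who samples pauses from a human-like distribution instead of a uniform one would pass it too. Production behavioral biometrics combine many signals (key dwell time, touch pressure and area, swipe geometry, device orientation), and the page's broader argument holds: timing heuristics on their own are a brittle control against an attacker who can tune the cadence.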
Kill Chain Progression
Initial Compromise
Description
Victims are tricked into installing Herodotus malware via deceptive apps, enabling initial device access.
MITRE ATT&CK® Techniques
Device Type Discovery
Access Stored Application Data
Deliver Malicious App via Third-party App Stores
Capture Input/Keylogging
Download New Code at Runtime
Abuse Accessibility Features
Obfuscated Files or Information
Masquerade as Legitimate Application
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for User and Administrator Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Continuous Authentication and Session Monitoring
Control ID: Identity Pillar – Continuous Verification
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of this malware, including operational, regulatory, and cloud security risks.
Banking/Mortgage
The Herodotus Android banking trojan directly targets customers of financial institutions through device takeover attacks that imitate human input cadence to evade behavioral biometrics and anti-fraud detection. It does not break fingerprint or face unlock; it operates after the customer has authenticated, inside the legitimate session.
Financial Services
Herodotus trojan exploits mobile banking applications using human-like behavior mimicry, compromising customer accounts and enabling unauthorized financial transactions across service platforms.
Insurance
Mobile insurance applications face credential theft risks from Herodotus malware's device takeover capabilities, threatening policy management systems and customer data integrity.
Telecommunications
Mobile network operators must enhance security controls against Herodotus trojan distribution through SMS campaigns and malicious app installations targeting subscriber devices.
Sources
- New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human: https://thehackernews.com/2025/10/new-android-trojan-herodotus-outsmarts.html
- New Android malware acts like a human to avoid detection: https://www.androidauthority.com/herodotus-android-malware-mimics-human-3611235/
- Herodotus Android Malware Gains Total Device Access, Bypassing Antivirus Defenses: https://cyberpress.org/herodotus-android-malware/
- Android malware uses random text delays to look more human: https://www.theregister.com/2025/10/28/android_malware_randomly_delays_texts/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF and Zero Trust controls such as segmentation, egress enforcement, east-west traffic visibility, and real-time threat detection would restrict C2 and exfiltration paths, detect anomalous behaviors, and contain follow-on activity, limiting the downstream impact of Herodotus. One caveat applies: the trojan itself executes on customers' unmanaged handsets and drives the genuine banking app, so these controls protect the institution's cloud, back-end services and managed endpoints. They complement, rather than replace, in-app fraud detection and transaction-risk controls on the banking side.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous device behaviors are rapidly detected, triggering containment.
Control: Zero Trust Segmentation
Mitigation: Escalated entities are restricted in lateral network movement.
Control: East-West Traffic Security
Mitigation: Unusual lateral or service-to-service flows are blocked and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 and unknown destinations are blocked by policy.
Control: Cloud Firewall (ACF)
Mitigation: Data loss via outbound channels is detected and prevented.
Autonomous enforcement isolates impacted workloads before major harm.
Impact at a Glance
Affected Business Functions
- Online Banking
- Mobile Payments
- Customer Account Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive customer data, including banking credentials and personal information, due to unauthorized access and data exfiltration by the Herodotus malware.
Recommended Actions
Key Takeaways & Next Steps
- Implement real-time anomaly detection to rapidly identify device takeover or unusual user behaviors across cloud endpoints.
- Enforce granular east-west traffic controls and microsegmentation to restrict lateral movement by malware within cloud environments.
- Apply strict egress filtering and DNS/FQDN controls to disrupt C2 channels and block exfiltration attempts.
- Utilize zero trust segmentation and least privilege policies to minimize attacker lateral expansion after initial compromise.
- Deploy centralized threat visibility and automated response to accelerate detection, policy enforcement, and containment.