
"A new Android malware strain, Herodotus, steals credentials, logs keystrokes, streams victims' screens, and hijacks input - but with a twist: it mimics human typing by adding random delays between keystrokes to evade behavioral fraud detection systems. The trojan, named after the ancient Greek Father of History - or Father of Lies - includes pieces of banking malware Brokewell along with original parts, and has been used in device takeover attacks in Italy and Brazil, according to Dutch firm ThreatFabric's mobile threat intelligence team."
"While the researchers haven't seen Herodotus used in any other active campaigns, the threat hunters did obtain overlay pages that mimic legitimate banking and cryptocurrency apps used in the US, UK, Turkey, and Poland. These fake screens overlay the real log-in screen when a user visits a banking app, and this allows the criminals to steal victims' credentials and financial details."
"The malware infects users' devices via side-loading, likely using an SMS phish with a malicious link that includes the dropper, the security researchers wrote in a Tuesday report. This dropper, they note, is also written by K1R0 and, so far, has only been seen distributing Herodotus. After the dropper loads Herodotus, it urges the victim to open Android's accessibility service settings page, which, once enabled, allows the attacker to read, click, and swipe the victim's device screen."
Herodotus is an Android trojan that steals credentials, logs keystrokes, streams victims' screens, and hijacks input while inserting random delays between keystrokes to mimic human typing and evade behavioral fraud detection. The malware reuses Brokewell banking components alongside original code and has been observed in device takeover attacks in Italy and Brazil. Overlay pages impersonate banking and cryptocurrency apps across several countries to harvest login and financial data. Infection is delivered via side-loading, likely through SMS phishing that delivers a dropper; the dropper then asks the victim to enable Android's accessibility service, which lets the operator read, click, and swipe the device screen remotely, and the malware reports the installed packages to a command-and-control server. The developer known as K1R0 sells Herodotus as malware-as-a-service.
Read at The Register