Summary
- The Herodotus trojan pretends to be a banking security module in Brazil, taking control of Android cell phones and stealing data.
- It uses random typing delays to imitate humans, evading detection by antivirus and security systems.
- Herodotus is distributed via phishing and social engineering, creating fake login screens and intercepting sensitive data.
Cybersecurity researchers have identified a new Android banking Trojan called Herodotus. Its peculiarity is that it paces its typing commands with pauses, so as to imitate human behavior and circumvent security mechanisms.
According to cybersecurity company ThreatFabric, Herodotus was seen in active campaigns in Brazil and Italy. It has the ability to take full control of the device, installing other apps and stealing information such as bank passwords and authentication codes.
What is Herodotus?
Herodotus is a Trojan horse malware. It is distributed through SMS phishing and social engineering techniques, which trick the victim into voluntarily downloading the malicious app. In Brazil, it leads the target to believe that it is an app called “Stone Security Module”.
The malware arrives on the cell phone disguised as a Google Chrome package. Once installed, it uses Android’s accessibility features to take control of the device.
As ThreatFabric explains, Herodotus is capable of creating fake login screens in financial apps, stealing user logins and passwords. It can also display opaque screens to hide malicious activity.
And it doesn’t stop there: the malware can intercept everything that is on the screen, which allows it to access two-factor authentication codes and lock passwords, for example. It is also capable of changing system permissions to gain even more power over the device, such as installing other apps remotely.
How does Herodotus bypass security?
One of the most curious aspects of Herodotus is its ability to escape the surveillance of Android and of antivirus tools. To do so, it behaves differently from what is expected of malware.
One such tactic is to insert random delays between actions, for instance during text entry. Between one character and the next, the delay varies between 0.3 and 3 seconds.
If Herodotus entered all the text at once, at high speed, fraud detection tools could more easily detect that malware was carrying out the actions. With the delays, it looks like a human is typing.
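To show, from the defender's side, why the pacing described above defeats a simple speed check, here is an added illustration that is not code from the article, from ThreatFabric or from the malware. It builds two constructed keystroke timelines (one unpaced burst of input, one paced with a uniform random gap in the 0.3 to 3 second range the article reports) and runs a naive "everything typed in under 50 ms" rule over both; the 50 ms threshold and the burst/paced generators are assumptions for the demonstration, not measured values.

```python
"""Defender-side illustration: a typing-speed threshold alone is a weak
automation signal once input is paced. Added example, not from the article."""
import random
import statistics


def burst_timestamps(n: int, gap: float = 0.01) -> list[float]:
    """Constructed timeline of unpaced automation: each character lands ~10 ms
    after the previous one (assumed value, not measured)."""
    return [i * gap for i in range(n)]


def paced_timestamps(n: int, low: float = 0.3, high: float = 3.0,
                     seed: int = 7) -> list[float]:
    """Constructed timeline of paced input: a uniform random delay in
    [low, high] seconds between characters, the range the article reports.
    Deterministic seed so results are reproducible."""
    rng = random.Random(seed)
    t, out = 0.0, [0.0]
    for _ in range(n - 1):
        t += rng.uniform(low, high)
        out.append(t)
    return out


def intervals(timestamps: list[float]) -> list[float]:
    """Inter-keystroke gaps in seconds for a timeline of event timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def interval_summary(timestamps: list[float]) -> dict[str, float]:
    """Min / mean / max gap, the kind of features a fraud engine would log."""
    gaps = intervals(timestamps)
    return {"min": min(gaps), "mean": statistics.fmean(gaps), "max": max(gaps)}


def speed_only_verdict(timestamps: list[float],
                       min_human_gap: float = 0.05) -> str:
    """Naive rule (assumed threshold): flag input as automated only when every
    inter-key gap is below 50 ms. Paced input never trips this rule."""
    gaps = intervals(timestamps)
    if gaps and max(gaps) < min_human_gap:
        return "automated"
    return "looks_human"


if __name__ == "__main__":
    for label, ts in (("burst", burst_timestamps(12)),
                      ("paced", paced_timestamps(12))):
        print(label, speed_only_verdict(ts), interval_summary(ts))
```

The burst timeline is flagged, while the paced timeline, whose every gap sits inside the 0.3 to 3 second window, is passed as human by the speed-only rule. The takeaway for a detection engineer is the one the article makes: a per-keystroke speed threshold is not enough on its own, and the verdict should rest on additional device and session signals rather than on typing cadence alone.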
How to protect yourself?
Some simple behaviors can prevent you from becoming a victim of scams of this type:
- Be wary of messages from unknown senders.
- Be wary of messages that create a sense of urgency, such as supposed high-value purchases, loans, requests for help and very advantageous offers.
- Don’t click on unknown links.
- Do not allow the installation of apps from unknown sources on Android.
- Be wary of apps from the Google Play Store — despite it being a controlled environment, malicious or fake apps can escape the store’s security mechanisms.
With information from The Hacker News and The Register
Source: https://tecnoblog.net/noticias/malware-que-finge-digitar-como-humano-e-usado-em-ataques-no-brasil/
