Herodotus Trojan Mimics Human Typing to Steal Banking Credentials   A newly discovered Android malware, Herodotus, is alarming cybersecurity experts due to its unique ability to imitate human typing. This advanced technique allows the malware to avoid fraud detection systems and secretly steal sensitive financial information from unsuspecting users. According to researchers from Dutch cybersecurity firm ThreatFabric, Herodotus combines elements from older malware families like Brokewell with newly written code, creating a hybrid trojan that is both deceptive and technically refined. The malware’s capabilities include logging keystrokes, recording screen activity, capturing biometric data, and hijacking user inputs in real time. How users get infected Herodotus spreads mainly through side-loading, a process where users install applications from outside the official Google Play Store. Attackers are believed to use SMS phishing (smishing) campaigns that send malicious links disguised as legitimate messages. Clicking on these links downloads a small installer, also known as a dropper, that delivers the actual malware to the device. Once installed, the malware prompts victims to enable Android Accessibility Services, claiming it is required for app functionality. However, this permission gives the attacker total control,  allowing them to read content on the screen, click buttons, swipe, and interact with any open application as if they were the device owner. The attack mechanism After the infection, Herodotus collects a list of all installed apps and sends it to its command-and-control (C2) server. Based on this data, the operator pushes overlay pages, fake screens designed to look identical to genuine banking or cryptocurrency apps. When users open their actual financial apps, these overlays appear on top, tricking victims into entering login details, card numbers, and PINs. The malware can also intercept one-time passwords (OTPs) sent via SMS, record keystrokes, and even stream live footage of the victim’s screen. With these capabilities, attackers can execute full-scale device takeover attacks, giving them unrestricted access to the user’s financial accounts. The human-like typing trick What sets Herodotus apart is its behavioral deception technique. To appear human during remote-control sessions, the malware adds random time delays between keystrokes, ranging from 0.3 to 3 seconds. This mimics natural human typing speed instead of the instant input patterns of automated tools. Fraud detection systems that rely solely on input timing often fail to recognize these attacks because the malware’s simulated typing appears authentic. Analysts warn that as Herodotus continues to evolve, it may become even harder for traditional detection tools to identify. Active regions and underground sale ThreatFabric reports that the malware has already been used in Italy and Brazil, disguising itself as apps named “Banca Sicura” and “Modulo Seguranca Stone.” Researchers also found fake login pages imitating popular banking and cryptocurrency platforms in the United States, United Kingdom, Turkey, and Poland. The malware’s developer, who goes by the alias “K1R0” on underground forums, began offering Herodotus as a Malware-as-a-Service (MaaS) product in September. This means other cybercriminals can rent or purchase it for use in their own campaigns, further increasing the likelihood of global spread. Google confirmed that Play Protect already blocks known versions of Herodotus. Users can stay protected by avoiding unofficial downloads, ignoring links in unexpected text messages, and keeping Play Protect active. It is also crucial to avoid granting Accessibility permissions unless an app’s legitimacy is verified. Security professionals advise enabling stronger authentication methods, such as app-based verification instead of SMS-based codes, and keeping both system and app software regularly updated.

Herodotus Trojan Mimics Human Typing to Steal Banking Credentials #Android #AndroidTrojans #Banking

Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment

iT4iNT SERVER Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data VDS VPS Cloud #Cybersecurity #Malware #AndroidTrojans #BankBotYNRK #DeliveryRAT

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks  Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware.  The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions.  Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims. A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder.  The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals.  Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware.  The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks #Android #AndroidBankingTrojan #AndroidTrojans