Protect Yourself from Herodotus Android Malware that Simulates Typing to Avoid Detection

The emergence of Herodotus, a recently identified Android malware, has raised significant concerns in the realm of cybersecurity. This malware operates under the model of malware-as-a-service (MaaS), enabling malicious actors to develop and deploy it with relative ease. Utilizing deceptive strategies, Herodotus can mislead users and circumvent various security measures, posing a serious threat to device integrity. In this article, we will delve into the functioning of Herodotus, how it infiltrates devices, and crucial steps to safeguard your digital life.

Understanding How Herodotus Functions

Herodotus is a unique malware creation that integrates features from the infamous Brokewell while introducing its own sophisticated techniques. Distribution methods primarily include SMiShing attacks and rogue web pages that encourage users to sideload the app.

Upon installation, the malware prompts users to enable the Accessibility Service, steering them directly to their device’s settings. This overlay allows Herodotus to execute its malicious tasks, primarily focused on draining bank accounts.

Following activation, it receives tailored commands to open specific applications, intercept two-factor authentication (2FA) SMS messages, fill in forms automatically, and manipulate device input through taps and gestures.

Remarkably, Herodotus mimics natural human typing by introducing random delays of 0.3 to 3 seconds when entering text. This tactic helps it evade detection by behavioral monitoring mechanisms that many apps deploy, making it challenging for standard security solutions to identify the threat. With its availability as a MaaS offering, multiple users can access and utilize it, with reports already indicating seven distinct instances of Herodotus in action.

Preventing Infections by Herodotus

Your first line of defense against Herodotus malware is awareness and caution. As a banking trojan, it masquerades as legitimate applications to persuade users to download it. Exercise extreme caution with links received via SMS or unexpected browser prompts that urge app installation, regardless of whether they purport to be security updates or other essential apps.

Legitimate sources will not request you to sideload applications, as updates typically do not require this. Always obtain apps from the Google Play Store or other trusted repositories, especially when the solicitation seems unsolicited or unusual.

A request to activate the Accessibility Service should raise immediate alarms. Granting this permission allows the malware to observe and manipulate screen content, giving hackers the ability to commandeer your device.

Additionally, ensure that Google Play Protect is enabled within the store, as this feature automatically identifies and disables harmful applications. To check the status, navigate to the Play Store, click on Play Protect in the main menu, and confirm it is active.

Identifying Signs of Herodotus Infection

Due to its elevated access privileges and capabilities to disrupt behavioral tracking, detecting Herodotus may be challenging for average security software. Should you suspect that your Android device may be compromised, look for the following warning signs:

If you encounter a suspicious full-screen prompt urging you to wait, particularly when launching sensitive applications such as banking apps, it could indicate malware activity.
Unknown Apps with Accessibility Permissions: Access permissions should only be granted to trusted applications. Check Settings → Accessibility → Downloaded Apps for unfamiliar entries.

Unexpected SMS Activity: If you begin receiving 2FA SMS messages that you do not recognize, or if they multiply unexpectedly, your device may have been compromised by Herodotus.
Increased Resource Usage: This malware operates numerous background processes that can lead to abnormal battery drain or sluggish performance. Examine Settings → Battery to identify any unfamiliar apps consuming excessive power.

Battery Drain graph showing drain of apps

Steps to Take if Your Device is Infected

Should you confirm that your device is infected with Herodotus, immediately switch your phone to Airplane mode, and follow these essential steps:

Uninstall the Malicious App

Your priority must be to remove the malware. Given its elevated permissions, traditional uninstallation processes may not suffice. If you struggle to uninstall, revisit the Accessibility settings to revoke its permissions.

Furthermore, navigate to Settings → Privacy Protection → Special Permissions to ensure the malware lacks Device Admin or Display over other apps privileges. Booting your device in Android Safe Mode can also facilitate the removal process.

list of Special Permissions in Android Settings

Secure Your Online Accounts

From a secure device, promptly change the passwords for any accounts accessed on the compromised device, particularly banking credentials. Whenever possible, utilize an authenticator app for 2FA and revoke any active sessions via the security settings of your online services. If you detect unauthorized transactions, inform your financial institution immediately.

Perform a Comprehensive Security Scan

After uninstalling the harmful app, it is vital to conduct a security scan to ensure all traces of malware are eradicated. Start by accessing Play Protect in the Google Play Store, as previously mentioned, to perform a scan. Subsequently, consider downloading a trusted antivirus application, such as Avast Antivirus & Security, to execute a full system examination.

For an additional layer of protection against Herodotus, backing up your essential data and performing a factory reset can be prudent measures.

Preventing malware like Herodotus largely hinges on obtaining applications solely from the Google Play Store and refraining from sideloading. Nevertheless, even applications from reputable sources may be compromised, so enabling all available Android security features is crucial for optimal safeguarding.

Source&Images