
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What it is: Herodotus is a new Android banking Trojan (Malware-as-a-Service by actor “K1R0”) focused on Device Takeover and credential theft. It blends Brokewell components with original code and introduces a notable anti-detection technique: human-like, per-character text entry with randomized delays.


Infection chain: Distributed via sideloading, typically after SMiShing to a malicious link hosting a dedicated dropper (written by the same develope...

🔧 Technical Details

Accessibility-driven device takeover: Abuse Android Accessibility to enumerate UI nodes (HVNCA11Y), click by selector (CLICKELEMENT, CLICKTXT, CLICKDESC, CLICKHINT) or coordinates (TAP/SWIPE), and execute global actions (Back/Home/Recents). For reliable data entry, inject values directly into target nodes via ACTION_SET_TEXT (sendText1) or clipboard paste (sendText2) to avoid keyboard errors and ensure exact placement.


Human-like text cadence to evade behavior biometrics: Split the payload string into characters and inject each as a discrete event with a randomized 300–3000 ms delay, simulating keystroke rhythm. This degrades simple automation detectors reliant on input speed alone and is toggled by an operator option (e.g., “Delayed text”) in the control panel.


Blocking overlays to conceal f...

🤖 Agent Actions

I analyzed the ThreatFabric post on Herodotus and explored the repository to find the best place to incorporate its technical techniques. The ideal location was indeed the existing page:

  • src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md

I read multiple relevant files to ensure there wasn’t already overlapping coverage and to match HackTricks style/structure:

  • src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
  • src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
  • src/generic-methodologies-and-resources/phishing-methodology/README.md
  • src/mobile-pentesting/android-app-pentesting/tapjacking.md
  • src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md

What was missing and added:

  • The page already covered Android Accessibility abuse, overlays, ATS automation, and various delivery chains. However, it did not document Herodotus’ notable anti-detection technique: human-like per-character text delivery with randomized delays (0.3–3.0 s), nor the explicit dual text-injection modes (ACTION_SET_TEXT vs clipboard + paste) used to avoid keyboard/IME paths and ensure accurate placement. It also didn’t include the practical detection heuristics around repeated ACTION_SET_TEXT/ACTION_PASTE at human-like cadence and operator overlay blocking controls.
  • I added a concise, technical subsection “Accessibility-driven ATS anti-detection: human-like text cadence and dual text injection (Herodotus)” that:
    • Abstracts the technique (discovery enumeration of UI nodes; two text injection modes; randomized per-character delays).
    • Includes an expandable Java sketch showing:
      • Discovery of on-screen elements with bounds (HVNCA11Y-like).
      • Mode 1: progressively setting text with ACTION_SET_TEXT using randomized 300–3000 ms inter-keystroke delays.
      • Mode 2: per-char clipboard + ACTION_PASTE with the same randomized delays.
    • Shows a minimal overlay with adjustable alpha using TYPE_ACCESSIBILITY_OVERLAY and references typical operator commands (opacityOverlay/sendOverlayLoading/removeOverlay).
    • Provides focused detection heuristics for this tradecraft (repeated ACTION_SET_TEXT/ACTION_PASTE at human-like cadence without IME events; overlay active on top of banking apps; sideloaded app opening Accessibility settings).
  • I also appended the ThreatFabric Herodotus blog link to the References.

Repository change:

  • Modified file: src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
    • Added the new Herodotus-focused technique section just before the References.
    • Appended to References:
      • New Android Malware Herodotus Mimics Human Behaviour to Evade Detection (ThreatFabric)

No additional files were created or modified. The update keeps the content concise, highly technical, and consistent with HackTricks’ structure and style.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 906
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
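A defender-side illustration of the detection heuristic the summary above names (repeated ACTION_SET_TEXT/ACTION_PASTE at human-like cadence with no IME events in between). This is an added example, not code from this PR, the HackTricks page or the ThreatFabric post; the log format, package names and event names are constructed, and the 300–3000 ms window comes from the text above.

```python
import re
from datetime import datetime
# Constructed sample event log (not from the page or any real device); assumed format.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000 pkg=com.example.sideloaded event=ACTION_SET_TEXT len=1
2024-05-01T10:00:00.850 pkg=com.example.sideloaded event=ACTION_SET_TEXT len=2
2024-05-01T10:00:02.300 pkg=com.example.sideloaded event=ACTION_SET_TEXT len=3
2024-05-01T10:00:03.100 pkg=com.example.sideloaded event=ACTION_SET_TEXT len=4
2024-05-01T10:01:00.000 pkg=com.android.inputmethod event=IME_COMMIT len=1
2024-05-01T10:02:00.000 pkg=com.example.automation event=ACTION_SET_TEXT len=1
2024-05-01T10:02:00.005 pkg=com.example.automation event=ACTION_SET_TEXT len=2
2024-05-01T10:02:00.010 pkg=com.example.automation event=ACTION_SET_TEXT len=3
2024-05-01T10:02:00.015 pkg=com.example.automation event=ACTION_SET_TEXT len=4
"""

LINE_RE = re.compile(r"^(\S+) pkg=(\S+) event=(\S+) len=(\d+)$")
INJECT_EVENTS = {"ACTION_SET_TEXT", "ACTION_PASTE"}  # the two Herodotus injection modes
MIN_GAP_MS, MAX_GAP_MS = 300, 3000  # the Trojan's randomized per-character delay window
MIN_RUN = 4                         # per-character events needed before flagging


def parse(log):
    """Yield (timestamp, package, event, text_length) for well-formed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def classify_injection_runs(log):
    """A run is consecutive ACTION_SET_TEXT/ACTION_PASTE events from one package whose
    text grows by one character each time, with no IME event in between (keyboard path
    bypassed). Returns {package: verdict} for runs of at least MIN_RUN events."""
    verdicts = {}
    run = None  # (pkg, last_ts, last_len, inter-event gaps in ms)
    for ts, pkg, event, length in parse(log):
        if event not in INJECT_EVENTS:
            run = None  # a genuine IME/keyboard event breaks the injection run
            continue
        if run and run[0] == pkg and length == run[2] + 1:
            gaps = run[3] + [(ts - run[1]).total_seconds() * 1000]
        else:
            gaps = []  # new run: different package or non-incremental text
        run = (pkg, ts, length, gaps)
        if len(gaps) + 1 >= MIN_RUN:
            if all(MIN_GAP_MS <= g <= MAX_GAP_MS for g in gaps):
                verdicts[pkg] = "human_like_cadence"  # speed-only detectors miss this
            elif all(g < MIN_GAP_MS for g in gaps):
                verdicts[pkg] = "machine_speed"  # classic automation signature
    return verdicts
```

The point of the two sample runs is that a detector keyed on input speed alone only catches the second package; the first is caught because the per-character growth arrives through the accessibility action path without any IME event.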

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.threatfabric.com/blogs/new-android-malware-herodotus-mimics-human-behaviour-to-evade-detection

Content Categories: Based on the analysis, this content was categorized under "generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md".

Repository Maintenance:

  • MD Files Formatting: 906 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
