Android OS has come a long way, bringing some of the most advanced protection to mobile devices. However, the operating system is not the only thing evolving; so are the threats and attacks targeting it. A new malware strain is making headlines for being harder to detect, and millions of users are now being warned.

ThreatFabric, a Dutch mobile threat intelligence team, is alerting Android users about a new malware called Herodotus, which has recently been advertised by bad actors on underground platforms and channels.

Herodotus is believed to borrow elements from the well-known banking malware Brokewell, which is notorious for stealing credentials and spying on users. Brokewell has previously been used in campaigns across Italy and Brazil.

Malware That Acts Like a Human

What makes Herodotus particularly dangerous is its ability to mimic human typing behavior. According to ThreatFabric, it introduces delays ranging from 0.3 to 3 seconds between actions during typing, unlike the predictable patterns of automated malware. This human-like behavior makes it harder for on-device and software-based security tools to detect, allowing the malware to maintain prolonged access to compromised devices.
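An added illustration (not from ThreatFabric or the original article) of why randomized delays slip past a simple cadence check, and what a distribution-based check sees instead. It assumes the delays are spread evenly over the reported 0.3 to 3 second range; the timing data, the human typing model, the thresholds and the function names are all constructed for this example.

```python
import math
import random
import statistics

LO, HI = 0.3, 3.0  # delay range reported for Herodotus, in seconds

def constant_cadence(gaps, cv_max=0.1):
    """Naive check: flag input whose gaps barely vary (fixed-rate injection)."""
    return statistics.pstdev(gaps) / statistics.mean(gaps) < cv_max

def ks_distance_to_uniform(gaps, lo=LO, hi=HI):
    """Kolmogorov-Smirnov distance between the gaps and Uniform(lo, hi)."""
    xs = sorted(gaps)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs, start=1):
        cdf = min(max((x - lo) / (hi - lo), 0.0), 1.0)
        d = max(d, i / n - cdf, cdf - (i - 1) / n)
    return d

def looks_randomized(gaps, d_max=0.15):
    """Flag gaps that fit a flat spread over the reported range."""
    return len(gaps) >= 50 and ks_distance_to_uniform(gaps) < d_max

def sample_sessions(n=300, seed=7):
    """Constructed timing data: seconds between consecutive key events."""
    rng = random.Random(seed)
    return {
        "fixed_rate": [0.05 + rng.uniform(-0.002, 0.002) for _ in range(n)],
        "randomized": [rng.uniform(LO, HI) for _ in range(n)],
        # Assumption: human gaps modelled as log-normal, median 0.18 s.
        "human_model": [rng.lognormvariate(math.log(0.18), 0.5) for _ in range(n)],
    }

def classify(sessions):
    """Map session name -> (constant_cadence flag, looks_randomized flag)."""
    return {name: (constant_cadence(g), looks_randomized(g))
            for name, g in sessions.items()}

if __name__ == "__main__":
    for name, flags in classify(sample_sessions()).items():
        print(f"{name:12s} constant_cadence={flags[0]} looks_randomized={flags[1]}")
```

The cadence check treats the randomized session the same as the human model, while the distribution check separates them because the modelled human gaps mostly fall below the 0.3 second floor.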

As with other advanced spyware, attackers typically trick victims into installing the malware through phishing links sent via SMS or group chats on platforms like Telegram.

Once installed, the app prompts users to grant access by modifying settings on the accessibility page. From there, the malware gains full control of the device and begins spying on screen activity, logging sensitive information such as passwords, security PINs, and cryptographic keys used in financial and cryptocurrency apps. Once a device is compromised, attackers can use this data to siphon funds from accounts.

ThreatFabric also revealed that attackers have deployed malicious websites with fake login screens in countries including Poland, Turkey, the UK, and the USA. These sites capture user credentials upon entry. The developer behind Herodotus is reportedly continuing to refine the malware, and future campaigns are expected to evolve in complexity.

How to Protect Your Android Device

Although there are no confirmed campaigns actively using Herodotus at the moment, Android users are advised to take precautions to protect their devices and data.

One of the most effective steps is to be cautious about what you click. Avoid installing third-party apps, even if they appear legitimate. Stick to downloading apps from the Google Play Store, and always verify that the publisher is reputable.

It’s also important to keep your apps and operating system updated to the latest version. During active threats, Android’s Advanced Device Protection tools should be enabled for added security.

What other tips would you recommend to reduce the risk of these attacks? We’d love to hear your suggestions.
