Copyright forbes
Beware this humanized password stealer. SOPA Images/LightRocket via Getty Images Well, it’s been quite the week or so for Google users. What with the news that Gmail passwords were confirmed as being included as part of a 183 million credentials infostealer log, two emergency security updates for Chrome, and an announcement of a wait until October 2026 for HTTPS by default for Chrome browser users as well. Now, harking back to credential-stealers once more, comes the confirmation of a new threat to Android users in the shape of the Herodotus malware that can bypass biometric detection by mimicking human behavior. Here’s what you need to know. ForbesUpdate Now As Microsoft Confirms New Windows Admin ProtectionBy Davey Winder The Android User Threat Posed By Herodotus Newly published research from mobile threat intelligence specialists ThreatFabric has confirmed that a nasty piece of Android malware called Herodotus can mimic human typing and other behaviors to steal passwords and financial credentials while bypassing biometric detection protections. “During routine monitoring of malicious distribution channels,” the ThreatFabric report stated, “the Mobile Threat Intelligence service discovered unknown malicious samples.” These turned out to be a new Android banking trojan by the name of Herodotus which, the analysts said, introduces “groundbreaking techniques to evade detection systems,” to the mobile threat landscape. This is no idea threat or research that is confined to security research labs, either. Active attack campaigns have already been identified in Brazil and Italy, and there is no reason to suspect they will not spread further afield as the malware-as-a-service offering is currently being marketed on underground cybercriminal forums. MORE FOR YOU What flags Herodotus as being different to other banking trojans, the report warned, is the ability to mimic human behaviour during remote control sessions. “The trojan deploys fake credential-harvesting screens over legitimate banking applications,” ThreatFabric said, “capturing login credentials and two-factor authentication codes through SMS interception.” But the text input automation during an attack employs “a novel technique where operator-specified text is split into individual characters, with each character set separately at randomized intervals.” This human-like typing, with random delays of set text events of between 300 to 3000 milliseconds between character input, can evade those biometric protection systems that measure such typing timing. “Android malware containing delays in input is not in itself uncommon,” Aditya Sood, vice-president of Security Engineering at Aryaka, told me, “as they’re typically implemented to allow targeted app UIs to respond to inputs.” But Sood warned that the random nature of the delays, in both frequency and duration, is problematic. “This is a novel technique, and while it's still under development, successful Brazilian and Italian phishing campaigns exemplify its dangerous potential.” ForbesPayPal Users Warned ‘Do Not Pay, Do Not Phone’ As Attackers StrikeBy Davey Winder Editorial StandardsReprints & Permissions
