- Herodotus malware mimics human typing to avoid timing-based antivirus detection
- Spread via SMS phishing, it installs silently using fake screens and bypassing permissions
- Researchers urge Android users to use Play Protect and avoid unofficial app sources
One of the ways mobile antivirus programs detect malicious activity is through so-called “timing-based” detections.
When malware seeks to grant itself various Android permissions, download apps, or perform other activities (such as tapping, swiping, or scrolling), it does so in an automated, robotic manner, unlike humans, who would normally have uneven intervals and various pauses.
Antivirus programs can detect these unusual behavior patterns and through them identify potential malware. But not with Herodotus.
Herodotus
Security researchers at Threat Fabric recently discovered a brand new Android malware, named after the famous Greek historian, which includes a ‘humanizer’ mechanism for text input.
This mechanism generates random delays in activity ranging from 0.3 to 3 seconds, similar to how an actual human would type.
“Such randomization of delay between text input events is consistent with how a user would enter text,” Threat Fabric said in its report. “By intentionally delaying the input at random intervals, actors are likely trying to avoid detection by behavioral anti-fraud solutions that mock machine-like speed of text input.”
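To make the timing-based detection described above concrete, here is a small added example (not code from the article or from Threat Fabric) of the kind of inter-event interval check a behavioral anti-fraud component might run. It computes the gaps between text-input events and flags a session as machine-like when those gaps are nearly uniform (low coefficient of variation). The three event logs are constructed for illustration: fixed 50 ms gaps, uneven human-style gaps, and gaps randomized between 0.3 and 3 seconds as the report describes. The threshold value is an assumption chosen for the demo, not a figure from the page.

```python
import statistics
from typing import List, Sequence

# Constructed sample event logs: milliseconds since the start of a text-entry session.
# These values are made up for the example and are not data from the Threat Fabric report.
ROBOTIC = [0, 50, 100, 150, 200, 250, 300, 350, 400, 450]                # fixed 50 ms gaps
HUMAN = [0, 180, 420, 510, 900, 1050, 1600, 1720, 2300, 2450]            # uneven gaps and pauses
HUMANIZED = [0, 800, 2900, 3300, 5700, 7100, 7600, 10400, 11000, 13900]  # random 0.3 s to 3 s gaps


def inter_event_intervals(timestamps: Sequence[int]) -> List[int]:
    """Return the gap (ms) between each consecutive pair of input events."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def coefficient_of_variation(intervals: Sequence[float]) -> float:
    """Standard deviation divided by mean: ~0 for perfectly regular input, larger for uneven input."""
    if len(intervals) < 2:
        raise ValueError("need at least two intervals to measure variation")
    mean = statistics.mean(intervals)
    if mean == 0:
        return 0.0
    return statistics.stdev(intervals) / mean


def is_machine_like(timestamps: Sequence[int], cv_threshold: float = 0.2) -> bool:
    """Naive timing-based check: flag input whose gaps are too regular to be human.

    cv_threshold is an assumed demo value. Human typing produces uneven gaps (high CV);
    scripted input with a fixed delay produces a CV near zero.
    """
    intervals = inter_event_intervals(timestamps)
    if len(intervals) < 2:
        return False  # too few events to judge
    return coefficient_of_variation(intervals) < cv_threshold


def timing_report(timestamps: Sequence[int]) -> dict:
    """Summarise the interval statistics a defender would log alongside the verdict."""
    intervals = inter_event_intervals(timestamps)
    return {
        "events": len(timestamps),
        "min_gap_ms": min(intervals),
        "max_gap_ms": max(intervals),
        "cv": round(coefficient_of_variation(intervals), 3),
        "machine_like": is_machine_like(timestamps),
    }


if __name__ == "__main__":
    for name, log in (("robotic", ROBOTIC), ("human", HUMAN), ("humanized", HUMANIZED)):
        print(name, timing_report(log))
```

Running it shows the fixed-delay session flagged and the human session passed, but the session with delays randomized between 0.3 and 3 seconds also passes: a detector that only looks at interval regularity is exactly what the ‘humanizer’ is built to defeat, which is why the article's advice centres on preventing installation (Play Protect, official app sources, revoking risky permissions) rather than on catching the input pattern after the fact.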
Herodotus is currently offered to cybercriminals as a malware-as-a-service (MaaS) and, although still in development, is also in active use.
Some Italian and Brazilian Android users were already infected, Threat Fabric warned, saying the attacks started through SMS phishing (smishing).
In the SMS, the victim receives a link to a custom dropper that installs the primary payload and attempts to bypass access permission restrictions. If successful, it shows the victim a fake loading screen while installing the malware in the background.
The researchers say that several threat actors are currently using Herodotus’ services and encourage Android users to only download apps from reputable sources (for example, the Play Store). Additionally, they encourage users to enable Play Protect and revoke risky permissions for recently installed apps.
Via Bleeping Computer