- Herodotus malware mimics human typing to evade timing-based antivirus detection
- Spread via SMS phishing, it installs silently using fake screens and permission bypass
- Researchers urge Android users to use Play Protect and avoid non-official app sources
One of the ways mobile antivirus programs spot malicious activity is through so-called “timing-based” detections.
When malware seeks to grant itself different Android permissions, download apps, or do other activities (such as tapping, swiping, or scrolling), it does so in an automated, robotic way, unlike humans who would normally have uneven intervals and different pauses.
Antivirus programs can spot these unusual behavior patterns and through them identify potential malware. Not with Herodotus, though.
Herodotus
Security researchers Threat Fabric recently discovered a brand new Android malware, named after the famous Greek historian, that includes a ‘humanizer’ mechanism for text input.
That mechanism generates random delays in activity, ranging from 0.3 to 3 seconds, similar to how an actual human would type.
“Such a randomization of delay between text input events does align with how a user would input text,” Threat Fabric said in its report. “By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions spotting machine-like speed of text input.”
Herodotus is currently being offered to cybercriminals as a malware-as-a-service (MaaS), and although it’s still under development, it is also in active use.
Certain Italian and Brazilian Android users were already infected, Threat Fabric warned, saying the attacks started through SMS phishing (smishing).
In the SMS, the victim is given a link to a custom dropper that installs the primary payload and tries to bypass Accessibility permission restrictions. If it succeeds, it shows the victim a fake loading screen while it installs the malware in the background.
The researchers are saying that multiple threat actors are currently using Herodotus’ services, and are urging Android users to only download apps from reputable sources (the Play Store, for example). Furthermore, they urge users to activate Play Protect and revoke risky permissions for newly installed apps.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
