Saved February 14, 2026
Do you care about this?
The Herodotus malware family targets Android devices and uses random delays between keystrokes to imitate human typing, making it harder for security software to detect. Currently distributed through SMS phishing, it can bypass Android's Accessibility restrictions and interact with the user interface to steal sensitive information. Experts warn Android users to be cautious about app permissions and avoid downloading apps from untrusted sources.
If you do, here's more
Herodotus is a new family of Android malware that cleverly imitates human typing patterns to avoid detection by security software. It achieves this through a mechanism that introduces random delays of 0.3 to 3 seconds between keystrokes, making its actions appear more human-like. This malware, offered as a malware-as-a-service (MaaS), is linked to the same cybercriminals behind Brokewell and is currently targeting users in Italy and Brazil via SMS phishing, or smishing.
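A defender-side check for the timing pattern described above, as an added example that is not part of the original article or of any vendor's detection logic: it tests whether a session's inter-key gaps fill the reported 0.3 to 3 second range evenly. It assumes the delays are drawn uniformly and that human typing is either faster or more tightly clustered; the function names, thresholds and sample sessions are constructed for illustration.

```python
import math

LOW, HIGH = 0.3, 3.0  # delay range reported in the article, in seconds


def ks_uniform(gaps, low=LOW, high=HIGH):
    """Kolmogorov-Smirnov distance between gaps and Uniform(low, high)."""
    xs = sorted(gaps)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        cdf = min(max((x - low) / (high - low), 0.0), 1.0)
        d = max(d, (i + 1) / n - cdf, cdf - i / n)
    return d


def looks_scripted(gaps, min_gaps=30):
    """True when inter-key gaps fit the reported 0.3-3 s random-delay pattern."""
    if len(gaps) < min_gaps:
        return False  # too few keystrokes to judge
    in_range = sum(LOW <= g <= HIGH for g in gaps) / len(gaps)
    # Assumption: delays are drawn uniformly; 1.63/sqrt(n) is the asymptotic
    # KS critical value at alpha = 0.01.
    return in_range >= 0.95 and ks_uniform(gaps) < 1.63 / math.sqrt(len(gaps))


def spread(n, lo, hi):
    """Constructed sample: n gaps spread evenly over [lo, hi) in mixed order."""
    return [lo + (hi - lo) * ((i * 0.618034) % 1.0) for i in range(n)]


# Constructed sessions (not captured data).
SCRIPTED = spread(200, LOW, HIGH)      # delays filling the whole 0.3-3 s range
FAST_HUMAN = spread(200, 0.09, 0.25)   # assumed fluent typist, mostly < 0.3 s
SLOW_HUMAN = spread(200, 0.40, 0.90)   # assumed slow typist, in range but clustered

if __name__ == "__main__":
    for name, s in [("scripted", SCRIPTED), ("fast", FAST_HUMAN), ("slow", SLOW_HUMAN)]:
        print(f"{name:8s} D={ks_uniform(s):.3f} flagged={looks_scripted(s)}")
```

This is a single timing signal that only matches the delay range stated in the article, so it belongs alongside other indicators such as which Accessibility service is driving the input.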
Once a victim clicks on a malicious link in a phishing text, a custom dropper installs the malware by bypassing Accessibility restrictions in Android 13 and later versions. The dropper tricks users into granting permissions by showing a fake loading screen while it operates in the background. With these permissions, Herodotus can interact with the device's user interface, execute commands, and capture sensitive information. Its capabilities also include creating custom SMS texts, displaying overlay pages that mimic legitimate banking apps to steal credentials, and intercepting two-factor authentication codes.
ThreatFabric has identified multiple subdomains linked to the Herodotus malware, indicating a growing operational presence. For Android users, the recommended precautions include avoiding APK downloads from untrusted sources and keeping Google Play Protect enabled. It's also crucial to review and revoke unnecessary permissions for new apps, especially Accessibility permissions, to minimize the risk of infection.