Concise Cyber

New ‘Herodotus’ Android Trojan Bypasses Biometrics with Human-like Behavior

Cybersecurity researchers have disclosed details of a new Android banking trojan named Herodotus, which has been identified in active campaigns targeting mobile device users in Italy and Brazil. The malware is designed to execute device takeover (DTO) attacks. The Dutch security company ThreatFabric released a report on October 28, 2025, detailing the trojan’s advanced capabilities.

A key feature of Herodotus is its design to outsmart anti-fraud systems by mimicking human interaction. In its report, ThreatFabric stated, “Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection.” This allows the malware to perform actions on the infected device that appear legitimate to security systems that analyze user behavior patterns to detect fraud.

Herodotus Capabilities and Distribution

The Herodotus trojan was first advertised on underground forums on September 7, 2025, as part of a malware-as-a-service (MaaS) model. This distribution method allows various threat actors to rent and deploy the malware in their own campaigns. According to its advertisement, Herodotus is built to run on a wide range of Android devices, supporting operating system versions from 9 to 16. Its primary function is to gain full control over a compromised device, enabling attackers to access sensitive financial information and applications.

Connections to the Brokewell Malware

Analysis has revealed that while Herodotus is a new strain, it incorporates elements from another banking malware known as Brokewell. It is assessed that Herodotus is not a direct evolution of Brokewell but has borrowed certain components. The similarities identified by researchers include the obfuscation techniques used to hide the malicious code. Furthermore, direct code references to Brokewell, such as notations like “BRKWL_…”, were found within Herodotus, confirming that its developers leveraged parts of the older malware to create the new trojan.

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and the owners and publishers at cyberconcise.com cannot be held accountable for the resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
