Talk about geriatric - This devious Android malware escapes detection by typing like an old person


  • Herodotus malware mimics human typing to evade timing-based antivirus detection
  • Spread via SMS phishing, it installs silently using fake screens and permission bypass
  • Researchers urge Android users to use Play Protect and avoid non-official app sources

One of the ways mobile antivirus programs spot malicious activity is through so-called “timing-based” detections.

When malware seeks to grant itself different Android permissions, download apps, or perform other activities (such as tapping, swiping, or scrolling), it does so in an automated, robotic way, whereas a human would normally act with uneven intervals and varying pauses.

Antivirus programs can spot these unnaturally regular behavior patterns and use them to identify potential malware. Not with Herodotus, though.

Herodotus

Security researchers at Threat Fabric recently discovered a brand-new Android malware, named after the famous Greek historian, that includes a ‘humanizer’ mechanism for text input.

That mechanism generates random delays in activity, ranging from 0.3 to 3 seconds, similar to how an actual human would type.

"Such a randomization of delay between text input events does align with how a user would input text," Threat Fabric said in its report. "By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions spotting machine-like speed of text input."
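To make the detection gap concrete, here is an added example (not Threat Fabric's detector or anything from the Herodotus report) of a toy timing-based check of the kind the article describes: it flags text input that is either too fast or too regular for a person. Run over three constructed traces, it catches fixed-interval scripted input but passes both ordinary uneven typing and input jittered in the 0.3 to 3 second range the article quotes; the thresholds are assumptions.

```python
"""Toy timing-based input check (added example). Thresholds are assumptions."""
from statistics import mean, median, pstdev

MAX_MACHINE_MEDIAN_MS = 100   # assumption: people rarely sustain <100 ms per event
MIN_HUMAN_CV = 0.05           # assumption: near-constant gaps look scripted

def intervals(timestamps_ms):
    """Gaps between consecutive text-input events, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]

def timing_features(timestamps_ms):
    """Median gap and coefficient of variation (spread relative to the mean)."""
    gaps = intervals(timestamps_ms)
    m = mean(gaps)
    return {
        "median_ms": median(gaps),
        "cv": pstdev(gaps) / m if m else 0.0,
    }

def is_machine_like(timestamps_ms):
    """True when input is too fast or too evenly spaced for a human typist."""
    f = timing_features(timestamps_ms)
    return f["median_ms"] < MAX_MACHINE_MEDIAN_MS or f["cv"] < MIN_HUMAN_CV

def from_gaps(gaps_ms):
    """Turn a list of gaps into absolute event timestamps (for constructed data)."""
    ts = [0]
    for g in gaps_ms:
        ts.append(ts[-1] + g)
    return ts

# Constructed traces, not captured data.
ROBOTIC = from_gaps([40] * 8)                                        # fixed 40 ms gaps
HUMAN = from_gaps([180, 95, 240, 610, 120, 150, 300, 90])            # uneven typing
HUMANIZED = from_gaps([412, 2870, 1103, 655, 1940, 330, 2501, 870])  # 0.3-3 s jitter

if __name__ == "__main__":
    for name, trace in [("robotic", ROBOTIC), ("human", HUMAN), ("humanized", HUMANIZED)]:
        print(f"{name:10s} machine_like={is_machine_like(trace)} {timing_features(trace)}")
```

Only the robotic trace is flagged; speed and regularity alone cannot separate the jittered trace from a real user, which is why the researchers describe this as a bypass of behaviour-only checks.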

Herodotus is currently being offered to cybercriminals as a malware-as-a-service (MaaS), and although it’s still under development, it is also in active use.

Certain Italian and Brazilian Android users were already infected, Threat Fabric warned, saying the attacks started through SMS phishing (smishing).

In the SMS, the victim is given a link to a custom dropper that installs the primary payload and tries to bypass Accessibility permission restrictions. If it succeeds, it shows the victim a fake loading screen while it installs the malware in the background.

The researchers say that multiple threat actors are currently using Herodotus’ services, and are urging Android users to only download apps from reputable sources (the Play Store, for example). Furthermore, they urge users to activate Play Protect and revoke risky permissions for newly installed apps.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.