All about the malware-Herodotus

Found alongside Hook and Octo during routine monitoring, the samples more closely resemble Brokewell but include original code for advanced evasion. Active campaigns target users in Italy and Brazil, and the malware is being sold as Malware-as-a-Service by a threat actor named K1R0.

ThreatFabric found Herodotus follows modern banking-trojan trends but adds human-like remote-control input to evade behavioral biometric detection.

Herodotus begins with side-loading often delivered through SMiShing links that lure victims to malicious downloads. A custom dropper circumvents Android 13+ Accessibility Service restrictions by auto-installing the payload, opening the Accessibility settings and displaying a convincing loading overlay that hides the prompts used to grant powerful permissions.

After activation the trojan fingerprints the device by collecting the installed apps and sends that inventory to its command-and-control server, which returns a tailored list of high-value targets and overlay URLs.

The malware then injects realistic-looking fake login screens over legitimate banking apps and intercepts incoming SMS messages so it can harvest credentials and one-time codes in real time.

Where Herodotus stands out is in how it performs input during remote takeover. Instead of pasting whole strings via ACTION_SET_TEXT or the clipboard, which creates instant, machine-like input patterns, it breaks operator-supplied text into single characters and inserts them at randomized intervals.

This per-character, delayed typing produces timing and rhythm very similar to human typing, reducing anomaly signals and making behavioral anti-fraud systems less likely to flag the session as automated.

Herodotus inserts 300–3000 ms delays between keystrokes to mimic human typing and try to fool basic behavioral detectors, though advanced profiling systems can still spot anomalies. Operators enable it with a “Delayed text” checkbox in the control panel.

Indicators of Compromise

Sample

The post Herodotus mimics humans to bypass biometrics appeared first on First Hackers News.

What is PixPirate?

PixPirate is a type of Android banking malware designed to steal sensitive financial information from users. It typically targets Android devices and employs various techniques to evade detection, allowing it to operate stealthily on infected devices. PixPirate is known for its sophisticated methods and poses a significant threat to financial institutions, particularly in regions like Brazil.

In the past, banking malware typically concealed itself by removing its launcher icon using the SetComponentEnabledSetting API.

However, Android 10’s security enhancements made this method ineffective. PixPirate has devised a new tactic to overcome these obstacles, allowing it to vanish from the victim’s view during both reconnaissance and attack phases. As reported by Security intelligence, PixPirate, originating from Brazil, currently remains undetectable by most antivirus software.

PixPirate exploits the accessibility service to acquire remote access trojan (RAT) capabilities, enabling it to monitor user activities and pilfer sensitive information like online banking credentials and credit card details.

Additionally, it can tamper with SMS messages to circumvent two-factor authentication (2FA) measures.

Key features of PixPirate include:

• Application manipulation and control
• Keylogging
• App inventory collection
• App installation and removal
• Device screen locking and unlocking
• Access to phone accounts and contact lists
• Device location tracking
• Anti-VM and anti-debug features
• Persistence after reboot
• Spreading via WhatsApp
• SMS message manipulation
• Disabling Google Play Protect

With these capabilities, PixPirate can engage in on-device fraud (ODF), carrying out transactions from the victim’s device to evade detection by bank security systems.

Recently, cybersecurity professional Shah Sheikh tweeted about PixPirate, highlighting its characteristics as a Brazilian financial malware crafted to evade detection on the victim’s system.

The Infection Flow of PixPirate

Unlike typical financial malware that relies on a single Android Package (APK), PixPirate comprises two components. The downloader app isn’t just a conduit for installing the droppee; it actively participates in executing the malware, maintaining communication, and sending commands.

Victims are typically infected through malicious links sent via WhatsApp or SMS phishing messages. The downloader disguises itself as a legitimate banking app, deceiving victims into installing an “update” that is, in fact, the PixPirate malware.

PixPirate’s droppee app lacks a primary activity, making it devoid of a launcher icon and invisible on the home screen. The downloader app initiates the droppee, which would otherwise remain dormant. This technique guarantees the malware’s persistence even if the victim removes the downloader.

It targets the Brazilian instant payment platform Pix, redirecting funds to fraudsters’ accounts by manipulating transactions.

The malware captures login credentials when the user opens a banking app and executes unauthorized transfers.

Users and financial institutions must stay vigilant and informed about such malware to safeguard against these evolving threats.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post PixPirate, an Android banking malware appeared first on First Hackers News.

SpyNote: Android spyware

F-Secure reports that the trojan in question is typically disseminated through SMS phishing campaigns, which entice users to unknowingly download spyware onto their devices by clicking a malicious link embedded within the message.

SpyNote gains access to call logs, camera, SMS messages, and external storage while concealing its presence from both the primary Android screen and the Recents screen, effectively making detection challenging.

“The SpyNote malware app, as noted by F-Secure researcher Amit Tambe, can be initiated through an external trigger. Subsequently, it initiates its core malicious activities. Most notably, it actively seeks accessibility permissions, aiming to acquire additional privileges, including audio and telephone call recording permissions, keystroke logging capabilities, and the ability to capture screenshots of the phone through the MediaProjection API.”

A detailed examination of the malware by F-Secure uncovered the existence of so-called “diehard services,” which create complications when attempting to terminate the spyware, whether it’s the victims or the operating system itself trying to do so.

“The SpyNote sample is spyware that captures and pilfers a range of information, encompassing keystrokes, call logs, data regarding installed applications, and more,” Tambe explained. “It lurks discreetly on the victim’s device, evading easy detection and rendering the uninstallation process exceptionally challenging.”

The victim will be forced to do restore factory settings, thus losing all its other data.

Spyware presents multiple hazards, and it is imperative to comprehend its implications and implement protective measures. Among the foremost concerns linked to spyware are the invasion of privacy and the risk of data breaches.

Spyware poses a significant threat to our privacy as it stealthily infiltrates our devices, potentially harvesting critical personal and financial data that can subsequently be exploited for further malicious activities.

Beyond the privacy concerns, spyware can result in more extensive data breaches, encompassing personal and financial information, confidential corporate data, and other sensitive content. When this data is exposed, it can trigger substantial financial losses, disrupt trust and transparency, and potentially jeopardize national security.

The post SpyNote: Android spyware records your calls appeared first on First Hackers News.

Zanubis: The Android banking trojan

Discovered initially in August 2022, this malware focuses on Peruvian bank users and cryptocurrency holders, disguising itself as authentic Android applications. Zanubis manipulates users into granting Accessibility privileges, effectively relinquishing control of their devices.

What distinguishes Zanubis is its growing sophistication, as detailed in a recent Kaspersky report. This Trojan employs the Obfuscapk Obfuscator for Android APK archives, rendering it challenging to identify.

Upon infiltrating the victim’s device, it loads a genuine SUNAT website through WebView, effectively creating a facade of legitimacy. The Trojan establishes continuous communication with its controlling server via WebSockets and a library known as Socket.IO, ensuring connectivity even in challenging circumstances.

A concerning aspect of the Zanubis banking trojan is its adaptability. It can be remotely reconfigured to steal data from specific applications and establish a secondary connection, granting full control over compromised devices. It can also mimic an Android update, potentially disabling the device.

In the same report, Kaspersky researchers highlight additional threats alongside Zanubis. Among these is AsymCrypt, a cryptor/loader specifically engineered to target cryptocurrency wallets.

Furthermore, researchers discussed Lumma stealer, formerly known as Arkei, which retains 46% of its original features. It disguises itself as a .docx to .pdf file converter and activates its payload when the files return with a double .pdf.exe extension. Lumma primarily focuses on crypto wallets, pilfering cached files, configuration files, and log files.

Tatyana Shishkova, Chief Security Researcher at Kaspersky’s GReAT, stressed the need for continuous vigilance and staying informed about ever-evolving threats.

“The dynamic nature of these threats, exemplified by Lumma and the Zanubis banking trojan, highlights the ever-evolving malware landscape,” he noted.

“Expert reports are crucial for staying informed about the latest malicious tools and attacker techniques, empowering us to maintain an edge in the continuous struggle for digital security.”

To mitigate financially motivated threats, Kaspersky suggests implementing preventive measures such as offline backups, utilizing ransomware protection tools, and adopting dedicated security solutions.

In the modern age, malware stands out as a prominent digital security threat, targeting devices with the intent to pilfer personal information or carry out unauthorized malicious activities.

The post Zanubis: The Android banking trojan gets even more dangerous appeared first on First Hackers News.