By Darren Guccione
The Herodotus Android banking Trojan demonstrates an evolving threat vector, one in which malicious code increasingly imitates human behaviuor, inserting subtle pauses and delays to appear human and bypass detection.
It exemplifies how attackers are leveraging automation and agentic intelligence to mimic legitimate user interactions to evade the very systems designed to stop them.
Security tools that rely solely on rhythm, keystroke cadence or user timing will inevitably struggle to identify these new forms of automation. What’s required now is deeper visibility at the process and session level, with the ability to correlate behavioural, contextual and environmental data in real time.
Google’s statement confirming that no infected apps were found on Play and that Play Protect is blocking known variants is reassuring. However, threat actors continue to exploit side-loading, social engineering and third-party app channels – bypassing trusted app ecosystems and preying on user complacency.
It highlights an ongoing challenge in mobile security: platform-level defences can only defend against known threats. Attackers are now deploying polymorphic, AI-enhanced malware capable of altering its behaviour in real time to evade detection.
For organisations – particularly those supporting bring-your-own-device environments – this evolution reinforces the need for continuous behavioural monitoring and identity-first security. Security posture must extend beyond endpoints to session-level analysis, enabling detection of anomalies that appear human but deviate from expected context or privilege level.
This is precisely where zero trust and privileged access management frameworks become critical. Every digital interaction, whether from a human, a bot or an AI agent, must be continuously authenticated, authorised and monitored. Modern threats like Herodotus don’t just exploit software vulnerabilities; they exploit identity verification gaps and over-privileged access.
We are seeing a fundamental shift towards identity-first, AI-assisted cybersecurity, where privilege boundaries are constantly validated, and automation itself is secured. Every entity – human or non-human – must operate within tightly controlled, auditable access boundaries.
By combining real-time session telemetry, command analytics and contextual risk scoring, security teams can enable AI-driven defences that distinguish intent from imitation at machine speed.
The goal isn’t simply to identify malicious activity after the fact, but to prevent privilege misuse or unauthorised automation before it occurs.
The organisations that embrace continuous, context-aware monitoring grounded in zero trust principles will be the best equipped to defend against this new era of adaptive, behaviour-mimicking threats.
The author is CEO & Co-founder, Keeper Security. Views are personal.
