
New Android Banking Trojan ‘Klopatra’ Exploits Hidden VNC for Remote Device Control

Written by Integrity360 | Oct 1, 2025 10:03:13 AM

A newly discovered Android banking trojan named Klopatra has infected more than 3,000 devices, with most cases observed in Spain and Italy. First identified by the Italian firm Cleafy in late August 2025, Klopatra is a sophisticated remote access trojan that leverages Hidden VNC to seize full control of compromised smartphones. It employs dynamic overlays to steal credentials and ultimately enables its operators to perform fraudulent financial transactions. 

What makes Klopatra particularly advanced is its use of native libraries and the commercial-grade Virbox code protection suite, rarely seen in mobile malware. This combination provides strong obfuscation, anti-debugging protections, and runtime integrity checks, making it exceptionally resilient and difficult to analyse. Researchers believe the malware is being operated as a private botnet by a Turkish-speaking criminal group, as there is no evidence of it being sold on underground markets. Since March 2025, at least 40 distinct builds have been tracked.

Klopatra is distributed through dropper apps masquerading as IPTV streaming tools. Victims are lured into sideloading these fake apps from untrusted sources, after which the dropper requests the "install unknown apps" permission (REQUEST_INSTALL_PACKAGES) and uses it to deploy the trojan payload. Once active, the malware abuses Android accessibility services to read screen content, record keystrokes, and automate fraudulent activity. With accessibility access it can grant itself further permissions, uninstall security apps, and deploy overlay login screens on top of banking and cryptocurrency applications to harvest credentials.

The operators run carefully orchestrated fraud sequences, often at night when devices are charging and users are inactive. During these sessions, the trojan can dim the screen, display a fake black overlay, and quietly launch banking apps in the background, using stolen PINs to transfer funds. This design allows human operators to carry out fraud in real time while the victim remains unaware.

Klopatra illustrates how mobile malware is becoming more professionalised, adopting commercial-grade protections and advanced stealth techniques to extend its operational lifespan. By combining dynamic overlays, full device takeover, and strong anti-analysis features, it represents a serious threat to mobile banking users.

What you should do 

Users should avoid installing apps from untrusted or unofficial sources, even if they appear to offer free or premium content such as IPTV streaming. Always review requested permissions carefully and be wary of apps asking for accessibility service access, permission to install unknown apps, or permission to draw over other apps without a clear reason; an app that wants all three is a strong warning sign. Periodically check the list of enabled accessibility services in the device settings and disable any belonging to apps you do not recognise. Ensure mobile devices are protected with reputable, up-to-date security software and regularly review bank account activity for suspicious transactions, including ones made overnight. Organisations in the financial sector should monitor for fraud attempts linked to Klopatra and educate customers about the risks of sideloading apps.
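The following script is an added example written for this advisory; it is not code from Integrity360 or from Cleafy's analysis. It shows how a responder with USB debugging access could triage a device for the combination of indicators described in the distribution paragraph and in the advice above: a sideloaded package that holds REQUEST_INSTALL_PACKAGES (dropper behaviour), can draw overlays (SYSTEM_ALERT_WINDOW), and has an enabled accessibility service. The two text blobs are constructed to imitate the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; the package names, service classes and hashes are hypothetical, and real dumpsys output is far more verbose than the excerpt parsed here.

```python
"""Triage an Android device for Klopatra-style indicators (added example).

Constructed inputs below imitate `adb shell dumpsys package` and the
`enabled_accessibility_services` secure setting. In a real investigation,
replace them with the captured output of those commands.
"""
import re

# Installers we treat as trustworthy; anything else counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed excerpt in the layout of `dumpsys package` (hypothetical apps).
DUMPSYS_PACKAGE = """\
Packages:
  Package [com.example.freeiptv] (a1b2c3):
    userId=10234
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
  Package [com.example.bank] (d4e5f6):
    userId=10210
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
  Package [com.example.talkback] (778899):
    userId=10050
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""

# Constructed value of the enabled_accessibility_services setting:
# a colon-separated list of package/service pairs.
ENABLED_A11Y = "com.example.freeiptv/.StreamSvc:com.example.talkback/.TalkBackService"


def parse_dumpsys_packages(text):
    """Return {package: {"installer": str|None, "permissions": set}}."""
    pkgs = {}
    current = None
    in_perms = False
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            pkgs[current] = {"installer": None, "permissions": set()}
            in_perms = False
            continue
        if current is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:
            value = m.group(1)
            pkgs[current]["installer"] = None if value == "null" else value
            continue
        if line.strip() == "requested permissions:":
            in_perms = True
            continue
        if in_perms:
            stripped = line.strip()
            if stripped.startswith("android.permission."):
                pkgs[current]["permissions"].add(stripped)
            else:
                in_perms = False  # left the permissions block
    return pkgs


def parse_enabled_a11y(setting):
    """Packages that have at least one enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting.split(":") if entry}


def triage(dumpsys_text, a11y_setting):
    """Map each package to the list of indicators it exhibits (empty ones omitted)."""
    pkgs = parse_dumpsys_packages(dumpsys_text)
    a11y = parse_enabled_a11y(a11y_setting)
    findings = {}
    for name, info in pkgs.items():
        hits = []
        if info["installer"] not in TRUSTED_INSTALLERS:
            hits.append("sideloaded (installer=%s)" % info["installer"])
        if "android.permission.REQUEST_INSTALL_PACKAGES" in info["permissions"]:
            hits.append("can install unknown packages (dropper behaviour)")
        if "android.permission.SYSTEM_ALERT_WINDOW" in info["permissions"]:
            hits.append("can draw overlays on top of other apps")
        if name in a11y:
            hits.append("accessibility service enabled")
        if hits:
            findings[name] = hits
    return findings


def high_risk(findings, threshold=3):
    """Packages combining `threshold` or more indicators, most suspicious first."""
    ranked = sorted(findings.items(), key=lambda kv: -len(kv[1]))
    return [name for name, hits in ranked if len(hits) >= threshold]


if __name__ == "__main__":
    results = triage(DUMPSYS_PACKAGE, ENABLED_A11Y)
    for pkg, hits in results.items():
        print(pkg, "->", "; ".join(hits))
    print("high risk:", high_risk(results))
```

A single indicator is weak on its own: the hypothetical screen-reader app above legitimately has an accessibility service enabled and is flagged with one hit only, whereas the IPTV dropper collects all four. That is why the report ranks by combination rather than raising an alert on any one permission.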

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.