A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.
Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions.
“Klopatra represents a significant evolution in mobile malware sophistication,” security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said. “It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze.”
Evidence gathered from the malware’s command-and-control (C2) infrastructure and linguistic clues in the associated artifacts suggests that it is being operated by a Turkish-speaking criminal group as a private botnet, given the absence of a public malware-as-a-service (MaaS) offering. As many as 40 distinct builds have been discovered since March 2025.
Attack chains distributing Klopatra employ social engineering lures to trick victims into downloading dropper apps that masquerade as seemingly harmless tools, such as IPTV applications, allowing the threat actors to bypass security defences and completely take control of their mobile devices.
Offering the ability to access high-quality TV channels as a lure is a deliberate choice, as pirated streaming applications are popular among users, who are often willing to install such apps from untrusted sources, thus unwittingly infecting their phones in the process.
The dropper app, once installed, requests the user to grant it permissions to install packages from unknown sources. Upon obtaining this permission, the dropper extracts and installs the main Klopatra payload from a JSON Packer embedded within it. The banking trojan is no different from other malware of its kind, seeking permission to Android’s accessibility services to realize its goals.
While accessibility services is a legitimate framework designed to assist users with disabilities to interact with the Android device, it can be a potent weapon in the hands of bad actors, who can abuse it to read contents of the screen, record keystrokes, and perform actions on behalf of the user to conduct fraudulent transactions in an autonomous manner.
“What elevates Klopatra above the typical mobile threat is its advanced architecture, built for stealth and resilience,” Cleafy said. “The malware authors have integrated Virbox, a commercial-grade code protection tool rarely seen in the Android threat landscape. This, combined with a strategic shift of core functionalities from Java to native libraries, creates a formidable defensive layer.”
“This design choice drastically reduces its visibility to traditional analysis frameworks and security solutions, applying extensive code obfuscation, anti-debugging mechanisms, and runtime integrity checks to hinder analysis.”
Besides incorporating features to maximize evasion, resilience, and operational effectiveness, the malware provides operators with granular, real-time control over the infected device using VNC features that are capable of serving a black screen to conceal the malicious activity, such as executing banking transactions without their knowledge.
Klopatra also uses the accessibility services to grant itself additional permissions as required to prevent the malware from being terminated, and attempts to uninstall any hard-coded antivirus apps already installed on the device. Furthermore, it can launch fake overlay login screens atop financial and cryptocurrency apps to siphon credentials. These overlays are delivered dynamically from the C2 server when the victim opens one of the targeted apps.
It’s said the human operator actively engages in fraud attempts over what’s described as a “carefully orchestrated sequence” that involves first checking if the device is charging, the screen is off, and is currently not being actively used.
If these conditions are met, a command is issued to reduce the screen brightness to zero and display a black overlay, giving the impression to the victim that the device is inactive and off. In the background, however, the threat actors use the device PIN or pattern previously stolen to gain unauthorized access, launch the targeted banking app, and drain the funds through multiple instant bank transfers.
The findings show that although Klopatra doesn’t try to reinvent the wheel, it poses a serious threat to the financial sector owing to a technically advanced assemblage of features to obfuscate its true nature.
“Klopatra marks a significant step in the professionalization of mobile malware, demonstrating a clear trend of threat actors adopting commercial-grade protections to maximize the lifespan and profitability of their operations,” the company said.
“The operators show a clear preference for conducting their attacks during the night. This timing is strategic: the victim is likely asleep, and their device is often left charging, ensuring it remains powered on and connected. This provides the perfect window for the attacker to operate undetected.”
The development comes a day after ThreatFabric flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly.
