A new banking trojan called Klopatra is making waves in the Android world. It disguises itself as seemingly harmless apps like IPTV or VPN services, but in reality, it has already managed to infect over 3,000 devices across Europe.
Klopatra is not just any malware. It’s a remote access trojan (RAT) with highly advanced capabilities: it can view what you’re doing on your screen in real time, log everything you type, simulate gestures, and even activate a hidden remote control mode using VNC technology—allowing attackers to operate the device as if it were in their hands.
According to researchers at Cleafy, this malware appears to be an entirely new creation, with no ties to other known Android malware families. Evidence suggests it was developed by a group of Turkish-speaking cybercriminals, making it an emerging threat that is still under investigation.
This trojan can display fake screens over your banking apps (a technique known as overlay attacks) to steal your credentials without you noticing. It’s also capable of spying on your clipboard, logging every keystroke, and—most alarmingly—draining your bank accounts using VNC-enabled remote control.
But it doesn’t stop there. Klopatra also targets cryptocurrency wallet apps, gathering as much information as possible to steal digital assets.
A Stealthy Threat on Android: How Klopatra Infiltrates Your Device Without You Noticing
Klopatra doesn’t land on devices by accident. It infiltrates through a malicious app called "Modpro IP TV + VPN," which acts as a dropper to install the actual malware. This app isn’t available on Google Play—it’s distributed outside of official channels, which should already raise red flags.
The Installation Process of Klopatra (Source: Cleafy Labs)
Klopatra is not just any malware—it’s designed to be difficult to analyze and nearly impossible to trace. It uses Virbox, a commercial code protection tool that seriously complicates any reverse engineering attempts.
In addition, it relies on native libraries rather than Java or Kotlin code, which reduces its footprint and makes it harder to detect. In its latest versions, it even implements string encryption with tools like NP Manager to keep its internal logic hidden.
But that’s not all. This malware comes equipped with advanced anti-analysis techniques: it includes anti-debugging mechanisms, runtime integrity checks, and detection of virtual environments or emulators to ensure it’s not being monitored by security analysts.
Once installed, Klopatra exploits Android’s accessibility service to grant itself special permissions without the user noticing. This allows it to capture everything you type, simulate taps and gestures as if you were using the device yourself, and monitor the screen in real time to steal passwords, personal data, or any other sensitive information that appears.
Accessibility Permission Request
One of the most dangerous features of Klopatra is its black screen VNC mode, which allows attackers to take full control of the device while the victim believes it’s locked or inactive. At first glance, the phone appears to be off or in sleep mode, but in reality, it’s being controlled remotely.
This mode gives cybercriminals everything they need to carry out banking operations manually: they can simulate taps on specific parts of the screen, swipe up or down, perform long presses, and much more—as if they were using the device with their own fingers.
To avoid raising suspicion, the malware even checks whether the phone is charging or if the screen is off, waiting for the perfect moment to activate this function without the user noticing anything unusual.
Who Is Behind Klopatra? All Signs Point to a Turkish Group
Although the creators of Klopatra have tried to stay in the shadows, some technical oversights have revealed clues about its origin. By analyzing text fragments in the code and certain references to monetization and development, experts believe this malware is being operated by a group of Turkish-speaking cybercriminals.
During the investigation, several command-and-control (C2) servers were identified, linked to at least two active campaigns that have already affected more than 3,000 unique devices.
Despite attempts by the attackers to cover their tracks by using Cloudflare to protect their infrastructure, a misconfiguration exposed the real IP addresses of the servers, which allowed investigators to trace their location and connect them to a single hosting provider.
Since its emergence in March 2025, Klopatra has shown consistent activity and rapid evolution: more than 40 different versions of the trojan have already been detected, indicating that the project is under active development and continues to enhance its capabilities.
How to Protect Your Android Device from the Klopatra Trojan
Even though Klopatra is an advanced threat, protecting your Android device isn’t difficult if you follow some best practices. At TecnetOne, we recommend the following security measures to avoid infections like this:
- Avoid downloading APK files from unofficial websites or links received via messages or social media.
- Be wary of apps that request access to the Accessibility Service, especially if it’s not essential for their functionality. This permission is key for the malware to take control of your device.
- Enable and keep Google Play Protect active, as it can help detect malicious apps before they’re installed.
- Keep your device up to date with the latest system security patches, and keep the apps you use regularly updated.
- If something seems suspicious (like unusual battery drain, strange screen behavior, or permissions you don’t remember granting), check your accessibility and device management settings immediately.
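Because Klopatra, like the overlay and VNC features described above, depends on holding Accessibility Service access, the single most useful check a defender or help-desk engineer can run is to enumerate which packages currently hold that permission. The script below is an added example (not code from the article or from Cleafy) that parses the output of two standard `adb shell` commands, `settings get secure enabled_accessibility_services` and `pm list packages -3`, and flags any third-party service that is not on a vetted allowlist. The allowlist, the package names in the sample output, and the `adb()` helper are assumptions constructed for this demo, not indicators from the Cleafy report.

```python
"""Audit which apps hold Accessibility Service access on an Android device.

Parses the output of:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3        (third-party packages only)
and reports every third-party accessibility service that is not on a vetted
allowlist. Sample outputs below are CONSTRUCTED for this example; the
package names are hypothetical, not indicators from any report.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Hypothetical allowlist: accessibility providers the organisation has vetted.
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.systemui",
}


@dataclass(frozen=True)
class AccessibilityFinding:
    package: str
    service: str
    third_party: bool
    trusted: bool

    @property
    def suspicious(self) -> bool:
        # A sideloaded/third-party app with un-vetted accessibility access
        # is exactly the foothold a banking trojan needs.
        return self.third_party and not self.trusted


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse the colon-separated 'pkg/ServiceClass' list stored in
    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES into (package, service)."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset -> nothing enabled
        return []
    pairs: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):           # Android abbreviates 'com.foo/.Bar'
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_third_party_packages(raw: str) -> set[str]:
    """Parse 'pm list packages -3' output: one 'package:<name>' per line."""
    return {
        line.strip()[len("package:"):]
        for line in raw.splitlines()
        if line.strip().startswith("package:")
    }


def audit(enabled_raw: str, third_party_raw: str,
          trusted: set[str] = TRUSTED_ACCESSIBILITY_PACKAGES) -> list[AccessibilityFinding]:
    """Combine both command outputs into a list of findings."""
    third_party = parse_third_party_packages(third_party_raw)
    return [
        AccessibilityFinding(pkg, svc, pkg in third_party, pkg in trusted)
        for pkg, svc in parse_enabled_services(enabled_raw)
    ]


def adb(*args: str) -> str:
    """Run an adb shell command against the attached device (hypothetical helper
    for real use; the demo below uses constructed output instead)."""
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output standing in for a real device.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamvpn/.ScreenHelperService"
)
SAMPLE_THIRD_PARTY = "package:com.example.streamvpn\npackage:com.example.notes\n"

if __name__ == "__main__":
    # Against a real device:
    #   audit(adb("settings", "get", "secure", "enabled_accessibility_services"),
    #         adb("pm", "list", "packages", "-3"))
    for finding in audit(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{flag:10} {finding.package} -> {finding.service}")
```

A hit from this script is a prompt to investigate, not proof of infection: legitimate password managers and assistive apps also use the Accessibility Service, which is why the allowlist must be maintained per organisation rather than hard-coded.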
Prevention is key. The more informed you are, the harder it will be for attackers to find a way into your phone.