A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.
Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions.
“Klopatra represents a significant evolution in mobile malware sophistication,” security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said. “It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze.”
Evidence gathered from the malware’s command-and-control (C2) infrastructure and linguistic clues in the associated artifacts suggests that it is being operated by a Turkish-speaking criminal group as a private botnet, given the absence of a public malware-as-a-service (MaaS) offering. As many as 40 distinct builds have been discovered since March 2025.
Attack chains distributing Klopatra employ social engineering lures to trick victims into downloading dropper apps that masquerade as seemingly harmless tools, such as IPTV applications, allowing the threat actors to bypass security defences and completely take control of their mobile devices.
Offering the ability to access high-quality TV channels as a lure is a deliberate choice, as pirated streaming applications are popular among users, who are often willing to install such apps from untrusted sources, thus unwittingly infecting their phones in the process.
The dropper app, once installed, requests the user to grant it permissions to install packages from unknown sources. Upon obtaining this permission, the dropper extracts and installs the main Klopatra payload from a JSON Packer embedded within it. The banking trojan is no different from other malware of its kind, seeking permission to Android’s accessibility services to realize its goals.
While accessibility services is a legitimate framework designed to assist users with disabilities to interact with the Android device, it can be a potent weapon in the hands of bad actors, who can abuse it to read contents of the screen, record keystrokes, and perform actions on behalf of the user to conduct fraudulent transactions in an autonomous manner.
“What elevates Klopatra above the typical mobile threat is its advanced architecture, built for stealth and resilience,” Cleafy said. “The malware authors have integrated Virbox, a commercial-grade code protection tool rarely seen in the Android threat landscape. This, combined with a strategic shift of core functionalities from Java to native libraries, creates a formidable defensive layer.”
“This design choice drastically reduces its visibility to…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
