- Klopatra malware steals banking and crypto data, even when the screen is off
- Distributed via a fake IPTV + VPN app, it requests accessibility permissions for full control of the device
- Uses Virbox, anti-debugging and encryption to evade detection and analysis
Cleafy cybersecurity researchers have discovered a powerful new Android Trojan capable of stealing money from banking applications, draining crypto from hot wallets, and even operating the device while the screen is off.
Klopatra, an Android malware apparently built by a Turkish threat actor, resembles nothing already in existence, which suggests the tool was built from scratch. It was first spotted in March 2025 and has since gone through 40 iterations, which shows that the group is actively maintaining and developing the malware.
Klopatra is distributed through standalone malicious pages rather than Google's Play Store. It uses a dropper called ModPro IP TV + VPN, which claims to be an IPTV and VPN application. Once the dropper is installed, it deploys Klopatra which, as is usual for malicious applications, requests accessibility service permissions.
Thousands of victims
These permissions allow the attackers to simulate taps, read screen content, steal credentials and silently control applications, among other things.
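Because the whole scheme hinges on a sideloaded app being granted an accessibility service, a quick triage step on a suspect device is to list which accessibility services are actually enabled and flag any that are not expected. The script below is an added example written for this article, not Cleafy's code or an indicator from their report; it parses the raw value of the Android Secure setting `enabled_accessibility_services` (colon-separated `package/ServiceClass` entries), and the allow-list and the sample package names are constructed placeholders.

```shell
#!/bin/sh
# Triage helper (added example): flag enabled Android accessibility services
# whose package is not on a small allow-list.
# On a device the raw value is obtained with:
#   adb shell settings get secure enabled_accessibility_services
# Format: colon-separated "package/ServiceClass" entries.

# Packages expected to run accessibility services. Assumption/placeholder:
# adjust to your own fleet.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.settings"

# Print one line per unexpected service; return 0 if none, 1 if any found.
flag_unexpected_services() {
    value="$1"
    found=0
    # "null" is what `settings get` prints when nothing is enabled.
    [ "$value" = "null" ] && return 0
    # Split on ':' so each service entry is examined on its own.
    for entry in $(printf '%s\n' "$value" | tr ':' '\n'); do
        pkg="${entry%%/*}"          # package name is the part before '/'
        [ -n "$pkg" ] || continue
        ok=0
        for a in $ALLOWED_PKGS; do
            [ "$pkg" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "UNEXPECTED accessibility service: $entry"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample value: a legitimate screen reader plus a service from a
# package posing as a TV + VPN app (placeholder name, not a real indicator).
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.iptvvpn/com.example.iptvvpn.A11yService"

flag_unexpected_services "$SAMPLE" || echo "Review the services listed above."
```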
Beyond stealing people's money and data and tampering with the phone, Klopatra also carries a hard-coded list of Android package names, which it checks for on the device and tries to disable.
The malware also goes to extra lengths to avoid being detected and analysed.
It uses Virbox, a legitimate software protection and licensing platform that defends applications against piracy, reverse engineering and unauthorised use.
In this case, Virbox is used to stop security researchers from reverse-engineering and analysing the malware. In addition, it relies on native libraries to keep its use of Java and Kotlin to a minimum, and has recently started using NP Manager string encryption.
The researchers said the malware ships with multiple anti-debugging mechanisms, runtime integrity checks and the ability to detect when it is running in an emulator, all of which hinder researchers trying to dissect it.
So far at least 3,000 devices across Europe have been infected, Cleafy said.