Security researchers at Cleafy have identified Klopatra, a previously undocumented Android banking trojan combined with a full-fledged remote access tool (RAT). The malware is distributed via a sideloaded IPTV/VPN app and has already led to more than 3,000 unique infections. Klopatra stands out by blending traditional credential theft with covert, operator-driven control of the device through a hidden VNC mode that renders a “black screen” to the victim.
Discovery and attribution: independent Android banker lineage
Cleafy’s analysis indicates Klopatra is not a variant of known Android malware families, suggesting an independent codebase and development lineage. The researchers assess likely ties to actors linked with the Turkish cybercrime ecosystem. This “genetic” independence complicates signature-driven detection and underscores a broader market diversification among Android banking trojans.
Infection chain: sideloaded IPTV/VPN dropper outside Google Play
Initial compromise occurs through a dropper application named Modpro IP TV + VPN distributed outside Google Play. The threat leverages sideloading—users manually installing APKs from untrusted sources—bypassing Google’s built-in vetting. This remains a primary infection vector for Android threats, particularly for apps promising premium features (e.g., free IPTV or VPN).
Capabilities: overlays, Accessibility abuse, and screen monitoring
Klopatra targets banking credentials using phishing-style overlay screens that mimic legitimate app interfaces, intercepts clipboard contents, and abuses the Accessibility Service to capture input events. The malware can monitor the screen in real time, enabling the extraction of passwords and one-time codes, and can simulate taps, swipes, and gesture navigation to execute actions autonomously within financial apps.
Hidden VNC “black screen”: manual fraud at scale
A defining feature is its covert VNC mode. While the operator remotely controls the device, the victim sees a black, seemingly inactive screen. The RAT supports precise tap coordinates, swipes, and long presses—enough to perform manual banking transactions and interact with sensitive applications without user awareness.
Stealth triggers reduce user suspicion
Klopatra checks whether the device is charging and the screen is off before activating remote control. This timing lowers the chance of detection and increases the success rate of unauthorized operations.
Defense evasion and anti-analysis techniques
The malware is packed with the commercial Virbox protector, moves core logic into native libraries so that little Java/Kotlin code is left to decompile, and encrypts strings with NP Manager to slow reverse engineering. To protect its foothold, Klopatra carries a hardcoded list of popular mobile antivirus products and attempts to uninstall them, degrading both consumer and enterprise defenses on the infected device.
Infrastructure and campaign scale
Cleafy links activity to multiple command-and-control (C2) servers spanning at least two campaigns. Since March 2025, researchers have observed around 40 distinct builds, indicating rapid iteration and active development. In total, the cluster exceeds 3,000 infected devices, with indicators pointing to continued expansion.
Why it matters: Android banker trends and crypto risk
Klopatra highlights a persistent trend in mobile fraud: systematic abuse of Accessibility for input interception and UI automation, combined with real-time operator control when automation alone falls short. Notably, the malware enumerates cryptocurrency wallet applications, raising the risk of direct theft of digital assets alongside traditional banking fraud.
Mitigation: practical steps for users and enterprises
- Install only from Google Play; verify developers and reviews. Avoid third-party APKs, especially “free IPTV/VPN” apps advertising premium features.
- Restrict Accessibility permissions to apps that genuinely need them. Review granted permissions regularly.
- Keep Google Play Protect enabled, promptly apply OS/app updates, and use multi-factor authentication for banking. Because the malware reads the screen in real time, one-time codes displayed on the infected device can be captured; a second factor held on a separate device is stronger.
- Watch for compromise signals: unexpected overlays, fast battery drain, missing antivirus, or spontaneous device actions.
- Enterprises should enforce MDM/MAM controls (block installation from unknown sources, restrict which apps may bind the Accessibility Service), monitor for newly enabled Accessibility services on managed devices, and filter known C2 traffic at the network layer.
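The two conditions that matter most for the enterprise checks above, an app installed outside Google Play that has also been granted the Accessibility Service, can be read off a managed device with two adb commands. The script below is an added example for this article, not Cleafy's tooling or any indicator from their report: it parses the text printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags packages that appear in the first list but were not installed by a trusted store. The sample command output is constructed, and the package name `tv.modpro.iptvvpn` is a hypothetical stand-in, not a real indicator.

```python
"""Triage helper: flag Accessibility-enabled apps that were not installed
from a trusted store.  Added example, not Cleafy's code.  Feed it the raw
output of:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
All sample output below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Installers considered trustworthy; add an enterprise store / MDM agent here.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample of the setting value: colon-separated ComponentName
# strings of the form 'package/ServiceClass'.  TalkBack is a legitimate
# screen reader; tv.modpro.iptvvpn is a hypothetical sideloaded IPTV/VPN app.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "tv.modpro.iptvvpn/.core.AccessService"
)

# Constructed sample of `pm list packages -i`.  installer=null means the
# installer is unknown (sideloaded, or a system app; use `pm list packages -3 -i`
# to restrict the listing to third-party apps).
SAMPLE_PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:tv.modpro.iptvvpn  installer=null
package:com.example.bank  installer=com.android.vending
"""


@dataclass(frozen=True)
class Finding:
    package: str
    services: tuple            # enabled accessibility service classes
    installer: Optional[str]   # None when unknown / sideloaded


def parse_enabled_services(value: str) -> dict:
    """Return {package: [service class, ...]} from the raw setting value.

    `settings get` prints the literal string 'null' when nothing is enabled,
    and a class name beginning with '.' is relative to its package.
    """
    services: dict = {}
    value = value.strip()
    if value in ("", "null"):
        return services
    for component in value.split(":"):
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(pm_output: str) -> dict:
    """Return {package: installer or None} from `pm list packages -i` output."""
    installers: dict = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


def triage(enabled_value: str, pm_output: str, trusted=TRUSTED_INSTALLERS) -> dict:
    """Cross-reference the two listings.

    A package is reported as risky when Accessibility is enabled for it and
    its installer is unknown or not in `trusted`.  Sideloaded packages are
    listed separately so that a later Accessibility grant can be watched for.
    """
    services = parse_enabled_services(enabled_value)
    installers = parse_installers(pm_output)
    risky = [
        Finding(pkg, tuple(classes), installers.get(pkg))
        for pkg, classes in services.items()
        if installers.get(pkg) not in trusted
    ]
    sideloaded = sorted(p for p, i in installers.items() if i is None)
    return {"risky_accessibility": risky, "sideloaded": sideloaded}


if __name__ == "__main__":
    result = triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST)
    for f in result["risky_accessibility"]:
        print(f"RISK  {f.package}  installer={f.installer}  "
              f"services={', '.join(f.services)}")
    print("sideloaded:", ", ".join(result["sideloaded"]) or "none")
```

On the constructed sample this reports `tv.modpro.iptvvpn` as risky (Accessibility enabled, installer unknown) and leaves TalkBack alone because Play installed it. In a fleet, the same check run from the MDM agent on each sync turns "monitor Accessibility anomalies" into a concrete alert: any package that newly enters the risky list, or whose installer is not the corporate store, is worth a look before it can be used for overlays or hidden-VNC control.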
Klopatra exemplifies the evolution of Android banking malware, combining overlays, Accessibility abuse, and stealthy remote access to maximize fraud potential across banking and crypto targets. Reducing sideloading, tightening permission hygiene, and maintaining layered defenses are critical. At the first sign of compromise, isolate the device, change credentials from a trusted system, and engage security professionals to limit financial impact and accelerate recovery.