Klopatra: New Android Banking Trojan Uses Hidden VNC to Hijack Smartphones

A previously undocumented Android malware dubbed Klopatra has emerged as a serious threat to mobile banking users, compromising more than 3,000 devices across Spain and Italy since March 2025.

🛑 How Klopatra Works

Discovered by Italian fraud prevention firm Cleafy, the trojan leverages a blend of advanced tactics to evade detection and maximize impact:

  • Hidden Virtual Network Computing (VNC): Grants attackers real-time remote control of infected phones.
  • Dynamic Overlay Attacks: Fake login screens deceive users into entering their banking or cryptocurrency credentials.
  • Advanced Code Protection: Integrates Virbox and native libraries for obfuscation, anti-debugging, and runtime integrity checks.
  • Stealth Operations: Drains accounts while displaying a black screen, making the phone look powered off.

Attackers also uninstall antivirus apps, abuse Android accessibility services, and harvest device PINs to conduct fraud.

🎯 Distribution Method

Klopatra spreads via dropper apps disguised as IPTV streaming tools. After installation, the dropper:

  1. Requests permission to install from unknown sources.
  2. Deploys the Klopatra payload via an embedded JSON Packer.
  3. Gains accessibility privileges, enabling remote control and fraud automation.

Pirated IPTV apps are deliberately used as bait, exploiting users’ willingness to install software from untrusted sources.
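
The chain above (sideloaded dropper, then accessibility privileges) leaves a combination a defender can check for: a third-party app that was not installed by a trusted store yet holds an enabled accessibility service. The following is an added example, not code from Cleafy or from the original article; it parses output in the format of `adb shell pm list packages -i -3` and `adb shell settings get secure enabled_accessibility_services`, and the package names, sample data, and trusted-installer list are assumptions made for illustration.

```python
import re

# Assumption: Google Play is the only trusted installer; extend for an MDM or vendor store.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")

def parse_installers(pm_output):
    """Map package name -> installer package (None when the installer is unset)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            inst = m.group("installer")
            installers[m.group("pkg")] = None if inst == "null" else inst
    return installers

def parse_accessibility(setting):
    """Map package -> enabled accessibility service components (colon-separated setting)."""
    services = {}
    setting = setting.strip()
    if not setting or setting == "null":  # no accessibility service enabled
        return services
    for component in setting.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg and cls:
            services.setdefault(pkg, []).append(component)
    return services

def flag_sideloaded_accessibility(pm_output, a11y_setting, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, services) for third-party apps that hold an enabled
    accessibility service and were not installed by a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, comps in parse_accessibility(a11y_setting).items():
        if pkg in installers and installers[pkg] not in trusted:
            findings.append((pkg, installers[pkg], comps))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample data; the package names are made up and are not indicators.
SAMPLE_PM = """package:com.example.bank  installer=com.android.vending
package:com.example.iptvplayer  installer=com.google.android.packageinstaller
package:com.example.reader  installer=com.android.vending
package:com.example.updatehelper  installer=null"""
SAMPLE_A11Y = ("com.example.reader/.ScreenReaderService:"
               "com.example.updatehelper/com.example.updatehelper.core.AssistService")

if __name__ == "__main__":
    for pkg, installer, comps in flag_sideloaded_accessibility(SAMPLE_PM, SAMPLE_A11Y):
        print(f"REVIEW {pkg} installer={installer} services={comps}")
```

A hit is a prompt for manual review, not a verdict: legitimately sideloaded accessibility tools will match as well.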

🌍 Attribution & Impact

Evidence points to a Turkish-speaking cybercrime group operating Klopatra as a private botnet, rather than a public malware-as-a-service platform.

  • At least 40 different builds have been identified since March 2025.
  • Operators prefer night-time attacks, when victims are asleep and devices are charging, ensuring uninterrupted fraud attempts.

⚠️ Why Klopatra Is Different

While it doesn’t reinvent mobile malware, Klopatra raises the bar by:

  • Adopting commercial-grade protections rarely seen in Android malware.
  • Blending stealth, persistence, and resilience in a single package.
  • Targeting both financial and cryptocurrency apps.

🛡️ What Users Can Do

  • Avoid downloading apps from unofficial sources.
  • Check permissions carefully before installing.
  • Use mobile security solutions and keep Android devices updated.
  • Monitor accounts for unusual activity, especially at night.

Klopatra is another reminder that mobile banking is a prime target for cybercriminals. Alcaeus helps organizations and users defend against such threats with advanced monitoring, fraud detection, and mobile security strategies.
