- Klopatra Malware steals bank and crypto data even when the screen is off
- Distributed via a fake IPTV+VPN app; requests accessibility permissions to take full control of the device
- Uses Virbox, anti-debugging and encryption to evade detection and analysis
Cybersecurity researchers at Cleafy have discovered a new, powerful Android Trojan capable of stealing money from banking apps, stealing crypto from hot wallets, and even operating the device while the screen is off.
Klopatra, an Android malware apparently built by a Turkish threat actor, does not resemble anything already out there, which suggests the tool was built from scratch. It was first discovered in March 2025, and since then it has gone through 40 iterations, which means the group is actively developing the malware.
Klopatra is distributed through standalone malicious pages rather than Google's Play Store. It uses a dropper called ModPro IP TV + VPN that pretends to be an IPTV and VPN app. Once the dropper is installed, it deploys Klopatra, which, as is usual for malicious apps, requests access to accessibility services.
Thousands of victims
These permissions allow the attackers to simulate taps, read screen content, steal credentials and operate apps silently, among other things.
In addition to stealing people's money and data and rummaging around the phone, Klopatra also carries a hard-coded list of Android antivirus package names, which it cross-references against the apps on the device and then tries to disable.
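The capability described above rests on one thing: the malicious app being granted the accessibility-service permission. As an added defensive example (not code from Cleafy or from the article), the script below audits which apps currently hold that permission on an Android device. On a real device the raw value comes from `adb shell settings get secure enabled_accessibility_services`, which returns `package/ServiceClass` entries separated by colons; the sample value and the allowlist here are constructed for the example.

```python
# Added example: audit enabled Android accessibility services and flag any
# package that is not on an expected allowlist. Not part of the original
# article or the Cleafy report.
#
# Real-device input would be captured with:
#   adb shell settings get secure enabled_accessibility_services
# The SAMPLE_SETTING below is a constructed stand-in for that output.

from typing import Iterable, List

# Constructed sample: a legitimate screen reader plus a suspicious entry
# from a hypothetical "IPTV/VPN" package.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvvpn/com.example.iptvvpn.AccessService"
)

# Hypothetical allowlist: packages an organisation expects to hold the
# permission (screen readers, MDM agents). Anything else gets flagged.
EXPECTED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> List[str]:
    """Split the colon-separated setting value into package/service entries.

    'settings get' prints the literal string 'null' when nothing is set, so
    treat that the same as an empty value.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def package_of(entry: str) -> str:
    """Return the package name part of a 'package/ServiceClass' entry."""
    return entry.split("/", 1)[0]


def unexpected_services(raw: str, allow: Iterable[str] = EXPECTED_PACKAGES) -> List[str]:
    """Return the entries whose package is not on the allowlist."""
    allowed = set(allow)
    return [e for e in parse_enabled_services(raw) if package_of(e) not in allowed]


if __name__ == "__main__":
    for entry in unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", entry)
```

In a fleet setting the same check can be run by an MDM agent on a schedule; a newly enabled accessibility service from a package that was side-loaded rather than installed from Play is exactly the event worth alerting on.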
The malware also goes the extra mile to avoid being discovered and analyzed.
It uses Virbox, a legitimate software protection and licensing platform that defends apps against piracy, reverse engineering and unauthorized use.
In this case, Virbox was used to prevent cybersecurity researchers from reverse engineering and analyzing the malware. In addition, it uses native libraries to keep its Java and Kotlin code to a minimum, and it recently started using NP Manager string encryption.
The researchers said the malware comes with multiple anti-debugging mechanisms, runtime integrity checks and the ability to detect when it is running in an emulator, all of which hinder researchers from dissecting it.
So far, at least 3,000 devices across Europe have been infected, Cleafy said.