- Klopatra malware steals banking and crypto data, even when screen is off
- Distributed via fake IPTV+VPN app, requests Accessibility permissions for full device control
- Uses Virbox, anti-debugging, and encryption to evade detection and analysis
Cybersecurity researchers Cleafy have discovered a new, powerful Android trojan capable of stealing money from bank apps, stealing crypto from hot wallets, and even using the device while the screen is off.
Klopatra, an Android malware apparently built by a Turkish threat actor, does not resemble anything that’s already out there, meaning the tool was likely built from scratch. It was first spotted in March 2025, and since then has experienced 40 iterations, meaning the group is actively working on and developing the malware.
Klopatra is being distributed through standalone, malicious pages, rather than Google’s Play Store. It uses a dropper called Modpro IP TV + VPN, which pretends to be an IPTV and VPN app. Once the dropper is installed, it deploys Klopatra which, as usual for malicious apps, requests Accessibility Services permissions.
Thousands of victims
These permissions allow hackers to simulate taps, read screen content, steal credentials, and control apps silently – among other things.
Besides stealing people’s money, data, and fiddling around the phone, Klopatra also has a list of hardcoded Android antivirus names, which it then cross-references with the device and attempts to disable.
The malware also goes an extra mile to avoid being detected and analyzed.
It uses Virbox, a legitimate software protection and licensing platform, that defends apps against privacy, reverse engineering, and unauthorized use.
In this case, Virbox was used to prevent cybersecurity researchers from reverse-engineering and analyzing the malware. Furthermore, it uses native libraries to bring its Java and Kotlin use to a minimum, and recently started using NP Manager string encryption.
The researchers said the malware comes with multiple anti-debugging mechanisms, runtime integrity checks, and the ability to detect when it’s running in an emulator, thus preventing researchers from dissecting it.
So far, at least 3,000 devices across Europe are infected, Cleafy said.
