This dangerous new Android malware disguises itself as a VPN or IPTV app - so be on your guard
Klopatra has already been upgraded dozens of times

- Klopatra malware steals banking and crypto data, even when screen is off
- Distributed via fake IPTV+VPN app, requests Accessibility permissions for full device control
- Uses Virbox, anti-debugging, and encryption to evade detection and analysis
Cybersecurity researchers at Cleafy have discovered a new, powerful Android trojan capable of stealing money from bank apps, stealing crypto from hot wallets, and even using the device while the screen is off.
Klopatra, an Android malware apparently built by a Turkish threat actor, does not resemble anything that’s already out there, meaning the tool was likely built from scratch. It was first spotted in March 2025 and has since gone through 40 iterations, meaning the group is actively developing the malware.
Klopatra is being distributed through standalone, malicious pages, rather than Google’s Play Store. It uses a dropper called Modpro IP TV + VPN, which pretends to be an IPTV and VPN app. Once the dropper is installed, it deploys Klopatra which, as usual for malicious apps, requests Accessibility Services permissions.
Thousands of victims
These permissions allow hackers to simulate taps, read screen content, steal credentials, and control apps silently - among other things.
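For defenders, the two traits described above (installation from outside the Play Store and an enabled Accessibility service) can be checked together on a device under review. The following is an added example, not code from Cleafy or the article; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names and sample output are constructed.

```python
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvvpn/.core.HelperService"  # hypothetical sideloaded app
)

# Constructed sample of: adb shell pm list packages -i
PACKAGES_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvvpn  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Assumption: only the Play Store counts as a trusted install source.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_a11y(value):
    """Return the packages that own an enabled accessibility service."""
    value = value.strip()
    if not value or value == "null":
        return set()
    # The setting is a colon-separated list of package/ServiceClass entries.
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_installers(pm_output):
    """Map package name -> installer package (None when none is recorded)."""
    installers = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def sideloaded_a11y(a11y_value, pm_output, trusted=TRUSTED_INSTALLERS):
    """Packages with accessibility enabled that no trusted store installed."""
    installers = parse_installers(pm_output)
    return sorted(
        pkg for pkg in parse_a11y(a11y_value)
        if installers.get(pkg) not in trusted
    )


if __name__ == "__main__":
    for pkg in sideloaded_a11y(ENABLED_A11Y, PACKAGES_I):
        print("review:", pkg)
```

Preinstalled system apps also report no installer, so each hit is a prompt for manual review rather than a verdict.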
Besides stealing people’s money and data and tampering with the phone, Klopatra also carries a hardcoded list of Android antivirus names, which it cross-references with the device and attempts to disable.
The malware also goes the extra mile to avoid being detected and analyzed.
It uses Virbox, a legitimate software protection and licensing platform that defends apps against piracy, reverse engineering, and unauthorized use.
In this case, Virbox was used to prevent cybersecurity researchers from reverse-engineering and analyzing the malware. Furthermore, it uses native libraries to bring its Java and Kotlin use to a minimum, and recently started using NP Manager string encryption.
The researchers said the malware comes with multiple anti-debugging mechanisms, runtime integrity checks, and the ability to detect when it’s running in an emulator, thus preventing researchers from dissecting it.
So far, at least 3,000 devices across Europe are infected, Cleafy said.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.