Klopatra Banking Trojan
A previously unknown Android banking trojan, Klopatra, has compromised over 3,000 devices, with Spain and Italy being the hardest hit. Discovered in late August 2025 by infosec researchers, this sophisticated malware blends remote access trojan (RAT) capabilities with advanced evasion techniques, targeting financial information and enabling fraudulent transactions.
Sophisticated Attack Techniques and Remote Control
Klopatra leverages Hidden Virtual Network Computing (VNC) to gain remote control of infected devices. It uses dynamic overlays to steal credentials and execute unauthorized transactions. Unlike conventional mobile malware, Klopatra integrates native libraries and the commercial-grade Virbox code protection suite, making detection and analysis extremely difficult.
Analysis of the malware's Command-and-Control (C2) infrastructure and linguistic clues indicates a Turkish-speaking criminal group operates Klopatra as a private botnet, rather than offering it as a public malware-as-a-service (MaaS). Since March 2025, 40 distinct builds of the trojan have been identified.
How Victims Are Lured In
Klopatra spreads via social engineering tactics, tricking users into installing dropper apps that masquerade as harmless tools, such as IPTV streaming applications. These apps exploit users' willingness to install pirated software from untrusted sources.
Once installed, the dropper requests permissions to install packages from unknown sources. It then extracts the main Klopatra payload from an embedded JSON Packer. The malware additionally requests Android accessibility services, which, while designed to assist users with disabilities, can be abused to:
- Read screen contents
- Record keystrokes
- Execute actions autonomously
This allows attackers to perform financial fraud without the victim's knowledge.
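The accessibility permission described above is the single capability the rest of the fraud chain depends on, so the first thing an analyst or support technician wants from a suspect phone is the list of apps that hold it and where each one came from. The script below is an added example written for this write-up, not tooling from the original report or from the researchers who found Klopatra. It assumes the two adb queries it parses (`settings get secure enabled_accessibility_services`, a colon-separated list of `package/service` entries, and `pm list packages -i`, which prints `package:<name>  installer=<pkg>` per line) and flags any enabled accessibility service whose package was not installed by the Play Store. The package names and service names in the sample output are constructed for the example.

```python
"""Triage enabled accessibility services against each app's installer.

Added example (not from the original article or any vendor tool). Flags the
combination a dropper like the one described relies on: an app installed
from somewhere other than the Play Store that has an accessibility service
switched on. The two sample strings are constructed to match the output
shape of the adb commands named in the comments; the package names are made up.
"""
from __future__ import annotations

from dataclasses import dataclass

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.svc.AccService"
)

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES_WITH_INSTALLER = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=com.android.packageinstaller
package:com.example.bank  installer=com.android.vending
package:com.android.settings  installer=null
"""


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: str | None
    reason: str


def parse_enabled_services(raw: str) -> dict[str, str]:
    """Map package -> fully qualified service from the colon-separated setting."""
    services: dict[str, str] = {}
    for entry in raw.strip().split(":"):
        if not entry:  # empty setting or trailing colon
            continue
        pkg, _, svc = entry.partition("/")
        services[pkg] = svc
    return services


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package -> installer package; 'null' (preinstalled) becomes None."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installer: str | None = None
        for token in rest.split():
            if token.startswith("installer="):
                value = token[len("installer="):]
                installer = None if value == "null" else value
        installers[pkg] = installer
    return installers


def triage(enabled_raw: str, installers_raw: str,
           trusted_installers: frozenset[str] = frozenset({PLAY_STORE_INSTALLER})) -> list[Finding]:
    """Return one Finding per enabled accessibility service not installed by a trusted store."""
    services = parse_enabled_services(enabled_raw)
    installers = parse_installers(installers_raw)
    findings: list[Finding] = []
    for pkg, svc in services.items():
        installer = installers.get(pkg)
        if installer in trusted_installers:
            continue
        if installer is None:
            reason = "accessibility service enabled; installer unknown or preinstalled"
        else:
            reason = f"accessibility service enabled; sideloaded via {installer}"
        findings.append(Finding(pkg, svc, installer, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES_WITH_INSTALLER):
        print(f"{f.package} ({f.service}): {f.reason}")
```

On a live device the two strings would come from `adb shell` rather than the constructed samples; preinstalled apps report `installer=null`, so an accessibility service belonging to a system app is surfaced for review rather than silently trusted, and the caller can widen `trusted_installers` for enterprise app stores.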
Advanced Architecture for Stealth and Resilience
Klopatra stands out due to its advanced, resilient design:
- Virbox integration protects the malware from analysis.
- Core functions are shifted from Java to native libraries for increased stealth.
- Extensive code obfuscation, anti-debugging, and runtime integrity checks hinder detection.
- Operators gain real-time, granular control via VNC, including the ability to:
  - Serve a black screen overlay to hide malicious activity.
  - Execute banking transactions secretly.
  - Dynamically deliver fake login screens to targeted financial and cryptocurrency apps.
The malware also disables pre-installed antivirus software and can escalate its permissions using accessibility services to prevent termination.
Fraud Execution and Strategic Timing
Klopatra's operators follow a carefully orchestrated attack sequence:
- Check if the device is charging, the screen is off, and the device is idle.
- Reduce screen brightness to zero and display a black overlay.
- Use stolen PINs or patterns to access banking apps.
- Execute multiple instant bank transfers undetected.
This nighttime strategy ensures devices remain powered and unattended, giving attackers an ideal window to operate while victims sleep.
Implications for the Financial Sector
While Klopatra does not reinvent mobile malware, it represents a significant escalation in threat sophistication. By adopting commercial-grade protections and stealth tactics, the operators maximize both profitability and the lifespan of their operations.
Google has confirmed that no infected apps have been found on Google Play, but the malware's reliance on third-party and pirated app distribution channels underscores the ongoing risk to mobile users.