A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.
Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions.
“Klopatra represents a significant evolution in mobile malware sophistication,” security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said. “It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze.”
Evidence gathered from the malware’s command-and-control (C2) infrastructure and linguistic clues in the associated artifacts suggests that it is being operated by a Turkish-speaking criminal group as a private botnet, given the absence of a public malware-as-a-service (MaaS) offering. As many as 40 distinct builds have been discovered since March 2025.
Attack chains distributing Klopatra employ social engineering lures to trick victims into downloading dropper apps that masquerade as seemingly harmless tools, such as IPTV applications, allowing the threat actors to bypass security defences and completely take control of their mobile devices.
Source: thehackernews.com
