
Android Malware Grants Attackers Remote Hands-On Control

Summary

– Klopatra is a new Android banking trojan disguised as an IPTV/VPN app that has infected over 3,000 devices in Europe.
– The malware can monitor screens in real time, capture inputs, simulate gestures, and operate in a hidden VNC mode to drain accounts.
– It infiltrates devices through the “Modpro IP TV + VPN” dropper app distributed outside the Google Play store.
– Klopatra uses anti-analysis features like code protection, anti-debugging, and emulator detection to evade security tools.
– Researchers attribute Klopatra to a Turkish-speaking cybercrime group and advise users to avoid third-party APKs and reject Accessibility Service permissions.

A newly identified Android banking trojan and remote access tool, known as Klopatra, has successfully compromised over 3,000 mobile devices throughout Europe. This malicious software cleverly disguises itself as a legitimate IPTV and VPN application, tricking users into installing it from sources outside the official Google Play store. The malware grants attackers comprehensive remote control over infected devices, enabling real-time screen monitoring, gesture simulation, and unauthorized access to sensitive financial data.

Cybersecurity experts at Cleafy report that Klopatra does not appear to be related to any known Android malware families. Evidence suggests it was developed by a Turkish-speaking cybercriminal group. The trojan’s primary objectives include stealing banking login details through overlay attacks, capturing clipboard content and keystrokes, draining bank accounts via a hidden VNC (Virtual Network Computing) system, and gathering information from cryptocurrency wallet applications.

Klopatra infiltrates devices through a dropper application named “Modpro IP TV + VPN,” which is distributed through unofficial channels. The installation process is designed to appear legitimate, but once inside, the malware activates its harmful functions.

To hinder analysis, Klopatra integrates Virbox, a commercial-grade code protection tool that makes reverse-engineering difficult. It also uses native libraries to minimize its Java and Kotlin code footprint and employs NP Manager string encryption in newer versions. The malware includes multiple anti-debugging features, runtime integrity checks, and emulator detection to avoid security research environments.

A critical aspect of Klopatra’s operation is its abuse of Android’s Accessibility service. By convincing users to grant this permission, the malware gains the ability to capture user inputs, simulate taps and gestures, and monitor everything displayed on the screen, including passwords and confidential information.

One of the most dangerous features is a black-screen VNC mode, which allows attackers to remotely operate the device while the screen appears locked or turned off to the victim. This mode supports all actions needed to conduct manual banking transactions, such as tapping specific screen coordinates, swiping, and long-pressing. Klopatra intelligently waits for moments when the device is charging or the screen is off before activating this mode to avoid raising suspicion.

To maintain persistence, Klopatra contains a hardcoded list of package names for widely used Android antivirus applications and attempts to uninstall them. This evasive tactic helps the malware avoid detection and removal by security software.

Based on language clues and development notes, researchers attribute Klopatra to a Turkish threat actor. They have identified several command and control (C2) servers linked to two separate campaigns, which together account for the 3,000 confirmed infections.

Although the operators used Cloudflare to conceal their infrastructure, a configuration error revealed original IP addresses, allowing researchers to connect the C2 servers to a single hosting provider. Since its emergence in March 2025, Klopatra has undergone 40 distinct updates, indicating active development and rapid refinement.

To protect against such threats, Android users should avoid downloading APK files from untrustworthy websites, carefully reject requests for Accessibility Service permissions, and ensure that Google Play Protect remains enabled on their devices.
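The two signals the article keeps returning to, an APK installed from outside a store and an Accessibility Service granted to an app that has no business holding one, are both visible from a device's own package manager and settings. The following Python script is an added example written for this page; it is not code from the article, from Cleafy or from Bleeping Computer. It parses the output of two standard commands, `adb shell pm list packages -i` (package name plus installing package, `installer=null` for a sideloaded APK) and `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` entries), and flags the combination that characterises this family: a sideloaded app holding an Accessibility Service. The sample outputs are constructed, every package name in them is hypothetical, and the store and accessibility allowlists are assumptions to adjust for a given fleet.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of `adb shell pm list packages -i` output.
# All package names are hypothetical; "installer=null" is how the package
# manager reports an APK that did not arrive through a store client.
PM_LIST_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.iptvvpn  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass" pairs.
A11Y_OUTPUT = (
    "com.example.iptvvpn/com.example.iptvvpn.AccessService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

# Assumption: only the Google Play client counts as a store installer.
# Anything else, including null, is treated as sideloaded.
STORE_INSTALLERS = {"com.android.vending"}

# Assumption: a screen reader is a legitimate holder of the Accessibility
# Service; managed fleets would extend this list.
A11Y_ALLOWLIST = {"com.google.android.marvin.talkback"}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    severity: str   # "high", "medium" or "low"
    reason: str


def parse_installers(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installing package (None when pm reports null)."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue   # skip blank lines and anything not in the expected shape
        pkg, installer = m.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def parse_enabled_accessibility(text: str) -> Set[str]:
    """Return the packages that currently hold an enabled Accessibility Service."""
    text = text.strip()
    if not text or text == "null":   # setting unset: no services enabled
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(pm_text: str, a11y_text: str) -> List[Finding]:
    """Rank installed packages by how closely they match the sideloaded-plus-accessibility pattern."""
    installers = parse_installers(pm_text)
    a11y_pkgs = parse_enabled_accessibility(a11y_text)
    findings: List[Finding] = []
    for pkg, installer in installers.items():
        sideloaded = installer not in STORE_INSTALLERS
        has_a11y = pkg in a11y_pkgs and pkg not in A11Y_ALLOWLIST
        if sideloaded and has_a11y:
            findings.append(Finding(pkg, "high", "sideloaded app holds an Accessibility Service"))
        elif has_a11y:
            findings.append(Finding(pkg, "medium", "store app holds a non-allowlisted Accessibility Service"))
        elif sideloaded:
            findings.append(Finding(pkg, "low", f"installed outside a store (installer={installer})"))
    # An accessibility grant for a package the package list does not know about
    # usually means the two outputs came from different devices; report it anyway.
    for pkg in a11y_pkgs - set(installers) - A11Y_ALLOWLIST:
        findings.append(Finding(pkg, "medium", "accessibility service enabled for unknown package"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.package))


if __name__ == "__main__":
    for f in triage(PM_LIST_OUTPUT, A11Y_OUTPUT):
        print(f"[{f.severity:6}] {f.package}: {f.reason}")
```

On a real device, capture the two command outputs and pass them to `triage()` in place of the constructed strings. The "high" bucket is deliberately narrow: a sideloaded app on its own is common on developer phones, and an Accessibility Service on its own belongs to screen readers and automation tools, but an app that needed neither a store nor a visible purpose and still holds the service is exactly the situation the report describes and merits removing the app and revoking the grant.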

(Source: Bleeping Computer)
