In late August 2025, Cleafy’s Threat Intelligence team uncovered Klopatra, a new, highly sophisticated Android banking trojan and Remote Access Trojan (RAT) that grants attackers full control of compromised devices and facilitates large-scale financial fraud.
Active campaigns in Spain and Italy have already infected over 3,000 devices, targeting users of major financial institutions and draining accounts while victims sleep.
Klopatra stands out through its integration of Virbox, a commercial-grade code protection tool rarely seen in mobile malware. Combined with a strategic shift of core logic from Java to native C/C++ libraries, this architecture dramatically reduces visibility to static analyzers and runtime detectors.
Virbox wraps the malicious payload in multiple layers of obfuscation, anti-debugging checks, emulator detection, and integrity validation, forcing researchers to expend significant time and resources to reverse-engineer its functions.
These design choices reflect a professionalization of mobile threats, as criminal operators invest in advanced protections to maximize malware lifespan and profitability.
Linguistic clues within the code—such as Turkish-language function names—and metadata from the Command and Control (C2) interface, point decisively to a Turkish-speaking group managing development, deployment, and monetization.
Infection Chain: From Dropper to RAT
Klopatra’s infection begins with a legitimate-looking dropper masquerading as “Mobdro Pro IP TV + VPN.” This pirated streaming app lures users to enable “Install Unknown Apps” permissions. Using a custom “JSON Packer,” the dropper hides the main payload and silently installs it once granted.

Upon installation, the trojan immediately requests Accessibility Services permission. Originally designed to assist users with disabilities, this powerful framework allows Klopatra to:
- Monitor the screen, capturing on-screen text (including passwords and balances).
- Record inputs, functioning as a comprehensive keylogger.
- Simulate taps and gestures, enabling autonomous navigation through banking applications.
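Because every capability listed above depends on the trojan holding Accessibility Services, the enabled-service list is one of the first things a device check or MDM policy should inspect. The script below is an added example (not Cleafy's or this article's code): it parses the value a handset returns for "adb shell settings get secure enabled_accessibility_services" and flags any service whose package is not on a vetted allowlist. The allowlist contents, the package names and the sample setting string are assumptions constructed for the demo so it runs offline.

```python
"""Flag Android accessibility services that are not on a vetted allowlist.

Added example; the real input string comes from
    adb shell settings get secure enabled_accessibility_services
which yields a colon-separated list of ComponentName entries (package/class),
or the literal "null" when nothing is enabled.
"""

# Hypothetical allowlist of assistive tools an organisation has vetted.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed sample: a legitimate TalkBack entry followed by an unknown
# service from a package posing as a streaming app (the lure category the
# article describes). The package name is a placeholder, not a real IoC.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamingapp/.AccessHelperService"
)


def parse_services(setting):
    """Split the setting into (package, fully qualified class) pairs."""
    pairs = []
    if setting is None or setting.strip() in ("", "null"):
        return pairs
    for entry in setting.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # malformed fragment, skip rather than guess
        pkg, cls = entry.split("/", 1)
        # A leading dot means the class name is relative to the package.
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def flag_unexpected(setting, allowlist=ALLOWLIST):
    """Return enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_services(setting)
            if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, cls in flag_unexpected(SAMPLE_SETTING):
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

A hit is not proof of infection on its own, but an accessibility service registered by a freshly sideloaded app that has no assistive purpose is exactly the condition the dropper described above creates, and it is cheap to alert on across a fleet.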
Hidden VNC: The Ultimate RAT Capability
At the heart of Klopatra lies a built-in VNC server offering two modes:
- Standard VNC: Displays the device screen to the operator, mirroring user activity.
- Hidden VNC: Activates a black overlay on the victim’s display, making the device appear powered off while the attacker performs actions in full stealth.
This “black screen” trick is initiated via the action_blackscreen command, after which operators can unlock the device using stolen PINs or patterns, launch banking apps, and execute fraudulent transfers without alerting the user.
Overlay Attacks and Data Exfiltration
Complementing direct control is a robust overlay module. When users open targeted banking or cryptocurrency apps, Klopatra fetches custom HTML from its C2 server and injects a perfect replica of the login screen.

Credentials entered by unwitting victims are immediately exfiltrated. Simultaneously, the trojan collects device metadata—model, battery level, installed apps—and packages all data into Base64-encoded JSON objects for transmission to the C2.
Cleafy’s analysis identified two primary botnets:
- adsservices.uk: Nearly 2,433 infections focused on Spain.
- adsservice2.org: Approximately 495 infections targeting Italy.
- A smaller third server (141.98.11.227) also serves Spanish victims.
A fourth domain, guncel-tv-player-lnat.com, appears to function as a staging environment for testing new features, with only nine bots registered across various countries.

Turkish origin is confirmed by function names like ArkaUcKomutIsleyicisi (“Backend Command Handler”), and C2 field names such as etiket, favori_durumu, and bot_notu. Operator notes—colloquial Turkish phrases documenting transaction attempts and PIN codes—provide direct evidence of a vertically integrated Turkish-speaking group handling every phase, from development to fraud execution.

Analysis of the JSON responses sent by the C2 servers revealed that many field names were Turkish words.
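The C2 infrastructure listed above and the Turkish field names in the C2 JSON are both usable as detection content. The script below is an added example (not Cleafy's or this article's code) that scans outbound web-proxy log lines for the article's indicators on two levels: a host match against the domains and IP named above, and a decode of any Base64 request body to see whether it is a JSON object carrying the field names etiket, favori_durumu or bot_notu. The log line format, timestamps, client addresses, paths and the sample beacon are constructed for the demo; only the hosts and field names come from the article.

```python
"""Flag proxy log lines that match Klopatra C2 indicators or carry a
Base64-encoded JSON beacon with the Turkish field names reported above.

Added example; the log format is an assumption:
    <timestamp> <client> <method> <host> <path> body=<base64 or ->
"""
import base64
import binascii
import json
import re

# Indicators quoted in the article.
C2_HOSTS = {
    "adsservices.uk",
    "adsservice2.org",
    "guncel-tv-player-lnat.com",
    "141.98.11.227",
}
# Turkish field names seen in the C2 JSON (also from the article).
C2_FIELDS = {"etiket", "favori_durumu", "bot_notu"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) body=(\S+)$")


def decode_json_blob(blob):
    """Return a dict if blob is Base64 of a JSON object, else None."""
    if blob == "-":
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
        obj = json.loads(raw)
    except (binascii.Error, ValueError):
        return None  # not Base64, not UTF-8, or not JSON
    return obj if isinstance(obj, dict) else None


def scan_line(line):
    """Return the reasons a line is suspicious; empty list when clean."""
    match = LOG_RE.match(line.strip())
    if not match:
        return []
    _ts, _client, _method, host, _path, body = match.groups()
    reasons = []
    if host in C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    obj = decode_json_blob(body)
    if obj is not None:
        hits = C2_FIELDS & set(obj)
        if hits:
            reasons.append("C2 field names " + ",".join(sorted(hits)))
    return reasons


def scan_log(lines):
    """Map each flagged line to its list of reasons."""
    flagged = {}
    for line in lines:
        reasons = scan_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample traffic: a beacon shaped like the article's description
# (Base64 JSON with Turkish keys), a bare request to a listed IP, the same
# beacon to an unlisted host, and a benign JSON body that must not fire.
SAMPLE_BEACON = base64.b64encode(json.dumps(
    {"etiket": "bot-1", "favori_durumu": 0, "bot_notu": "constructed note"}
).encode()).decode()
SAMPLE_BENIGN = base64.b64encode(json.dumps({"status": "ok"}).encode()).decode()

SAMPLE_LOG = [
    f"2025-09-01T02:14:07Z 10.0.0.12 POST adsservices.uk /api body={SAMPLE_BEACON}",
    "2025-09-01T02:14:09Z 10.0.0.12 GET 141.98.11.227 /list body=-",
    f"2025-09-01T02:15:00Z 10.0.0.33 POST 198.51.100.7 /upload body={SAMPLE_BEACON}",
    f"2025-09-01T02:16:30Z 10.0.0.44 POST api.example.net /ping body={SAMPLE_BENIGN}",
]


if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG).items():
        print(f"{line.split()[0]} {line.split()[3]}: {'; '.join(reasons)}")
```

The third sample line is the important one: the operators can rotate domains far faster than an IoC list is updated, so the body-level check on the field names keeps firing when the host check no longer does. In production the Base64 decode should be bounded in size and applied only to bodies the proxy actually logs.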
Implications and Recommendations
Klopatra marks a turning point in mobile malware, bringing desktop-grade protections to Android.
Financial institutions and anti-fraud teams must adopt solutions beyond signature-based detection, focusing on behavioral monitoring at the device level and real-time correlation of transaction anomalies.
Continuous threat intelligence sharing and proactive hunting for Virbox-protected Android samples will be crucial to mitigating this emerging threat.
As criminal groups embrace commercial obfuscation tools and native code frameworks, the security community must respond with improved analysis techniques, sandbox enhancements, and cross-industry collaboration to stay ahead of these sophisticated mobile RATs.