Cleafy’s Threat Intelligence team uncovered a new and highly sophisticated Android Remote Access Trojan (RAT) named Klopatra. Unlike typical mobile malware, Klopatra has no clear ties to existing malware families, signaling a dangerous evolution in the Android threat landscape.
According to Cleafy, “Klopatra represents a significant evolution in mobile malware sophistication. It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze.”
At its core, Klopatra is a banking Trojan equipped with a powerful fraud arsenal, including Hidden VNC for complete remote device control and dynamic overlay attacks for credential theft. The malware has already been linked to over 3,000 compromised devices, primarily targeting banking customers in Spain and Italy.
The Klopatra campaign begins with social engineering. Victims are lured into downloading a dropper disguised as a pirated IPTV app called “Mobdro Pro IP TV + VPN.” Once installed, the app requests the critical REQUEST_INSTALL_PACKAGES permission, tricking users into allowing the installation of unknown apps.

As Cleafy explains, “Once permission is obtained, the dropper silently extracts and installs the main Klopatra payload, completing the initial installation process.”
Once active, the Trojan abuses Android Accessibility Services, granting it the ability to monitor screens, capture keystrokes, and execute actions invisibly on behalf of the victim. Cleafy notes, “This single permission grants the malware almost unlimited powers over the device … allowing Klopatra to operate with the same level of authority as the legitimate user, but completely invisibly.”
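The two-stage chain described above (a dropper that asks for REQUEST_INSTALL_PACKAGES, then a payload that binds an Accessibility Service and draws overlays) can be triaged statically from a decoded AndroidManifest.xml. The following script is an added example, not code from Cleafy or from the malware; the two manifests it inspects are constructed to mirror the stages the article describes and the package names and service name are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name: str) -> str:
    """Qualified android: attribute name for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{name}"

# Constructed manifests modelled on the dropper/payload chain described above.
# Package and class names are invented; these are not the real Klopatra samples.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="tv.example.iptv">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Mobdro Pro IP TV + VPN"/>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="tv.example.core">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Update">
    <service android:name=".A11y"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    """Flag the capabilities the article attributes to the dropper and the payload."""
    root = ET.fromstring(xml_text)
    perms = {e.get(attr("name")) for e in root.iter("uses-permission")}
    a11y = [s.get(attr("name")) for s in root.iter("service")
            if s.get(attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    findings = {
        "package": root.get("package"),
        # Dropper indicator: the app can prompt the user to sideload another APK.
        "sideload_installer": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
        # Payload indicators: Accessibility control plus the ability to draw overlays.
        "accessibility_service": bool(a11y),
        "overlay_capable": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "accessibility_services": a11y,
    }
    findings["stage"] = ("payload" if findings["accessibility_service"]
                         else "dropper" if findings["sideload_installer"] else "none")
    return findings
```

These are triage signals, not proof: app stores, enterprise installers and genuine accessibility tools legitimately declare the same permissions, so a hit should be followed by a look at where the APK came from and what the service actually does.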
What sets Klopatra apart is its advanced evasion architecture. By shifting core logic into native code and layering it with Virbox obfuscation, the malware is built for stealth.
Cleafy reports, “Unlike typical Android malware that implements most of its logic in Java/Kotlin, Klopatra shifts its core functionalities to the native layer … integrating robust anti-debugging mechanisms, runtime integrity checks, and emulator detection routines.”
Once established, Klopatra provides operators with two modes of control:
- Standard VNC: Attackers see and interact with the victim’s device in real time.
- Hidden VNC: The victim’s screen is blacked out, making the phone appear off or locked, while attackers secretly perform banking transactions.
Overlay attacks complement these features by tricking victims into entering banking credentials into fake login screens, which are instantly exfiltrated to the attacker’s C2 servers.
Through linguistic and infrastructure analysis, Cleafy identified the operators as a Turkish-speaking group. Evidence includes variable names in Turkish, C2 panel fields labeled with Turkish terms like “etiket” (label) and “bot_notu” (bot note), and even vulgar operator notes written directly into the malware’s backend.
One note read: “7k atılan piç şifre z” — a frustrated remark likely describing a failed €7,000 fraud attempt and documenting a victim’s device unlock pattern.
Cleafy concludes, “The linguistic consistency between the malware’s code, the C2 panel interface, and the colloquial operational notes … strongly suggests a vertically integrated criminal operation.”
Two main botnets were identified, each tied to European campaigns:
- Spain: Nearly 1,000 active infections controlled via adsservices[.]uk.
- Italy: Around 450 devices compromised through adsservice2[.]org.
A third server, guncel-tv-player-lnat[.]com, appears to function as a staging environment for testing new builds.
Cleafy’s platform even reconstructed a live nocturnal fraud attempt, where attackers waited until the victim’s phone was charging and idle, then:
- Activated a black overlay.
- Unlocked the device using previously stolen credentials.
- Opened the banking app.
- Initiated multiple instant transfers while the victim slept.
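The nocturnal sequence above (charging, idle, black overlay, unlock, banking app, burst of instant transfers) is the kind of pattern an on-device or banking-side fraud engine can score. The script below is an added example, not Cleafy's detection logic; the pipe-delimited telemetry lines, the event names and the bank package name are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed on-device telemetry (timestamp|event|value) modelled on the night-time
# sequence reconstructed above; not data from the Cleafy report.
SESSION_LOG = """\
2025-06-12T02:41:05|power|charging
2025-06-12T02:41:05|idle|true
2025-06-12T02:41:09|overlay|black
2025-06-12T02:41:12|unlock|success
2025-06-12T02:41:20|foreground|com.example.bank
2025-06-12T02:42:01|transfer|instant
2025-06-12T02:43:14|transfer|instant
2025-06-12T02:44:30|transfer|instant
"""

NIGHT_HOURS = range(0, 6)            # local hours treated as sleeping time
TRANSFER_WINDOW = timedelta(minutes=10)

def parse_events(log: str):
    """Yield (timestamp, event, value) tuples from the pipe-delimited log."""
    for line in log.splitlines():
        ts, event, value = line.split("|")
        yield datetime.fromisoformat(ts), event, value

def score_session(log: str) -> dict:
    """Track device state and flag the charging-idle-overlay-transfer pattern."""
    state = {"charging": False, "idle": False, "overlay": False, "unlocked": False}
    transfers = []
    for ts, event, value in parse_events(log):
        if event == "power":
            state["charging"] = value == "charging"
        elif event == "idle":
            state["idle"] = value == "true"
        elif event == "overlay":
            state["overlay"] = value == "black"
        elif event == "unlock":
            state["unlocked"] = value == "success"
        elif event == "transfer" and value == "instant":
            # Only transfers started while a black overlay hides the screen count.
            if state["overlay"]:
                transfers.append(ts)
    night = any(t.hour in NIGHT_HOURS for t in transfers)
    burst = len(transfers) >= 2 and transfers[-1] - transfers[0] <= TRANSFER_WINDOW
    flagged = state["charging"] and state["idle"] and state["unlocked"] and night and burst
    return {"covert_transfers": len(transfers), "night": night, "burst": burst,
            "flagged": flagged}
```

A flagged session is a reason to hold the transfers for step-up verification through a channel the phone cannot answer on its own, not a verdict on its own.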
Cleafy warns that Klopatra “marks a significant step in the professionalization of mobile malware, demonstrating a clear trend of TAs adopting commercial-grade protections to maximize the lifespan and profitability of their operations.”
With at least 40 different builds tracked since March 2025, Klopatra is rapidly evolving. The malware’s combination of spyware-like monitoring, RAT-level control, and advanced financial fraud modules makes it a harbinger of future Android threats.