“Klopatra” Trojan Spreads Across Europe, Using VNC to Control Devices While Screens Are Off


381/68 Friday, October 3, 2025

Cybersecurity researchers from Cleafy have uncovered a new Android malware named “Klopatra”, which disguises itself as IPTV and VPN apps and has infected over 3,000 devices in Europe. Classified as both a banking trojan and a remote access trojan (RAT), Klopatra comes with advanced capabilities such as real-time screen monitoring, keylogging, clipboard data theft, and a hidden Virtual Network Computing (VNC) mode that allows attackers to take direct control of infected devices.

What makes Klopatra particularly concerning is its abuse of the Android Accessibility Service to gain elevated permissions, record user input, and simulate taps or swipes. In its “black-screen VNC mode”, attackers can secretly conduct financial transactions on compromised devices while the victim believes their phone is locked or in sleep mode. The malware is under continuous development, and it uses string encryption, anti-debugging mechanisms, and checks that prevent execution in emulator environments in order to avoid detection.

Evidence suggests that Klopatra is developed and operated by Turkish-speaking cybercriminals, with at least two active campaigns traced back to March 2025 and more than 40 updated versions identified since. Researchers warn Android users to avoid downloading APK files from untrusted sources, deny suspicious Accessibility permission requests, and keep Google Play Protect enabled at all times to reduce the risk of infection from stealthy and highly capable malware like Klopatra.
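The advice above about Accessibility permissions and untrusted APKs can be checked on a device. The following is an added example, not code from Cleafy or the source article: it parses output captured with `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`, and lists enabled accessibility services that belong to non-system apps not installed by Google Play. The package names and sample output are constructed.

```python
import re

PLAY_STORE = "com.android.vending"

# Constructed sample output; the com.example.* package names are hypothetical.
ENABLED = ("com.google.android.marvin.talkback/"
           "com.google.android.marvin.talkback.TalkBackService:"
           "com.example.iptvplayer/.HelperService:"
           "com.example.pwmanager/.AutofillService")
PM_I = """package:com.google.android.marvin.talkback  installer=null
package:com.example.iptvplayer  installer=null
package:com.example.pwmanager  installer=com.android.vending
"""
PM_S = "package:com.google.android.marvin.talkback\n"

def enabled_packages(settings_output):
    """Packages owning an enabled accessibility service (pkg/class:pkg/class)."""
    text = settings_output.strip()
    if not text or text == "null":  # 'null' is printed when the key is unset
        return []
    pkgs = [c.split("/", 1)[0] for c in text.split(":") if c]
    return list(dict.fromkeys(pkgs))  # de-duplicate, keep order

def installers(pm_i_output):
    """Map package -> installer from 'pm list packages -i' lines."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_i_output, re.M))

def system_packages(pm_s_output):
    """Set of package names from 'pm list packages -s'."""
    return set(re.findall(r"^package:(\S+)", pm_s_output, re.M))

def sideloaded_accessibility(settings_output, pm_i_output, pm_s_output):
    """Enabled accessibility services from non-system apps not installed by Play."""
    inst = installers(pm_i_output)
    system = system_packages(pm_s_output)
    flagged = []
    for pkg in enabled_packages(settings_output):
        source = inst.get(pkg, "unknown")
        # Preinstalled apps also report installer=null, so exclude system packages.
        if pkg not in system and source != PLAY_STORE:
            flagged.append((pkg, source))
    return flagged

if __name__ == "__main__":
    for pkg, source in sideloaded_accessibility(ENABLED, PM_I, PM_S):
        print(f"review: {pkg} (installer={source})")
```

The result is a review list, not a verdict: a flagged app is one that holds Accessibility access and did not come from Google Play.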

Source: https://www.bleepingcomputer.com/news/security/android-malware-uses-vnc-to-give-attackers-hands-on-access/