Klopatra: New Android RAT Uses Hidden VNC and Commercial Obfuscation to Hijack European Banking Accounts
A new Android banking trojan known as Klopatra has infected more than three thousand smartphones within just a few weeks, the majority of which are located in Spain and Italy. The malware was discovered by the Italian cybersecurity firm Cleafy in late August 2025. Analysis revealed that it is a fully fledged Remote Access Trojan (RAT) employing a combination of sophisticated techniques: a hidden VNC module for device control, dynamic screen overlays for credential theft, and automated transaction execution mechanisms.
Researchers emphasized that Klopatra stands out among similar mobile threats due to its use of technologies rarely seen in Android malware. Its developers integrated Virbox, a commercial code protection system typically reserved for enterprise software, into the trojan’s architecture — a highly uncommon approach in the mobile threat landscape. Moreover, several critical functions were migrated from Java to native libraries, significantly increasing its resistance to analysis. The malware also employs heavy obfuscation, anti-debugging techniques, and runtime integrity checks, making detection and reverse engineering exceedingly difficult.
An investigation into the command-and-control (C2) infrastructure and related artifacts suggests that a Turkish-speaking cybercriminal group is operating Klopatra as a private botnet. Since March 2025, roughly forty distinct builds have been identified. The malware is distributed through droppers disguised as IPTV applications — a deliberate choice, as such pirated services are popular and often installed from unverified sources, exposing users to infection risks.
After installation, the dropper requests permission to install packages from unknown sources. Once granted, it extracts the main payload from an embedded JSON Packer and installs it onto the device. The trojan then seeks access to the Android Accessibility Services, a legitimate feature originally designed to assist users with disabilities.
In the hands of attackers, this mechanism becomes a powerful espionage and control tool — allowing them to read on-screen content, intercept keystrokes, and perform actions on behalf of the victim. This enables the malware to automatically initiate and complete banking transactions without the user’s knowledge.
One of Klopatra’s most dangerous capabilities is its ability to grant operators full real-time control of the infected device through a hidden VNC session. During such sessions, the victim’s screen displays a black background, creating the illusion that the phone is inactive or turned off. Meanwhile, attackers — armed with previously stolen PINs or unlock patterns — can open banking applications and execute rapid fund transfers.
To conceal its activity, Klopatra dims the device’s brightness to zero and overlays a black screen, ensuring that victims remain unaware of the ongoing intrusion. Most observed attacks occur at night, when phones are typically charging and their owners are asleep.
The malware also leverages accessibility permissions to grant itself additional privileges, prevent removal, and uninstall certain antivirus tools if present. Furthermore, it can download fake login interfaces for banking and cryptocurrency apps from its C2 server, seamlessly replacing legitimate screens to harvest credentials without detection.
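The infection chain described above (a sideloaded dropper that then obtains Accessibility Services access) leaves a footprint that an incident responder can check for with adb. The following triage script is an added example, not code from Cleafy or the article: it parses constructed sample output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags any package that has an enabled accessibility service but was not installed by a trusted store; the package names, the allow-lists and the exact output format are assumptions.

```python
import re

# Constructed sample output (not captured from a real device) of
# `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass" pairs.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.svc.A11yService"
)

# Constructed sample output of `adb shell pm list packages -i`.
# "installer=null" is what a sideloaded (unknown-source) app shows.
PM_LIST_I = """package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Assumed allow-lists; tune for the fleet being investigated.
TRUSTED_INSTALLERS = {"com.android.vending"}
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}


def parse_a11y(raw):
    """Return the set of packages that own an enabled accessibility service."""
    return {entry.split("/")[0] for entry in raw.strip().split(":") if entry}


def parse_installers(raw):
    """Map package name -> installer package (None when sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def flag_suspicious(a11y_raw, pm_raw):
    """List (package, installer) pairs that combine accessibility access
    with an untrusted or unknown install source: the Klopatra pattern."""
    installers = parse_installers(pm_raw)
    findings = []
    for pkg in sorted(parse_a11y(a11y_raw)):
        if pkg in TRUSTED_A11Y:
            continue
        if installers.get(pkg) not in TRUSTED_INSTALLERS:
            findings.append((pkg, installers.get(pkg)))
    return findings


if __name__ == "__main__":
    for pkg, src in flag_suspicious(ENABLED_A11Y, PM_LIST_I):
        print(f"SUSPICIOUS: {pkg} has accessibility access, installer={src}")
```

A hit is a reason to pull the APK for analysis, not proof of infection by itself; legitimate accessibility tools installed outside the Play Store will also be listed.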
Experts warn that although Klopatra introduces no radically new concepts, the combination of advanced code protection, stealth mechanisms, and operational sophistication makes it one of the most dangerous mobile banking trojans discovered in recent years. It represents a fusion of professional-grade security technologies and highly adaptive exploitation strategies — posing a severe threat to users of financial services.
Commenting on the situation, Google confirmed that none of the infected apps were distributed through the official Google Play Store. The company stated that Play Protect — enabled by default on all devices with Google Play services — can block or warn users about attempts to install known malicious versions, even when downloaded from third-party sources.