A newly identified Android banking and remote access trojan (RAT) known as Klopatra has infected more than 3,000 devices across Europe, according to security researchers who analyzed the campaign. The malware is distributed via a sideloaded dropper app called Modpro IP TV + VPN and combines automated overlay theft with a human-operated, stealthy remote-control capability that enables direct manipulation of victim devices for financial fraud.
Klopatra’s operators designed the malware to harvest banking credentials, exfiltrate clipboard contents and keystrokes, gather cryptocurrency wallet information and execute manual transfers through a hidden Virtual Network Computing (VNC) mode. The VNC capability can operate in a “black-screen” state that hides operator activity from the device owner: while the phone appears locked or idle, attackers can simulate taps, swipes and long presses at precise screen coordinates to complete transactions in banking and wallet applications.
“Klopatra gives operators hands-on, stealthy access to infected devices through a black-screen VNC mode while harvesting credentials and keystrokes via Accessibility abuses.”
The dropper is distributed outside official app stores, leveraging the lure of IPTV and VPN functionality to prompt users to install an APK from third-party sites. Once installed, the payload abuses Android’s Accessibility service to escalate privileges: it captures user input, monitors the screen in real time, simulates gestures, and grants itself additional controls that bypass normal permission constraints. The malware also monitors device state — including whether the screen is off or the device is charging — to select moments for activating remote control that minimize the chance of detection.
Klopatra incorporates multiple evasion and hardening techniques. The malware bundles a commercial code protector to frustrate reverse engineering, relies heavily on native libraries to reduce its visible Java/Kotlin footprint, and uses string encryption mechanisms in recent builds. Analysts observed anti-debugging routines, runtime integrity checks and emulator-detection logic that are designed to ensure the code does not run in analyst sandboxes. The threat also contains a hardcoded list of package names for popular Android antivirus products and attempts to uninstall or disable defensive apps when detected.
Researchers attribute the campaign to a Turkish-speaking threat cluster based on language artifacts and development notes found during analysis. The operator infrastructure shows active development and rapid iteration: analysts recorded roughly 40 distinct builds since the malware first appeared earlier in the year. Investigators linked multiple command-and-control nodes to two separate campaigns and found that a misconfiguration in the operators’ use of a content-delivery service exposed origin IP addresses that helped map the backend infrastructure.
The combined use of automated overlays and hands-on remote control creates a dual monetization model that complicates detection and response. Overlay attacks allow automated credential capture when users interact with banking apps; the VNC channel then enables operators to complete manual transfers or approve multi-step processes that would otherwise be flagged by automated fraud controls. Because the VNC mode can be activated while the screen is off, human-driven transactions can evade many heuristics that rely on user-visible activity.
Security implications extend beyond individual victims. The campaign’s size and sophistication indicate a mature operation that can adapt delivery methods, harden payloads and refine evasion tactics. The use of commercial protection tools and native-code components increases analysis difficulty and accelerates operator iteration, raising the bar for defenders who must deconstruct samples to develop effective countermeasures.
Recommendations for users and organizations focus on limiting the attack surface and detecting behavioral signs of compromise. End users are advised to avoid downloading APKs from untrusted sources, decline Accessibility Service permission requests from unfamiliar apps, and keep device protections such as built-in malware scanning and automatic updates enabled. Financial institutions and mobile security teams should prioritize multi-factor authentication for high-value accounts, instrument detection for unusual VNC or remote-control traffic, and deploy behavioral analytics to identify overlay and keystroke-capture activity. Organizations with mobile workforces should restrict sideloading via device management controls and audit installed apps for unauthorized Accessibility permissions.
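One concrete way to act on the last two recommendations (restrict sideloading, audit Accessibility grants) is to pull two values from a managed device over adb and cross-reference them: the list of enabled Accessibility services (`adb shell settings get secure enabled_accessibility_services`) and each package’s installer (`adb shell pm list packages -i`). The script below is an added illustration written for this article, not code from the researchers or from any vendor; the sample adb output, the `com.example.*` package names and the allowlist contents are constructed, and the only installer treated as trusted is Google Play (`com.android.vending`), which is an assumption an organisation would adjust to its own app sources.

```python
"""Audit enabled Android Accessibility services against app provenance.

Added example for this article (not the researchers' tooling). The two input
strings mimic the output of real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
Sample values below are constructed; com.example.* packages are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: only Google Play is a trusted install source. Apps with
# installer=null were sideloaded (the Klopatra dropper's delivery path).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Accessibility services the organisation has explicitly approved (constructed).
ALLOWED_SERVICES = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}


@dataclass(frozen=True)
class Finding:
    service: str
    package: str
    installer: str
    reason: str


def parse_enabled_services(raw: str) -> list[str]:
    """Split the colon-separated enabled_accessibility_services value.

    The setting reads "null" or is empty when no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [svc for svc in raw.split(":") if svc]


def parse_installers(raw: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output.

    Each line looks like: package:com.foo  installer=com.android.vending
    """
    installers: dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def audit_accessibility(services_raw: str, installers_raw: str) -> list[Finding]:
    """Return one Finding per enabled service that is not on the allowlist.

    Sideloaded apps (installer not trusted) are the higher-priority finding,
    because Accessibility abuse by an APK from outside the store is exactly
    the pattern described in the article.
    """
    installers = parse_installers(installers_raw)
    findings: list[Finding] = []
    for svc in parse_enabled_services(services_raw):
        if svc in ALLOWED_SERVICES:
            continue
        pkg = svc.split("/", 1)[0]
        installer = installers.get(pkg, "unknown")
        if installer in TRUSTED_INSTALLERS:
            reason = "unapproved Accessibility service (store-installed app)"
        else:
            reason = "unapproved Accessibility service from sideloaded app"
        findings.append(Finding(svc, pkg, installer, reason))
    return findings


# Constructed sample output: one approved screen reader, one sideloaded app
# that has been granted Accessibility, and one store-installed app without it.
SAMPLE_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvvpn/com.example.iptvvpn.AccessSvc"
)
SAMPLE_INSTALLERS = """\
package:com.android.talkback  installer=com.android.vending
package:com.example.iptvvpn  installer=null
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in audit_accessibility(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(f"{f.package}: {f.reason} (installer={f.installer})")
```

On a real fleet the two strings would come from the device-management agent or from `adb` over a trusted connection, and any finding with an untrusted installer is a candidate for immediate revocation of the Accessibility grant and removal of the app.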
Detection and disruption also require cross-sector collaboration. Mobile security vendors, banks and regional incident-response teams should establish fast reporting channels to share indicators of compromise, block malicious distribution URLs, and coordinate takedowns of command-and-control infrastructure when attribution is possible. Because the campaign blends automated and manual fraud techniques, banks must be prepared to act quickly when suspicious transactions are reported and to freeze accounts pending investigation.
While law enforcement notifications and financial-sector interventions have reduced some of the abuse visible in telemetry, the ongoing evolution of Klopatra underscores that on-device mobile fraud remains an active and scalable threat. Analysts warn that operators will likely continue refining delivery lures, tightening evasion mechanisms and expanding their geographic reach unless distribution vectors are disrupted and user hygiene improves.
For now, defenders’ immediate priorities are clear: limit sideloading, lock down Accessibility approvals, reinforce multi-factor protections on financial apps, and monitor for anomalous remote-control connections that could indicate a black-screen VNC session in progress. Sustained reduction of victim impact will require both technical controls on devices and rapid information sharing between mobile security researchers and financial institutions.