Klopatra
Klopatra is an Android banking trojan and remote access trojan (RAT) first observed in March 2025. It is described as a previously undocumented malware family with no confirmed links to known Android malware families, and reporting ties its operation to a Turkish-speaking cybercrime group. The malware has infected more than 3,000 devices, with the majority of reported infections in Spain and Italy, and broader targeting across Europe.
Klopatra is distributed outside Google Play via social-engineering lures, particularly a dropper disguised as an IPTV/VPN application named "Modpro IP TV + VPN." Victims are prompted to allow installation from unknown sources, after which the dropper installs the main payload. The malware abuses Android Accessibility Services to gain permissions, monitor the screen, capture user input, simulate taps and gestures, and automate actions on the victim device.
Its capabilities support both credential theft and full device takeover for banking fraud. Reported functions include dynamic overlay attacks against banking and cryptocurrency applications, screen monitoring, keystroke and clipboard exfiltration, gesture simulation, and hidden VNC/black-screen VNC remote control. The VNC capability allows operators to interact with the device while it appears locked, idle, or dark to the victim, enabling manual fraudulent transactions such as draining bank accounts. Operators reportedly check conditions such as whether the device is charging, the screen is off, or the device is idle before activating the black-screen mode. Klopatra also collects information related to cryptocurrency wallet applications.
Klopatra includes multiple stealth and anti-analysis features. Reported protections include Virbox commercial code protection, heavy use of native libraries, string encryption, anti-debugging, runtime integrity checks, and emulator detection. It also contains a hardcoded list of Android antivirus package names and attempts to uninstall targeted security products to evade detection.
Researchers reported roughly 40 distinct Klopatra builds within a few months, indicating rapid, active development. Infrastructure analysis linked multiple command-and-control points to at least two campaigns, and shared infrastructure has also been noted with other Android malware families, including Medusa and Perseus. High-confidence infection themes and indicators mentioned in public reporting include the "Modpro IP TV + VPN" lure, targeting of banking and cryptocurrency apps, abuse of Accessibility permissions, hidden/black-screen VNC functionality, and concentration of infections in Spain and Italy.
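As an added defender-side example (not code from this page, from Mallory, or from any vendor), the following Python heuristic flags the black-screen VNC pattern described above: a run of gestures injected through an accessibility service while the display is off. The telemetry schema, event fields, device names and package names are constructed assumptions, not real indicators.

```python
from dataclasses import dataclass

@dataclass
class DeviceState:
    """Per-device state rebuilt from time-ordered telemetry (assumed schema)."""
    screen_on: bool = True
    charging: bool = False
    dark_touches: int = 0  # accessibility-injected gestures since the screen went off

def find_black_screen_sessions(events, min_touches=3):
    """Return one alert per device whose accessibility-backed service injects
    at least `min_touches` gestures while the screen is off.  Each event is a
    dict with 'ts', 'device', 'type' and type-specific fields (constructed)."""
    states, alerts = {}, []
    for ev in events:
        st = states.setdefault(ev["device"], DeviceState())
        if ev["type"] == "screen":
            st.screen_on = ev["on"]
            if st.screen_on:
                st.dark_touches = 0  # the dark-screen window closed; reset
        elif ev["type"] == "power":
            st.charging = ev["charging"]
        elif ev["type"] == "input" and ev.get("source") == "accessibility":
            # Screen readers and automation tools act on a lit display; a run of
            # injected gestures on a dark one matches the hidden-VNC behaviour.
            if not st.screen_on:
                st.dark_touches += 1
                if st.dark_touches == min_touches:
                    alerts.append({"device": ev["device"], "package": ev["package"],
                                   "charging": st.charging, "ts": ev["ts"]})
    return alerts

# Constructed sample telemetry; package names are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"ts": 1, "device": "dev-A", "type": "power", "charging": True},
    {"ts": 2, "device": "dev-A", "type": "screen", "on": False},
    {"ts": 3, "device": "dev-A", "type": "input", "source": "accessibility", "package": "com.example.iptv.vpn"},
    {"ts": 4, "device": "dev-A", "type": "input", "source": "accessibility", "package": "com.example.iptv.vpn"},
    {"ts": 5, "device": "dev-A", "type": "input", "source": "accessibility", "package": "com.example.iptv.vpn"},
    {"ts": 6, "device": "dev-A", "type": "screen", "on": True},
    # Benign: a screen reader injecting gestures while the display is on.
    {"ts": 7, "device": "dev-B", "type": "input", "source": "accessibility", "package": "com.example.reader"},
    {"ts": 8, "device": "dev-B", "type": "input", "source": "accessibility", "package": "com.example.reader"},
    {"ts": 9, "device": "dev-B", "type": "input", "source": "accessibility", "package": "com.example.reader"},
]

if __name__ == "__main__":
    for alert in find_black_screen_sessions(SAMPLE_EVENTS):
        print(f"ALERT {alert['device']}: {alert['package']} injected gestures on a dark screen")
```

The charging flag is carried into the alert because the page notes operators prefer to act while the device is charging and idle; a real deployment would tune `min_touches` against its own accessibility-tool baseline.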
Groups observed using it
1 distinct threat actor attributed by public researchers.
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic:
Execution: 1 technique
Privilege Escalation: 2 techniques
Stealth: 5 techniques. Stealth tactics: Virbox code protection, anti-debugging, emulator detection, AV app uninstall attempts. Disguised as an IPTV + VPN app ("Modpro IP TV + VPN") outside Google Play. Capabilities may include overlay attacks on banking apps... These features allow attackers to conduct unauthorized transactions with minimal user awareness.
Credential Access: 4 techniques. Capabilities include screen monitoring, overlay attacks for credential theft, gesture simulation, and clipboard/keystroke exfiltration.
Discovery: 2 techniques
Lateral Movement: 1 technique
Collection: 5 techniques. Capabilities include screen monitoring, overlay attacks for credential theft, gesture simulation, and clipboard/keystroke exfiltration.
Command and Control: 2 techniques
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Referenced as an Android malware family known for using live hidden VNC for covert screen interaction or surveillance.
Referenced as another known malware family sharing infrastructure connections with Perseus.
Referenced as an Android banking malware family that similarly abuses Android Accessibility services for banking fraud/credential theft techniques.
An Android banking trojan that also functions as a RAT, infecting thousands of devices and used to gain unauthorized access to financial applications and steal credentials.