New Android banking trojan Klopatra has infected more than 3,000 devices, Cleafy says

A previously undocumented Android banking trojan called Klopatra has compromised more than 3,000 devices, with the majority of infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the malware, a banking trojan with remote access trojan (RAT) capabilities, in late August 2025, said it uses Hidden Virtual Network Computing (VNC) for remote control and dynamic overlays to facilitate credential theft and fraudulent transactions.

Cleafy researchers Federico Valentini, Alessandro Strino, Simone Mattia and Michele Roviello said Klopatra combines extensive use of native libraries with integration of Virbox, a commercial-grade code protection suite, and that these choices make the malware difficult to detect and analyse.

The company said attack chains distribute Klopatra through social engineering lures that trick victims into installing dropper apps masquerading as benign tools such as IPTV applications. The dropper requests permission to install packages from unknown sources, extracts the main payload from an embedded JSON packer and requests access to Android’s accessibility services, which can be abused to read the screen, record input and perform actions on the user’s behalf to enable fraud.

Cleafy said the malware shifts core functionality from Java to native libraries, applies extensive code obfuscation, anti-debugging and runtime integrity checks via Virbox, and aims to reduce visibility to traditional analysis frameworks and security solutions.

The company said operators are given granular, real-time control over infected devices using VNC features that can display a black screen to conceal activity while fraud is carried out. Klopatra also attempts to grant itself additional permissions through accessibility services, tries to uninstall a hard-coded list of antivirus apps, delivers dynamic overlay login screens over targeted financial and cryptocurrency apps, and checks device state – such as whether the device is charging and the screen is off – before issuing commands to steal PINs or unlock patterns and perform transfers.

Cleafy said as many as 40 distinct builds have been discovered since March 2025, and that evidence from command-and-control infrastructure and linguistic clues suggests the operation is run by a Turkish-speaking group as a private botnet rather than a public malware-as-a-service offering. The report noted the development came a day after another research group flagged a different Android trojan called Datzbro.