
"A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions."
""Klopatra represents a significant evolution in mobile malware sophistication," security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said. "It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze." Evidence gathered from the malware's command-and-control (C2) infrastructure and linguistic clues in the associated artifacts suggests that it is being operated by a Turkish-speaking criminal group as a private botnet, given the absence of a public malware-as-a-service (MaaS) offering."
Klopatra is an Android banking trojan that has infected over 3,000 devices, predominantly in Spain and Italy. Cleafy discovered the malware in late August 2025 and identified it as a remote access trojan using Hidden VNC for remote control and dynamic overlays to steal credentials and enable fraudulent transactions. The malware extensively uses native libraries and employs Virbox code protection, hindering detection and analysis. Evidence from C2 infrastructure and linguistic artifacts indicates operation by a Turkish-speaking criminal group as a private botnet, with around 40 builds identified since March 2025. Distribution relies on IPTV-themed dropper apps that request installation permissions and install the main Klopatra payload.
Read at The Hacker News