Ethical Hacking News
A new Android banking trojan called Klopatra has been discovered, which uses hidden VNC to control infected smartphones. The malware is considered sophisticated, with advanced architecture that includes commercial-grade code protection tools. It has compromised over 3,000 devices, primarily in Spain and Italy, and poses a significant threat to the financial sector due to its technically advanced methods for obfuscating its true nature.
Klopatra, a new Android banking trojan, uses hidden VNC to control infected smartphones. The malware has compromised over 3,000 devices, primarily in Spain and Italy. The threat actors are believed to be a Turkish-speaking criminal group operating as a private botnet. The malware distributes itself through social engineering lures, tricking victims into downloading dropper apps. Klopatra uses Android's accessibility services to read screen contents, record keystrokes, and perform actions on behalf of the user. The malware can drain funds through multiple instant bank transfers without the victim's knowledge.
Android banking trojans have long been a concern for mobile security, as they pose a significant threat to users' financial information. Recently, a new Android banking trojan called Klopatra has been discovered, which uses hidden VNC (Virtual Network Computing) to control infected smartphones. The malware is considered sophisticated, with advanced architecture that includes commercial-grade code protection tools, making it difficult to detect and analyze.
According to Cleafy, an Italian fraud prevention firm, the malware has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. The threat actors behind Klopatra have leveraged Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays to facilitate credential theft, ultimately enabling fraudulent transactions.
The malware's command-and-control (C2) infrastructure and linguistic clues in the associated artifacts suggest that it is being operated by a Turkish-speaking criminal group as a private botnet. This group does not offer the malware as a service, but rather uses it for personal gain. The researchers found that there are 40 distinct builds of Klopatra since March 2025.
The attack chains distributing Klopatra employ social engineering lures to trick victims into downloading dropper apps that masquerade as seemingly harmless tools, such as IPTV applications. This allows the threat actors to bypass security defenses and completely take control of the victims' mobile devices. The dropper app requests permission from the user to install packages from unknown sources. Once this permission is granted, the dropper extracts and installs the main Klopatra payload from a JSON packer embedded within it.
The banking trojan requests access to Android's accessibility services to achieve its goals. While the accessibility services framework is legitimate, designed to help users with disabilities interact with their devices, it can be a potent weapon in the hands of bad actors. The malware abuses this feature to read the contents of the screen, record keystrokes, and perform actions on behalf of the user in order to conduct fraudulent transactions.
The human operator actively engages in fraud attempts over what's described as a "carefully orchestrated sequence" that begins by checking whether the device is charging, the screen is off, and the device is not currently in active use. If these conditions are met, a command is issued to reduce the screen brightness to zero and display a black overlay, giving the victim the impression that the device is inactive and switched off.
In the background, however, the threat actors use the previously stolen device PIN or unlock pattern to gain unauthorized access, launch the targeted banking app, and drain the funds through multiple instant bank transfers. The findings show that Klopatra does not try to reinvent the wheel but poses a significant threat to the financial sector owing to its technically advanced assemblage of features.
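The dropper, accessibility and overlay stages described above all leave a footprint in a device's permission state. As an added triage example (not code from the article, Cleafy, or the malware), the script below flags packages whose accessibility service is enabled and which also hold overlay or install-unknown-sources rights; the input strings and package names are constructed to resemble `adb shell settings get secure enabled_accessibility_services` output and a per-package permission table, and the allowlist is an assumption the defender maintains.

```python
"""Triage heuristic for the permission combination Klopatra's chain relies on:
an enabled accessibility service plus overlay and/or sideload rights.
Example code with constructed sample data; not Cleafy's or the article's own."""
from dataclasses import dataclass, field

# Rights that, combined with accessibility, match the chain the article describes.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"        # black / dynamic overlays
SIDELOAD = "android.permission.REQUEST_INSTALL_PACKAGES"  # dropper installs payload


@dataclass
class Finding:
    package: str
    service: str
    reasons: list = field(default_factory=list)


def parse_enabled_services(setting: str) -> dict:
    """'pkg/cls:pkg2/cls2' -> {pkg: fully qualified cls}.
    Accepts the short '/.Cls' form Android uses for package-relative classes."""
    out = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        out[pkg] = pkg + cls if cls.startswith(".") else cls
    return out


def triage(setting: str, grants: dict, allowlist: frozenset = frozenset()) -> list:
    """Return a Finding for every non-allowlisted package with an enabled
    accessibility service that also holds overlay and/or sideload rights."""
    findings = []
    for pkg, svc in parse_enabled_services(setting).items():
        if pkg in allowlist:
            continue
        held = set(grants.get(pkg, ()))
        reasons = []
        if OVERLAY in held:
            reasons.append("accessibility + overlay (screen can be masked)")
        if SIDELOAD in held:
            reasons.append("accessibility + install-unknown-sources (dropper pattern)")
        if reasons:
            findings.append(Finding(pkg, svc, reasons))
    return findings


# Constructed sample: a fake IPTV app holding the full combination, next to an
# assumed legitimate screen reader that the defender has allowlisted.
SAMPLE_SETTING = ("com.example.iptvplayer/.A11yService:"
                  "com.example.screenreader/com.example.screenreader.ReaderService")
SAMPLE_GRANTS = {
    "com.example.iptvplayer": [OVERLAY, SIDELOAD, "android.permission.INTERNET"],
    "com.example.screenreader": ["android.permission.INTERNET"],
}
KNOWN_A11Y_TOOLS = frozenset({"com.example.screenreader"})

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_GRANTS, KNOWN_A11Y_TOOLS):
        print(f.package, f.service, "; ".join(f.reasons))
```

A hit is a lead for manual review, not proof of infection; legitimate automation and remote-support apps can hold the same combination.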
The operators of Klopatra prefer conducting their attacks during the night, which is strategic because the victim is likely asleep, and their device is often left charging. This provides the perfect window for the attacker to operate undetected. The development comes a day after ThreatFabric flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly.
The emergence of Klopatra highlights the professionalization of mobile malware, demonstrating a clear trend of threat actors adopting commercial-grade protections to maximize the lifespan and profitability of their operations. The use of advanced code obfuscation, anti-debugging mechanisms, and runtime integrity checks makes it challenging for security solutions to detect and analyze this malware.
The rise of sophisticated Android banking trojans like Klopatra underscores the need for mobile users to be vigilant when downloading apps from untrusted sources. Moreover, it emphasizes the importance of regular software updates and security patches to protect against such threats. As the threat landscape continues to evolve, it is essential for individuals and organizations to stay informed about emerging risks and take proactive measures to safeguard their devices and financial information.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Android-Banking-Trojan-Klopatra-Reveals-Sophisticated-Methods-for-Control-and-Fraud-ehn.shtml
https://thehackernews.com/2025/10/new-android-banking-trojan-klopatra.html
https://thehackernews.com/2025/09/new-android-trojan-datzbro-tricking.html
https://malware.news/t/datzbro-rat-hiding-behind-senior-travel-scams/99588
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://breach-hq.com/threat-actors
Published: Wed Oct 1 05:25:38 2025 by llama3.2 3B Q4_K_M