Fake-VPN malware campaign abusing Android VPN demand

A new Android malware family, dubbed Klopatra, is being distributed inside fake VPN and IPTV apps — a campaign that weaponizes users’ appetite for free VPNs and streaming tools to install a banking trojan and remote-access toolkit. Discovered by Cleafy’s threat-intelligence team, Klopatra has been active since at least March 2025 and is notable for its sophistication: remote VNC-style control, dynamic overlays to steal credentials, and anti-analysis measures that make it hard to detect and dissect.

How Klopatra works (the technical playbook)

Klopatra’s operators distribute the malware through sideloaded or malicious landing-page APKs that masquerade as legitimate VPN/IPTV apps (one observed dropper was named Mobdro Pro IP TV + VPN). Once installed, the dropper grants Klopatra elevated capabilities by abusing Android Accessibility Services and other permissions — enabling the malware to:

Display dynamic overlay screens that mimic bank or payment apps and capture credentials.

Use a hidden VNC mode to provide attackers hands-on remote control of an infected device, even when the screen is off — letting them operate apps and approve transactions.

Evade analysis by wrapping the app in a commercial protector (Virbox), encrypting strings, moving logic into native libraries, and checking for emulation. These measures indicate active, well-resourced development.

Cleafy’s analysis shows the operation is modular and actively evolving — the malware underwent dozens of updates during 2025, suggesting the authors are iterating quickly to avoid detection and expand capabilities.

Real-world impact so far

Researchers report Klopatra campaigns compromised thousands of devices across Europe (Cleafy’s telemetry points to more than 3,000 infections clustered in Spain and Italy), and security vendors including Broadcom and Malwarebytes have issued alerts describing the malware’s banking-trojan and RAT functionality. The combination of credential theft (via overlays) and direct remote control makes financial theft and account takeover straightforward for an attacker with access to an infected device.

Malwarebytes’ write-up ties specific APK droppers (VPN/IPTV branded) to Klopatra, noting the campaign’s goal of draining bank accounts and stealthily disabling mobile security apps. That real-world payload — financial theft and persistent remote access — elevates Klopatra beyond nuisance adware into a high-impact criminal tool.

Why VPN demand helps the attackers

Users seeking free VPNs or IPTV apps tend to sideload APKs or follow links from non-official sites — behavior Klopatra’s operators exploit. Unlike Play Store apps that undergo some level of automated scanning and policy checks, sideloaded apps and “store clones” are a far easier vector for dropping malicious payloads. The current market — abundant free VPN offers, many with opaque origins — creates a rich hunting ground for malware authors.

How Klopatra avoids detection

Klopatra authors use multiple anti-analysis techniques: they ship native code to keep the malicious logic out of Java/Kotlin traces, encrypt strings and configuration files, employ third-party packers (Virbox) to frustrate static analysis, and detect emulator environments to skip behaviors during researcher inspection. These tactics slow down defenders and lengthen the time the campaign remains active in the wild. (cleafy.com)

Practical advice: protect yourself right now

Never sideload APKs from untrusted sites. Only install apps from the Google Play Store or verified vendor channels. If an offer seems “too good to be true” (free unlimited VPN + IPTV), treat it as suspicious.

Check app provenance and reviews carefully. Look for publisher verification, consistent branding, and many recent trustworthy reviews — but be aware that attackers use fake reviews and polished listings.

Limit Android Accessibility permissions. Only grant Accessibility to apps you absolutely trust; it’s a favorite vector for malware to automate actions and read screen content.

Use reputable mobile security tools and keep Google Play Protect enabled; run scans if you suspect a sideloaded app might be malicious.

Monitor financial accounts and enable MFA. If you installed suspicious apps, change passwords and enable multi-factor authentication on sensitive accounts; contact your bank if you notice unusual transactions.
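
A defender-side check that follows from the Accessibility abuse described in the playbook above and from the advice to limit Accessibility permissions: it lists apps that have an Accessibility Service enabled but were not installed from Google Play, which is exactly the sideload-then-Accessibility pattern the droppers rely on. This is an added example, not code from Cleafy or the article; it assumes an adb connection to the phone, and the package names in the sample data are constructed.

```shell
#!/bin/sh
# Added defender check (not from Cleafy or the article): flag apps that have an
# Accessibility Service enabled but were NOT installed from Google Play.
# Inputs are the raw output of two adb commands, e.g.:
#   SERVICES=$(adb shell settings get secure enabled_accessibility_services)
#   PACKAGES=$(adb shell pm list packages -i)
# Package names below are constructed sample values, not real indicators.

flag_sideloaded_accessibility() {
    services="$1"   # colon-separated "pkg/ServiceClass" entries ("null" if none)
    packages="$2"   # lines: "package:<pkg>  installer=<installer or null>"
    printf '%s\n' "$services" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] && [ "$svc" != "null" ] || continue
        pkg=${svc%%/*}                       # strip "/ServiceClass"
        installer=$(printf '%s\n' "$packages" |
            awk -v p="package:$pkg" '$1 == p { sub(/^installer=/, "", $2); print $2 }')
        case "$installer" in
            com.android.vending) ;;          # installed from Google Play: not flagged
            *) printf '%s installer=%s\n' "$pkg" "${installer:-unknown}" ;;
        esac
    done
}

# Constructed sample data standing in for the two adb outputs above.
SAMPLE_SERVICES='com.example.screenreader/com.example.screenreader.ReaderService:com.example.fakevpn/com.example.fakevpn.AccService'
SAMPLE_PACKAGES='package:com.example.bank  installer=com.android.vending
package:com.example.fakevpn  installer=com.google.android.packageinstaller
package:com.example.screenreader  installer=com.android.vending'

# Prints only the sideloaded app that has Accessibility enabled.
flag_sideloaded_accessibility "$SAMPLE_SERVICES" "$SAMPLE_PACKAGES"
```

A flagged entry is a lead, not a verdict: a legitimate screen reader installed from a vendor channel will show up too, so review each package and remove the Accessibility grant from anything you did not knowingly set up.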

Expert perspective

Cleafy’s write-up emphasizes the “banking trojan + remote access” combination makes Klopatra uniquely dangerous: “Klopatra couples dynamic overlays with a hidden VNC backdoor and advanced evasion, enabling large-scale fraud campaigns,” their researchers wrote. Security analysts warn that campaigns like Klopatra are likely to continue as long as user demand for free VPN/IPTV apps — and the sideloading behavior that accompanies it — persists.

Conclusion

The Klopatra campaign is a textbook example of how attackers weaponize user demand for convenience and free services. Disguised as VPN or IPTV apps, the malware turns privacy tools into surveillance and theft platforms. For users, the lesson is clear: avoid sideloading, be skeptical of “free VPN/IPTV” offers, and protect accounts with strong authentication. For defenders and app stores, Klopatra underlines the need for faster detection of malicious droppers and better user education to reduce risky install behavior.

Amany Hassan

Amany Hassan is a news editor and content reviewer at VPNX, specializing in technology, cybersecurity, and digital privacy topics. Her focus is on reviewing, fact-checking, and refining articles to ensure accuracy, clarity, and added value — delivering reliable and well-edited news to readers.
