Overview

• Cleafy estimates roughly 3,000 Android devices have been infected in the current Klopatra campaign.
• Klopatra requests Accessibility Services to read screen content, capture inputs, and simulate taps and swipes, enabling fraudulent transactions.
• UK reports name the lure as “Modpro IP TV + VPN,” while Malwarebytes describes a similar sideloaded package labeled “Mobdro Pro IP TV + VPN.”
• Experts advise deleting suspicious VPN or IPTV apps, running a reputable security scan, and resetting banking credentials if compromise is suspected.
• Separate research highlights broader VPN risks on Google Play, citing opaque ownership, shared infrastructure, and use of Shadowsocks in popular apps such as Turbo VPN and VPN Proxy Master.