Particle.news

Klopatra Android Banking RAT Hits 3,000 Devices in Spain and Italy

Researchers say it blends Virbox protection with native code to thwart detection.

Overview

  • Klopatra gives operators hands-on control via Hidden VNC, using a black-screen trick and stolen PINs to execute nighttime transfers while devices appear idle.
  • The campaign spreads through droppers posing as IPTV or VPN tools, such as the “Modpro IP TV + VPN” app sideloaded from outside Google Play; the dropper then unpacks and installs the banking payload it carries, using an embedded JSON packer.
  • The malware abuses Android accessibility services for full device control, serves dynamic overlays to harvest credentials, and attempts to uninstall a hard‑coded list of antivirus apps.
  • Technical hardening includes extensive native libraries, Virbox-based code protection, and anti-debugging and emulator checks, which blunt traditional static analysis.
  • Cleafy links the operation to a Turkish-speaking group running a private botnet, with two active campaigns and more than 40 builds observed since March 2025.
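The dropper, accessibility-control, overlay and uninstall behaviours listed above all leave traces in an app's manifest before any dynamic analysis is run. As an added triage example (not code from Cleafy or from this page), the script below parses a decoded AndroidManifest.xml (as produced by `apktool d`) and flags the capability combination that an overlay banker or its dropper needs. The two manifests are constructed for illustration; the permission names and the BIND_ACCESSIBILITY_SERVICE service declaration are real Android conventions, but the page does not publish Klopatra's actual manifest, and the escalation rule (accessibility plus overlay, install or uninstall) is an assumption of this example, not a published detection rule.

```python
"""Manifest-level triage for the overlay-banker / dropper capability set.

Added example: not Klopatra's code and not from the Cleafy report. Takes a
decoded AndroidManifest.xml (binary manifests must be decoded first, e.g. with
apktool) and reports which risky capabilities the app declares.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability -> manifest permission that grants it. Real permission names;
# the mapping to the behaviours in the overview is this example's assumption.
PERMISSION_CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",      # draw phishing screens over other apps
    "android.permission.REQUEST_INSTALL_PACKAGES": "install",  # dropper installs a second-stage APK
    "android.permission.REQUEST_DELETE_PACKAGES": "uninstall", # prompt removal of other apps (e.g. AV)
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot",       # persistence across reboot
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def parse_manifest(xml_text):
    """Return the package name, declared permissions and accessibility services."""
    root = ET.fromstring(xml_text.strip())
    permissions = {_attr(el, "name") for el in root.findall("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # once the user enables it, the app can read screens and inject taps.
    accessibility_services = [
        _attr(svc, "name")
        for svc in root.findall("application/service")
        if _attr(svc, "permission") == ACCESSIBILITY_PERMISSION
    ]
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "accessibility_services": accessibility_services,
    }


def triage(xml_text):
    """Map manifest declarations to capabilities and apply the escalation rule.

    Rule (assumption of this example): an accessibility service on its own is
    common in legitimate apps (screen readers, password managers); accessibility
    combined with overlay, install or uninstall capability is the pairing an
    overlay banker or its dropper needs and is worth manual review.
    """
    info = parse_manifest(xml_text)
    capabilities = set()
    findings = []
    for svc in info["accessibility_services"]:
        capabilities.add("accessibility")
        findings.append(f"accessibility service {svc}: can read screens and inject input")
    for perm, cap in PERMISSION_CAPABILITIES.items():
        if perm in info["permissions"]:
            capabilities.add(cap)
            findings.append(f"{perm}: {cap} capability")
    suspicious = "accessibility" in capabilities and bool(
        capabilities & {"overlay", "install", "uninstall"}
    )
    return {
        "package": info["package"],
        "capabilities": capabilities,
        "suspicious": suspicious,
        "findings": findings,
    }


# Constructed sample: a plain IPTV player with no risky declarations.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iptvplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample modelled on the dropper-plus-control pattern in the overview
# (hypothetical package name; not Klopatra's real manifest).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iptv_vpn_dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".ControlService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = triage(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for line in result["findings"]:
            print("  -", line)
```

This only prioritizes samples for review: a Virbox-protected payload that is installed later by the dropper will not appear in the dropper's own manifest, so the second-stage APK it carries must be extracted and triaged separately, and the malware's native libraries and anti-emulator checks mean a clean-looking manifest is never a verdict.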