# Klopatra
Klopatra is a sophisticated Android banking trojan discovered by Cleafy in August 2025, operated by a Turkish-origin threat actor managing the full attack chain from development to fraud execution. The malware combines hidden VNC for remote device control with dynamic overlay attacks. It is notably protected by Virbox, a commercial Chinese packer rarely seen in Android malware, and has shifted core functionality from Java to native libraries. At the time of discovery, operators had compromised over 3,000 devices across two botnets targeting Spain and Italy.
## Overview
| Attribute | Details |
|---|---|
| First Seen | August 2025 |
| Status | Active |
| Type | Banking trojan, device takeover |
| Attribution | Turkish-origin threat actor |
| Distribution | Fake "Mobdro Pro IP TV + VPN" app |
| Protection | Virbox commercial packer |
## Origin and Lineage
Cleafy's analysis traces Klopatra's operations to a Turkish-origin threat actor who manages the full attack chain. The family appears to be an independently developed project without direct code lineage to known banking trojan families.
The attribution to Turkish-speaking actors places Klopatra alongside Frogblight, another Turkish banking trojan discovered in 2025 with possible connections to the Coper/Exobot ecosystem. While no direct code relationship between Klopatra and Frogblight has been established, both represent active Turkish-origin threats emerging in the same timeframe with distinct technical approaches: Frogblight uses custom keyboard keylogging while Klopatra relies on hidden VNC and native code.
## Distribution
| Vector | Details |
|---|---|
| Fake application | "Mobdro Pro IP TV + VPN" impersonating the defunct Mobdro streaming app |
| Sideloading | Distributed outside the official Google Play Store |
Cleafy documented the use of a fake "Mobdro Pro IP TV + VPN" application as the delivery vehicle. Mobdro was a popular free streaming application that was shut down, making it an effective lure since users searching for the app would encounter the malicious version.
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| Hidden VNC | Remote device control invisible to the victim |
| Dynamic overlay attacks | Phishing overlays injected over target banking apps |
| Native library execution | Core functionality shifted from Java to native code |
| Screen blackout | Device screen manipulation during remote fraud operations |
| Nighttime operation | Operators prefer attacking while victims sleep with phones charging |
### Hidden VNC
Klopatra implements hidden VNC (Virtual Network Computing) for remote device control, allowing operators to interact with the infected device in real time. Unlike screen streaming approaches used by families like Octo (which streams screenshots at 1 frame per second), VNC provides a more responsive remote session. The VNC implementation is hidden from the victim, with no visible indicators of the remote session.
### Dynamic Overlay Attacks
The overlay attack capability dynamically injects phishing pages over target banking applications. When the victim opens a banking app, Klopatra detects the foreground application and displays a convincing phishing overlay to capture credentials. The dynamic nature means overlay content is served from C2 infrastructure rather than bundled in the APK, allowing operators to update and add new targets without rebuilding the malware.
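The following is an added defensive example, not code from the Cleafy report or from Klopatra, showing how a banking app can make the overlay surface described above harder to abuse. It uses three stock Android APIs: `Window.setHideOverlayWindows` (API 31+, needs the normal permission `android.permission.HIDE_OVERLAY_WINDOWS` in the manifest), `View.setFilterTouchesWhenObscured`, and the obscured flags on `MotionEvent`. The activity, layout and `onOverlayDetected` response are hypothetical.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Toast;

// Added example (not Cleafy's or the malware's code): harden a sensitive
// screen against windows drawn over it by another app. Names are hypothetical.
public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // hypothetical layout resource

        // API 31+: ask the system not to draw other apps' overlay windows above
        // this window at all. Requires android.permission.HIDE_OVERLAY_WINDOWS.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        // Older devices: discard touches delivered while the window is obscured.
        View root = findViewById(android.R.id.content);
        root.setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Inspect the obscured flags on every touch so the app can react
        // (log, block the screen) rather than silently dropping input.
        int flags = ev.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partiallyObscured) {
            onOverlayDetected();
            return false; // the touch is not delivered to any view
        }
        return super.dispatchTouchEvent(ev);
    }

    private void onOverlayDetected() {
        // Hypothetical response: tell the user and report the event to the
        // bank's fraud telemetry so the session can be risk-scored server-side.
        Toast.makeText(this,
                "Input blocked: another app is drawing over this screen",
                Toast.LENGTH_LONG).show();
    }
}
```

Two caveats a practitioner should keep in mind. A full-screen phishing overlay captures the victim's keystrokes itself, so the real app never receives obscured touches; only `setHideOverlayWindows` addresses that case, and only on Android 12 and later. And none of this affects a hidden VNC session, which drives the device through the system rather than through a window above the app, so overlay hardening complements but does not replace server-side session monitoring.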
### Nighttime Attack Pattern
Cleafy noted a distinctive operational preference: Klopatra operators favor conducting fraud during nighttime hours when victims are sleeping and their phones are charging. This timing is strategic for several reasons:
- The victim is unlikely to notice screen activity or device manipulation
- The device is connected to power, ensuring it stays operational during extended fraud sessions
- Banking app session timeouts are the only constraint on the operation window
- Notifications generated during fraud are less likely to be seen immediately
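The following is an added example, not part of the Cleafy report, of a server-side rule that scores banking sessions against the nighttime pattern described above. The session fields, the assumption that the bank's in-app SDK reports whether the device is charging, the night window (01:00 to 05:00 local time) and all weights are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (not from the report): flag sessions that match "asleep,
// phone on the charger, long session" for a device that never banks at night.
public class NightSessionRule {

    /** One session as the bank's backend sees it. Constructed record type. */
    public static final class Session {
        public final String deviceId;
        public final int localHour;        // 0-23 in the device's own time zone
        public final boolean charging;     // assumed to be reported by the in-app SDK
        public final int durationMinutes;

        public Session(String deviceId, int localHour, boolean charging, int durationMinutes) {
            this.deviceId = deviceId;
            this.localHour = localHour;
            this.charging = charging;
            this.durationMinutes = durationMinutes;
        }
    }

    /** Assumed night window; tune to the customer base. */
    static boolean isNight(int hour) {
        return hour >= 1 && hour < 5;
    }

    /** Per-device count of past night sessions, built from known-good history. */
    public static Map<String, Integer> nightBaseline(List<Session> history) {
        Map<String, Integer> counts = new HashMap<>();
        for (Session s : history) {
            counts.merge(s.deviceId, isNight(s.localHour) ? 1 : 0, Integer::sum);
        }
        return counts;
    }

    /** Returns a 0-100 risk score; weights are illustrative, not calibrated. */
    public static int score(Session s, Map<String, Integer> baseline) {
        if (!isNight(s.localHour)) {
            return 0;
        }
        int score = 30;                                           // any night session
        if (s.charging) score += 25;                              // phone on the charger
        if (baseline.getOrDefault(s.deviceId, 0) == 0) score += 25; // never banked at night before
        if (s.durationMinutes >= 15) score += 20;                 // operator working up to the timeout
        return Math.min(score, 100);
    }

    public static void main(String[] args) {
        // Constructed history: device A banks at lunchtime, device B is a night-shift user.
        List<Session> history = Arrays.asList(
                new Session("A", 12, false, 3), new Session("A", 13, false, 4),
                new Session("B", 2, true, 5), new Session("B", 3, true, 6));
        Map<String, Integer> baseline = nightBaseline(history);

        Session suspect = new Session("A", 3, true, 40);  // fits the pattern for this device
        Session routine = new Session("B", 2, true, 5);   // normal for a night-shift user
        System.out.println("A, 03:00, charging, 40 min: " + score(suspect, baseline));
        System.out.println("B, 02:00, charging, 5 min:  " + score(routine, baseline));
    }
}
```

The per-device baseline is what keeps the rule from punishing genuine night-time users: device B scores only on the time-and-charger signals, while device A, which has never banked at night, hits the maximum. In production the score would feed step-up authentication or a hold on outbound transfers rather than an outright block.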
## Technical Details
### Native Code Migration
Klopatra has shifted core functionality from Java to native libraries, a significant anti-analysis measure. Cleafy's analysis documented this architectural choice:
- Critical logic executes in compiled native code (C/C++) rather than Dalvik bytecode
- Native libraries are harder to decompile and analyze compared to Java/Kotlin code
- This raises the barrier for security researchers performing static analysis
- Dynamic analysis tools that hook Java methods may miss native function calls
### Virbox Packer
Klopatra is protected by Virbox, a commercial Chinese software protection tool. Virbox is widely used for legitimate software protection but is rarely encountered in Android malware:
- Virbox applies code virtualization and encryption to the APK
- The packer complicates static analysis by obfuscating the application's code
- Its rarity in the Android malware ecosystem means security tools may have less robust unpacking support compared to commonly abused packers
- The choice of a commercial packer rather than custom obfuscation suggests the operators prioritize reliable protection over operational security of the development toolchain
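The following is an added analyst-side example, not tooling from the Cleafy report, that serves both the native-code migration and the packer sections above: a triage pass over an APK that measures how much code lives in native libraries versus `classes.dex` and looks for a high-entropy asset, the generic footprint of a packed payload. The thresholds are assumptions, and the sample APK is a constructed zip built in memory; nothing here fingerprints Virbox specifically.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.Random;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (not from the report): prioritise samples whose logic sits in
// native code and whose assets look encrypted, before any deep analysis.
public class ApkTriage {

    public static final class Report {
        public long dexBytes, nativeBytes;
        public int nativeLibs;
        public double maxAssetEntropy;        // highest Shannon entropy among assets/ entries
        public String maxEntropyEntry = "";
    }

    /** Shannon entropy in bits per byte (0 to 8). */
    public static double entropy(byte[] data) {
        if (data.length == 0) return 0;
        int[] freq = new int[256];
        for (byte b : data) freq[b & 0xff]++;
        double h = 0;
        for (int f : freq) {
            if (f == 0) continue;
            double p = (double) f / data.length;
            h -= p * (Math.log(p) / Math.log(2));
        }
        return h;
    }

    public static Report triage(byte[] apk) throws IOException {
        Report r = new Report();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(apk))) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                byte[] body = zin.readAllBytes();   // reads to the end of the current entry
                String name = e.getName();
                if (name.matches("classes\\d*\\.dex")) {
                    r.dexBytes += body.length;
                } else if (name.startsWith("lib/") && name.endsWith(".so")) {
                    r.nativeBytes += body.length;
                    r.nativeLibs++;
                } else if (name.startsWith("assets/")) {
                    double h = entropy(body);
                    if (h > r.maxAssetEntropy) {
                        r.maxAssetEntropy = h;
                        r.maxEntropyEntry = name;
                    }
                }
            }
        }
        return r;
    }

    /** Assumed triage thresholds: more native than dex code plus a near-random asset. */
    public static boolean nativeHeavyAndLikelyPacked(Report r) {
        return r.nativeLibs > 0 && r.nativeBytes > r.dexBytes && r.maxAssetEntropy > 7.5;
    }

    /** Builds a constructed APK-like zip: tiny dex stub, large .so, random-looking asset. */
    public static byte[] constructedSample() throws IOException {
        Random rnd = new Random(42);
        byte[] dexStub = new byte[4096];
        Arrays.fill(dexStub, (byte) 0x41);            // low entropy stand-in for a loader stub
        byte[] nativeLib = new byte[200_000];
        rnd.nextBytes(nativeLib);
        byte[] payload = new byte[65_536];
        rnd.nextBytes(payload);                       // looks like an encrypted blob
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String[] entry : new String[][] {{"classes.dex"}, {"lib/arm64-v8a/libcore.so"}, {"assets/payload.bin"}}) {
                zout.putNextEntry(new ZipEntry(entry[0]));
                zout.write(entry[0].endsWith(".dex") ? dexStub : entry[0].endsWith(".so") ? nativeLib : payload);
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Report r = triage(constructedSample());
        System.out.printf("dex=%d bytes, native=%d bytes in %d libs, max asset entropy=%.2f (%s)%n",
                r.dexBytes, r.nativeBytes, r.nativeLibs, r.maxAssetEntropy, r.maxEntropyEntry);
        System.out.println("prioritise for native/unpacking analysis: " + nativeHeavyAndLikelyPacked(r));
    }
}
```

High-entropy assets also appear in legitimate apps (compressed media, ML models), so the signal is for ordering a queue, not for a verdict. The practical value of the native-code ratio is in choosing tooling up front: a sample whose weight is in `lib/` needs native hooking or emulation, and Java-level hooks alone will miss the behaviour the page describes.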
### C2 Infrastructure
Specific C2 protocol details were documented by Cleafy's research. The infrastructure supports real-time VNC sessions and dynamic overlay delivery, requiring persistent connectivity between the infected device and the operator's panel.
### Two-Botnet Architecture
Cleafy identified two separate botnets operated by the same threat actor:
| Botnet | Target Region | Compromised Devices |
|---|---|---|
| Botnet 1 | Spain | Part of 3,000+ total |
| Botnet 2 | Italy | Part of 3,000+ total |
The separation into regional botnets allows operators to maintain distinct overlay kits, C2 configurations, and operational schedules tuned to each target country.
## Target Regions
| Region | Status | Details |
|---|---|---|
| Spain | Primary target | Dedicated botnet |
| Italy | Primary target | Dedicated botnet |
Cleafy's report documents Spain and Italy as the two target regions, each served by a separate botnet. With over 3,000 compromised devices across both botnets, Klopatra represents a focused but sizable operation.
## Notable Campaigns
August 2025: Cleafy publishes their discovery of Klopatra, documenting a Turkish-origin banking trojan with hidden VNC, dynamic overlays, and Virbox packer protection. Over 3,000 devices are already compromised across two botnets targeting Spain and Italy. The operators' preference for nighttime attacks is identified as a distinctive operational pattern.
## Related Families
Klopatra's combination of hidden VNC and overlay attacks places it in the same capability tier as Hook, which offers VNC-based remote access alongside its Cerberus-derived banking trojan features. Vultur similarly uses screen streaming (via AlphaVNC) for device takeover. The native code migration pattern is shared with the latest versions of Medusa, which also moved critical components to native libraries in its v2 rewrite.
The Turkish attribution connects Klopatra to a broader trend of Turkish-origin Android malware, alongside Frogblight and the Turkish-speaking operator groups behind Medusa. Each takes a different technical approach, but all target European banking customers.
The use of the Virbox commercial packer is a distinctive choice that sets Klopatra apart from most Android banking trojans, which typically use custom packers or open-source obfuscation tools.