New Android Banking Trojan "Klopatra" Uses VNC to Control Smartphones

A newly discovered Android banking trojan with remote access tool (RAT) capabilities, dubbed Klopatra, is being distributed disguised as an IPTV and VPN application. It has already infected more than 3,000 devices and gives attackers near-complete control of compromised smartphones.

Capabilities and Features

Klopatra can capture the device's screen in real time, read user input, inject navigation gestures, and operate in a hidden VNC (Virtual Network Computing) mode. In that mode the operator drains bank accounts by performing transactions by hand inside the victim's banking app, while the victim sees only a locked or inactive screen.

According to researchers at Cleafy, who first identified the malware, Klopatra does not appear to be connected to any previously documented Android malware family. Instead, it appears to be the work of a Turkish-speaking criminal group.

The trojan is designed to:

  • Steal banking credentials using overlay screens drawn on top of legitimate apps
  • Intercept keystrokes and clipboard data
  • Collect information on installed cryptocurrency wallet apps
  • Uninstall popular antivirus apps it detects on the device

Distribution and Evasion

The infection vector is a dropper app called “Modpro IP TV + VPN,” distributed outside the official Google Play Store.

Klopatra employs multiple techniques to avoid analysis and detection, including:

  • Virbox, a commercial code-protection product that hinders reverse engineering
  • Core logic moved into native libraries, leaving a smaller Java/Kotlin footprint to decompile
  • NP Manager for string encryption
  • A hardcoded list of antivirus package names that it attempts to uninstall

The malware also abuses Android's Accessibility Service, which once granted lets it read what is on screen, monitor user activity, and inject taps and gestures on the user's behalf.
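Because the dropper is sideloaded and the trojan depends on an Accessibility Service grant, one quick triage check on a suspect phone is to list every package that currently holds Accessibility access and cross-reference it with the installer that put it on the device. The script below is an added example written for this article, not code from Cleafy or from the malware; it parses the text of two standard adb commands (captured beforehand) and the sample outputs embedded in it are constructed, with placeholder package names rather than real indicators.

```python
"""Triage helper: flag apps with Accessibility Service access that Google Play
did not install. Feed it the captured text of:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
"""
import re

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample output (package names are placeholders, not real IOCs).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.modpro.iptv/com.example.modpro.iptv.AccService"
)
SAMPLE_PACKAGE_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.modpro.iptv  installer=null
package:com.example.bank  installer=com.android.vending
"""

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_enabled_services(raw):
    """Return the set of package names in the colon-separated
    enabled_accessibility_services value ('null' or empty means none)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    # Each entry is <package>/<service class>; keep only the package.
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw):
    """Map package name -> installer package, with 'null' mapped to None."""
    installers = {}
    for line in raw.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def flag_suspicious(services_raw, packages_raw):
    """Packages holding Accessibility access whose installer is not Google Play.
    Unknown packages (absent from the list) are also flagged."""
    installers = parse_installers(packages_raw)
    return sorted(
        pkg for pkg in parse_enabled_services(services_raw)
        if installers.get(pkg) != PLAY_STORE_INSTALLER
    )


if __name__ == "__main__":
    for pkg in flag_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_LIST):
        print("review:", pkg)
```

Preinstalled system apps also report `installer=null`, so on a real device compare the flagged list against `pm list packages -s` before treating a hit as malicious; a sideloaded IPTV or VPN app with Accessibility access, as in this campaign, is the pattern worth investigating.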

How VNC Mode Works

One of Klopatra's most dangerous features is its stealth VNC mode. The malware activates it when the phone is charging and the screen is off, reducing the chance that the user notices unusual activity. Attackers can then remotely control the device, injecting taps, swipes, and long presses to execute fraudulent transactions.

Scale and Activity

Cleafy researchers uncovered several command-and-control (C&C) servers tied to at least two separate campaigns. Together, these campaigns account for over 3,000 unique infections.

Since its first appearance in March 2025, Klopatra has gone through roughly 40 different builds, clear evidence of active development and rapid evolution.