- Klopatra malware steals banking and crypto-wallet data, even when the screen is off
- Distributed through a fake IPTV+VPN app, it requests accessibility permissions for full device control
- Uses Virbox, anti-debugging and encryption to evade detection and analysis
Cybersecurity researchers at Cleafy have discovered a powerful Android Trojan capable of stealing money from banking apps, draining crypto wallets and even operating the device while the screen is off.
Klopatra, an Android malware apparently built by a Turkish threat actor, does not resemble anything already in circulation, which suggests the tool was built from scratch. It was first seen in March 2025 and has since gone through 40 iterations, which shows the group is actively developing the malware.
Klopatra is distributed through standalone malicious pages rather than the Google Play Store. It uses a dropper called Modpro IP TV + VPN, which poses as an IPTV and VPN application. Once the dropper is installed, it deploys Klopatra, which, as is typical for malicious apps, requests accessibility service permissions.
Thousands of victims
These permissions allow the attackers to simulate taps, read screen content, steal credentials and silently control applications, among other things.
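The sideloaded-dropper-plus-accessibility pattern described above can be triaged on a device with two standard adb commands. The script below is an added example, not code from the article or from Cleafy: it parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -i` and flags packages that hold an enabled accessibility service but were not installed from a trusted store. The trusted-installer list, the known-system-service allowlist and the sample output are assumptions constructed for the example.

```python
import re

# Installers treated as trusted (assumption: Play Store only; add OEM stores as needed).
TRUSTED_INSTALLERS = {"com.android.vending"}
# Preloaded accessibility services that report installer=null on many devices (assumption).
KNOWN_SYSTEM_SERVICES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Parse `settings get secure enabled_accessibility_services` into {package: [service, ...]}."""
    services = {}
    raw = raw.strip()
    if raw in ("", "null"):  # the setting reads "null" when nothing is enabled
        return services
    for entry in raw.split(":"):  # entries are colon-separated "package/ServiceClass"
        pkg, _, svc = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(svc)
    return services


def parse_installers(raw):
    """Parse `pm list packages -i` lines ("package:<pkg>  installer=<pkg|null>") into {package: installer}."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def flag_suspicious_services(enabled_raw, installers_raw):
    """Return (package, installer) pairs with an enabled accessibility service not from a trusted store."""
    enabled = parse_enabled_services(enabled_raw)
    installers = parse_installers(installers_raw)
    return [
        (pkg, installers.get(pkg))
        for pkg in enabled
        if pkg not in KNOWN_SYSTEM_SERVICES and installers.get(pkg) not in TRUSTED_INSTALLERS
    ]


# Constructed sample output: one legitimate screen reader and one sideloaded "IPTV+VPN" app.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvvpn/com.example.iptvvpn.AccessService"
)
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=null
package:com.example.iptvvpn  installer=null
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, inst in flag_suspicious_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(f"REVIEW: {pkg} has an enabled accessibility service; installer={inst}")
```

On a real device, pipe the two adb outputs into the parsers; a hit is a starting point for review, not proof of infection, since legitimate sideloaded accessibility tools trigger the same rule.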
In addition to stealing money and data from victims' phones, Klopatra also carries a hardcoded list of Android antivirus package names, which it cross-references against the device and then attempts to disable.
The malware also goes to extra lengths to avoid being detected and analyzed.
It uses Virbox, a legitimate software-protection and licensing platform, which defends applications against piracy, reverse engineering and unauthorized use.
In this case, Virbox was used to stop security researchers from reverse engineering and analyzing the malware. It also uses native libraries to keep its use of Java and Kotlin to a minimum, and recently began using NP Manager string encryption.
The researchers said the malware comes with multiple anti-debugging mechanisms, runtime integrity checks and the ability to detect when it is running in an emulator, all of which hinder researchers trying to dissect it.
So far, at least 3,000 devices across Europe are infected, Cleafy said.