Fake VPN and streaming app infects thousands of Android devices, drains bank accounts

Cybersecurity experts are sounding the alarm for Android users regarding the Mobdro Pro IP TV + VPN application, which has been identified as a conduit for a malicious banking trojan. The Italian cybersecurity firm Cleafy recently unveiled the troubling details surrounding this seemingly innocuous app, which promises free access to high-quality IPTV channels alongside a virtual private network.

Upon closer examination, however, Cleafy’s findings reveal that Mobdro Pro IP TV + VPN serves as a sideloaded installer for Klopatra, a sophisticated Android banking trojan and remote-access tool (RAT) that has no known affiliations with existing malware families. Klopatra first came to light in late August 2025, during an investigation into a surge of attacks targeting mobile users across Europe.

The report indicates that the malware is currently being disseminated through two active botnets, primarily focusing on users in Spain and Italy, with nearly 3,000 confirmed infections thus far. Klopatra’s capabilities are alarming; once installed, it grants cybercriminals complete remote access to the victim’s device. This access allows attackers to read messages, pilfer sensitive login credentials, and execute fraudulent transactions directly from the compromised phone.

What sets Klopatra apart is its multi-stage infection chain, which heavily relies on social engineering tactics to manipulate victims into granting permissions that effectively surrender control of their devices. After installation, the app prompts users to enable Android Accessibility Services permissions—a legitimate feature designed to assist users with disabilities, yet one that can be exploited in malicious hands.

Cleafy’s report emphasizes the critical nature of these permissions: “Once the main Klopatra payload is installed, the real threat manifests,” they caution. “The malware immediately requests a wide range of permissions, but one is crucial for its success: the Android Accessibility Services permission.” By leveraging these permissions, Klopatra can autonomously read on-screen content, perform input actions, and navigate banking applications, enabling it to carry out fraudulent transfers while users remain oblivious.

This infection campaign capitalizes on a persistent trend among Android users: the practice of sideloading applications from unofficial sources to access pirated or “premium” content without cost. Mobdro Pro IP TV + VPN masquerades as a free streaming platform bundled with a VPN service, appealing to those seeking to bypass geo-blocks or access restricted channels. However, this convenience comes at a significant risk, as the app is distributed outside the Google Play Store, circumventing Google’s built-in security measures and leaving users vulnerable to serious threats.

Legitimate VPNs posing hidden risks

While Klopatra exemplifies an extreme case of a counterfeit VPN functioning as malware bait, experts caution that even legitimate VPN applications available on the Google Play Store can harbor substantial privacy and security risks. The recent VPN Transparency Report 2025, published by the Open Technology Fund, highlighted significant deficiencies in several of the most popular VPNs worldwide.

The study scrutinized 32 commercial VPN providers and flagged several well-known services—such as TurboVPN, VPN Proxy Master, XY VPN, and 3X VPN – Smooth Browsing—as “concerning.” Each of these applications has amassed over 100 million downloads from the Google Play Store.

Researchers discovered that some of these VPNs misrepresent their security protocols, relying on Shadowsocks, a tunneling technology not intended for confidentiality, while falsely asserting robust encryption capabilities. The report underscores the importance of users conducting thorough research on the ownership and operational practices of their VPN providers, understanding the underlying technology, and carefully reviewing the privacy policies prior to installation.

AppWizard