This dangerous new Android malware disguises itself as a VPN or IPTV app – so be on your guard

Cybersecurity researchers from Cleafy have disclosed a sophisticated Android trojan known as Klopatra, which poses a significant threat to banking and cryptocurrency users. The malware can drain funds from banking applications and steal cryptocurrency from hot wallets, all while the device’s screen remains off.

Technical Sophistication of Klopatra

Klopatra, attributed to a Turkish threat actor, stands out due to its unique construction, suggesting it was developed from the ground up rather than being a mere variation of existing malware. Since its initial detection in March 2025, the trojan has undergone 40 iterations, indicating ongoing enhancements and refinements by its creators.

The malware is distributed through a deceptive application called Modpro IP TV + VPN, masquerading as a legitimate IPTV and VPN service. Upon installation, this dropper activates Klopatra, which, like many malicious applications, requests Accessibility Services permissions to gain extensive control over the device.

  • Evading Detection: Klopatra employs a range of advanced techniques to elude detection and analysis. It utilizes Virbox, a legitimate software protection platform, to safeguard its code against reverse engineering and unauthorized access.
  • Minimizing Exposure: The malware minimizes its use of Java and Kotlin by leveraging native libraries, which complicates analysis further. Recently, it has also incorporated NP Manager string encryption to obscure its operations.
  • Anti-Debugging Features: Klopatra is equipped with multiple anti-debugging mechanisms and runtime integrity checks, along with the capability to detect when it is being run in an emulator, effectively thwarting attempts by researchers to dissect its functionality.

As of now, Cleafy reports that at least 3,000 devices across Europe have fallen victim to this malware, highlighting the urgent need for enhanced cybersecurity measures among users of banking and cryptocurrency applications.
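
Because the dropper described above depends on being granted Accessibility Services, one defensive check is to list which enabled accessibility services belong to apps that were neither preinstalled nor installed from a trusted store. The following is an added example, not code from Cleafy or from the original article; it parses the text output of three adb commands. The package names in the sample data are constructed placeholders, and treating Google Play as the only trusted installer is an assumption.

```python
# Added example: audit which enabled accessibility services belong to sideloaded apps.
# Inputs are the text output of three adb commands (the samples below are constructed):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i      (package + installer)
#   adb shell pm list packages -s      (system packages only)
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def enabled_services(settings_out):
    """Return (package, service_class) pairs from the colon-separated setting."""
    out = settings_out.strip()
    if not out or out == "null":          # "null" means no service is enabled
        return []
    pairs = []
    for comp in filter(None, out.split(":")):
        pkg, _, cls = comp.partition("/")
        # A leading dot means the class name is relative to the package.
        pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def installers(pm_i_out):
    """Map package -> installer (None when the package manager reports 'null')."""
    result = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_i_out, re.M):
        result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def system_packages(pm_s_out):
    """Set of package names flagged as system (preinstalled) packages."""
    return {l.split(":", 1)[1].strip()
            for l in pm_s_out.splitlines() if l.startswith("package:")}

def sideloaded_accessibility(settings_out, pm_i_out, pm_s_out):
    """Enabled accessibility services whose app is neither preinstalled nor store-installed."""
    inst, system = installers(pm_i_out), system_packages(pm_s_out)
    return [(pkg, cls, inst.get(pkg)) for pkg, cls in enabled_services(settings_out)
            if pkg not in system and inst.get(pkg) not in TRUSTED_INSTALLERS]

# Constructed sample output; com.example.iptvvpn is a placeholder, not a real indicator.
SETTINGS = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback."
            "TalkBackService:com.example.iptvvpn/.core.A11yService\n")
PM_I = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvvpn  installer=null
package:com.example.bank  installer=com.android.vending
"""
PM_S = "package:com.google.android.marvin.talkback\npackage:com.android.settings\n"

if __name__ == "__main__":
    for pkg, cls, src in sideloaded_accessibility(SETTINGS, PM_I, PM_S):
        print(f"REVIEW {pkg} ({cls}) installer={src or 'none recorded'}")
```

A match is a prompt to review the app and its permissions, not proof of infection; legitimately sideloaded accessibility tools will appear in the same list.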
