Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones

The Hacker News by The Hacker News
October 1, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.

Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions.

“Klopatra represents a significant evolution in mobile malware sophistication,” security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said. “It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze.”

Evidence gathered from the malware’s command-and-control (C2) infrastructure and linguistic clues in the associated artifacts suggests that it is being operated by a Turkish-speaking criminal group as a private botnet, given the absence of a public malware-as-a-service (MaaS) offering. As many as 40 distinct builds have been discovered since March 2025.

Attack chains distributing Klopatra employ social engineering lures to trick victims into downloading dropper apps that masquerade as seemingly harmless tools, such as IPTV applications, allowing the threat actors to bypass security defences and completely take control of their mobile devices.

DFIR Retainer Services

Offering the ability to access high-quality TV channels as a lure is a deliberate choice, as pirated streaming applications are popular among users, who are often willing to install such apps from untrusted sources, thus unwittingly infecting their phones in the process.

The dropper app, once installed, requests the user to grant it permissions to install packages from unknown sources. Upon obtaining this permission, the dropper extracts and installs the main Klopatra payload from a JSON Packer embedded within it. The banking trojan is no different from other malware of its kind, seeking permission to Android’s accessibility services to realize its goals.

While accessibility services is a legitimate framework designed to assist users with disabilities to interact with the Android device, it can be a potent weapon in the hands of bad actors, who can abuse it to read contents of the screen, record keystrokes, and perform actions on behalf of the user to conduct fraudulent transactions in an autonomous manner.

“What elevates Klopatra above the typical mobile threat is its advanced architecture, built for stealth and resilience,” Cleafy said. “The malware authors have integrated Virbox, a commercial-grade code protection tool rarely seen in the Android threat landscape. This, combined with a strategic shift of core functionalities from Java to native libraries, creates a formidable defensive layer.”

“This design choice drastically reduces its visibility to traditional analysis frameworks and security solutions, applying extensive code obfuscation, anti-debugging mechanisms, and runtime integrity checks to hinder analysis.”

Besides incorporating features to maximize evasion, resilience, and operational effectiveness, the malware provides operators with granular, real-time control over the infected device using VNC features that are capable of serving a black screen to conceal the malicious activity, such as executing banking transactions without their knowledge.

Klopatra also uses the accessibility services to grant itself additional permissions as required to prevent the malware from being terminated, and attempts to uninstall any hard-coded antivirus apps already installed on the device. Furthermore, it can launch fake overlay login screens atop financial and cryptocurrency apps to siphon credentials. These overlays are delivered dynamically from the C2 server when the victim opens one of the targeted apps.

It’s said the human operator actively engages in fraud attempts over what’s described as a “carefully orchestrated sequence” that involves first checking if the device is charging, the screen is off, and is currently not being actively used.

If these conditions are met, a command is issued to reduce the screen brightness to zero and display a black overlay, giving the impression to the victim that the device is inactive and off. In the background, however, the threat actors use the device PIN or pattern previously stolen to gain unauthorized access, launch the targeted banking app, and drain the funds through multiple instant bank transfers.

CIS Build Kits

The findings show that although Klopatra doesn’t try to reinvent the wheel, it poses a serious threat to the financial sector owing to a technically advanced assemblage of features to obfuscate its true nature.

“Klopatra marks a significant step in the professionalization of mobile malware, demonstrating a clear trend of threat actors adopting commercial-grade protections to maximize the lifespan and profitability of their operations,” the company said.

“The operators show a clear preference for conducting their attacks during the night. This timing is strategic: the victim is likely asleep, and their device is often left charging, ensuring it remains powered on and connected. This provides the perfect window for the attacker to operate undetected.”

The development comes a day after ThreatFabric flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Boards lack AI savvy as adoption advances: PwC

Boards lack AI savvy as adoption advances: PwC

Recommended.

Future-Proofing Business Continuity: BCDR Trends and Challenges for 2025

Future-Proofing Business Continuity: BCDR Trends and Challenges for 2025

March 13, 2025
Analysis: No Matter How Google Deal Turns Out, Wiz Wins

Analysis: No Matter How Google Deal Turns Out, Wiz Wins

June 16, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio