New Android banking trojan hijacks thousands of phones

A previously unknown Android malware strain is targeting thousands of banking customers across southern Europe, potentially stealing their hard-earned cash.
In late August 2025, security researchers from Cleafy’s Threat Intelligence team discovered Klopatra, a new Android Remote Access Trojan (RAT).
According to data provided by the researchers, the malware, already active in Spain and Italy, has compromised more than 3,000 devices through two coordinated botnets since the campaigns began in March 2025.
Masquerading as a pirate TV app
The attackers prey on users searching for pirate TV streaming apps. The malware masquerades as an IPTV application called "Mobdro Pro IP TV + VPN."
Such applications are not allowed on the Google Play Store, so it is easier to trick users into downloading them from unknown sources. Once installed, the application convinces the user to grant critical permissions on the device.
To achieve this, the app presents a simple user interface with a button inviting users to "continue with the installation." Tapping this button redirects the user to Android's system settings and instructs them to grant the requested permissions there.
Malware attacks bank accounts
Once deployed, the trojan acts as both banking malware and a remote access tool. Its Virtual Network Computing (VNC) feature gives attackers full, real-time control of the infected device.
The attacker can navigate through apps, enter PINs and passwords, and make money transactions without the victim noticing anything suspicious.
A huge threat to Europe
A technical analysis of the malware shows a high level of sophistication. The developers integrated Virbox, a commercial-grade code protection suite rarely seen in mobile malware, to protect the trojan from detection.
Instead of using standard Java code, attackers used native libraries, adding another defensive layer against reverse engineering and automated analysis tools.
Cleafy’s researchers analyzed samples of the malware and are convinced that the threat actor behind the malware is of Turkish origin.
The operational notes discovered within the code suggest the threat actor not only develops the malware but also manages the full attack chain, from infection to monetization.
“Klopatra represents a significant and sophisticated threat to the financial sector and mobile device users, particularly in Europe,” wrote the researchers in their report.
Tracking Klopatra’s activity over recent months, Cleafy identified more than 40 distinct builds in circulation, reflecting a fast-moving development cycle.
“The agility shown by its rapid development cycle suggests that the operators will continue to refine their TTPs, expand their target list, and integrate new evasion techniques to stay one step ahead of the security community,” the researchers concluded.