Klopatra: New Android Trojan Drains Bank Accounts via Hidden VNC

7th October 2025

A newly discovered Android banking Remote Access Trojan (RAT), dubbed Klopatra, has compromised more than 3,000 devices in Spain and Italy. Security researchers from Cleafy revealed that Klopatra uses hidden Virtual Network Computing (VNC) to give attackers full remote control over infected smartphones.

How Klopatra Works

Klopatra spreads through malicious dropper apps disguised as IPTV streaming tools. Once installed, these apps trick users into granting permissions to install from unknown sources. The trojan then abuses Android accessibility services to read screens, capture keystrokes, and even perform transactions without the user’s knowledge.

The malware goes further by:

  • Displaying fake overlay login screens on banking and crypto apps to steal credentials.
  • Using stolen device PINs to unlock phones at night while users sleep.
  • Lowering screen brightness to zero and showing a fake black screen, making the device appear “off” while attackers perform transfers in the background.
  • Uninstalling antivirus apps and granting itself additional permissions to remain undetected.

What makes Klopatra especially dangerous is its professional-grade code protection. By using tools like Virbox and shifting much of its functionality from Java to native libraries, the malware is harder to detect and analyze.

Why It Matters

Klopatra isn’t the first Android trojan, but it signals a worrying trend: threat actors are now using commercial-grade software protection solutions to hide, protect, and extend the lifespan of their malware. This makes the identification, containment, eradication, and remediation of these financial crimes more difficult, time-consuming, and costly to society. Combine that with the effectiveness of this attack at silently draining bank accounts, and we have a highly impactful threat to the world.

Google confirmed that Klopatra has not been found on Google’s Play Store and that Google Play Protect blocks known variants. Consequently, the risk here comes from downloading apps outside officially sanctioned and reviewed marketplaces.

How to Protect Yourself

  • Avoid third-party app stores and only install apps from Google’s Play Store.
  • Manage app permissions carefully. Be suspicious if apps request accessibility permissions without a valid reason.
  • Use mobile security solutions that can detect trojans.
  • Enable Google Play Protect (on by default for Android devices).
  • Stay informed through articles like this. Perform your assigned cybersecurity awareness training.
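As an added example (not from the original article or from Cleafy's research), the Python below cross-checks which apps hold an enabled accessibility service against where each app was installed from, the combination the advice above says to be suspicious of. It assumes the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i -3`; the sample data, the `com.example.*` package names and the trusted-installer list are constructed for illustration.

```python
import re

# Assumption: only the Play Store installer counts as a trusted source.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(raw):
    """Parse colon-separated pkg/ServiceClass components ('null' when none)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return {}
    services = {}
    for comp in raw.split(":"):
        pkg, _, cls = comp.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(raw):
    """Parse lines of the form: package:<name>  installer=<name>."""
    out = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out

def flag_risky(accessibility_raw, packages_raw):
    """Third-party apps with an enabled accessibility service that were
    not installed by a trusted store, as (package, installer, services)."""
    services = parse_accessibility(accessibility_raw)
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, classes in sorted(services.items()):
        if pkg not in installers:
            continue  # not in the third-party (-3) listing: preinstalled app
        if installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, installers[pkg], classes))
    return findings

# Constructed sample output, not captured from a real or infected device.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.iptvplayer/.core.HelperService:"
               "com.example.passwordmgr/.AutofillA11yService")
SAMPLE_PKGS = ("package:com.example.iptvplayer  installer=com.google.android.packageinstaller\n"
               "package:com.example.passwordmgr  installer=com.android.vending\n"
               "package:com.example.game  installer=null\n")

if __name__ == "__main__":
    for pkg, installer, classes in flag_risky(SAMPLE_A11Y, SAMPLE_PKGS):
        print(f"REVIEW {pkg}: accessibility {classes}, installer={installer}")
```

A flagged package is a prompt for manual review rather than proof of infection, since legitimately sideloaded apps with accessibility features will also appear.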

How CyberHoot Can Help

With ongoing awareness training, phishing simulations, and dark web monitoring, CyberHoot empowers organizations to turn their users into a powerful first line of defense against these threats.

Our training includes:

  • Recognizing and avoiding phishing attempts in a fun, positive, reward-driven approach (as opposed to punishment and shame).
  • Learning about safe mobile app best practices and security.
  • Using password managers and multi-factor authentication to prevent damage from stolen credentials.
  • Adopting passkeys for stronger, phishing-resistant logins.

Sources and Additional Reading:

The Hacker News: New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones

