Full Report
A new Android banking and remote access trojan (RAT) dubbed Klopatra disguised as an IPTV and VPN app has infected more than 3,000 devices across Europe. [...]
Analysis Summary
# Tool/Technique: Klopatra RAT
## Overview
Klopatra is a new, powerful Android Remote Access Trojan (RAT) and banking trojan that disguises itself as an IPTV and VPN application. Its primary goal is to steal banking credentials, exfiltrate sensitive data, and drain cryptocurrency wallets by providing attackers with hands-on, remote control over the infected device, notably through a hidden Virtual Network Computing (VNC) mode.
## Technical Details
- Type: Malware family (Banking Trojan/RAT)
- Platform: Android
- Capabilities: Real-time screen monitoring, input capture, simulated gesture navigation, VNC remote control, overlay attacks for credential harvesting, clipboard and keystroke exfiltration, cryptocurrency wallet information collection, and AV disabling.
- First Seen: March 2025
## MITRE ATT&CK Mapping
The described capabilities map best to the following, though a comprehensive mapping would require further analysis of all features:
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (Implied via non-Play Store distribution)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Via Virbox, string encryption)
  - T1070.004 - Indicator Removal: File Deletion (Attempts to uninstall AV)
- **TA0006 - Credential Access**
  - T1003.002 - OS Credential Dumping: Credentials from Web Browsers (Implied via overlay attacks)
- **TA0007 - Discovery**
  - T1082 - System Information Discovery (Implied by data collection)
- **TA0008 - Lateral Movement** (Not explicitly detailed, but remote access enables this)
- **TA0009 - Collection**
  - T1119 - Automated Collection (Screen monitoring, input capture)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (Use of HTTP/S for C2)
- **TA0015 - Lateral Movement**
  - T1218 - Signed Binary Proxy Execution (Not explicitly detailed, but common in RATs)
- **TA0016 - Privilege Escalation**
  - T1548.002 - Abuse Elevation Control Mechanism: System Settings (Abusing Accessibility service)
## Functionality
### Core Capabilities
- **Banking Fraud:** Steals credentials via overlay attacks targeting financial applications.
- **Data Exfiltration:** Captures clipboard content and keystrokes.
- **Account Draining:** Facilitates bank account draining, potentially by operators executing transactions manually through the remote-control session.
- **Evasion:** Uses commercial code protector Virbox, native libraries, NP Manager string encryption, anti-debugging checks, runtime integrity checks, and emulator detection.
- **Persistence/Control:** Abuses the Android Accessibility service to gain high-level permissions, simulate user interaction (taps/gestures), and monitor screens.
### Advanced Features
- **Hidden VNC Mode:** Allows operators to remotely control the device, simulating taps on specific screen coordinates, horizontal/vertical swipes, and long presses. This mode is activated specifically when the device is idle (screen locked or charging), so the victim is unlikely to notice the activity.
- **AV Disabling:** Maintains a hardcoded list of known Android antivirus packages and actively attempts to uninstall them.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Dropper advertised as "Modpro IP TV + VPN" APK.
- Registry Keys: [Not applicable to Android focus]
- Network Indicators: Operates C2 infrastructure hidden behind Cloudflare; origin IPs have been exposed, linking the infrastructure to a single hosting provider.
- Behavioral Indicators: Attempts to gain Accessibility Service permissions; checks if the screen is off or the device is charging before initiating VNC control; enumerates and attempts to delete specified AV packages; heavy reliance on simulating touch inputs.
## Associated Threat Actors
- A Turkish-speaking cybercrime group (based on language artifacts and development notes).
- Linked to approximately 3,000 unique infections across Europe since March 2025.
## Detection Methods
- Signature-based detection: Identification of the specific Klopatra hashes or known C2 domains (if they become public).
- Behavioral detection: Detection of applications requesting Accessibility Service permissions without legitimate need, attempts to enumerate or uninstall system applications (especially security software), and unusual remote input simulation when the device appears idle.
- YARA rules: [Not provided in the text]
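The behavioural indicators above (Accessibility enablement by an unexpected package, uninstall attempts against security apps, and simulated input while the screen is off) can be correlated into one verdict. The following is an added example, not code from the original report or from any vendor: it runs a small detector over constructed, logcat-like event lines (a simplified format, not real Android log output), and the package names, allow-list and security-package set are all hypothetical placeholders.

```python
import re
# Constructed, simplified event lines for this demo (logcat-like, NOT real Android output).
SAMPLE_EVENTS = """\
14:02:11 ACCESSIBILITY pkg=com.example.iptvvpn state=enabled
14:02:20 SCREEN state=off
14:02:25 GESTURE pkg=com.example.iptvvpn type=tap x=540 y=1200
14:02:26 GESTURE pkg=com.example.iptvvpn type=swipe dir=vertical
14:03:01 UNINSTALL_REQUEST pkg=com.example.iptvvpn target=com.example.antivirus
14:05:00 SCREEN state=on
14:05:10 GESTURE pkg=com.example.talkback type=tap x=100 y=200
"""
# Hypothetical allow-list of legitimate Accessibility users and hypothetical security-app packages (assumptions).
ACCESSIBILITY_ALLOWLIST = {"com.example.talkback"}
SECURITY_PACKAGES = {"com.example.antivirus"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")
def parse_event(line):
    """Split '<time> <KIND> k=v ...' into (kind, fields); None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(2), dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)

def detect(events):
    """Return deduplicated (package, reason) findings in order of first occurrence."""
    screen_on = True  # assume the screen is on until a SCREEN event says otherwise
    findings, seen = [], set()
    for line in events.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        kind, f = parsed
        pkg, reason = f.get("pkg"), None
        if kind == "SCREEN":
            screen_on = f.get("state") == "on"
        elif kind == "ACCESSIBILITY" and f.get("state") == "enabled" and pkg not in ACCESSIBILITY_ALLOWLIST:
            reason = "accessibility_enabled_without_legitimate_need"
        elif kind == "UNINSTALL_REQUEST" and f.get("target") in SECURITY_PACKAGES:
            reason = "security_app_uninstall_attempt"
        elif kind == "GESTURE" and not screen_on:
            reason = "input_simulation_while_screen_off"  # hidden-VNC-style activity on an idle device
        if reason and (pkg, reason) not in seen:
            seen.add((pkg, reason))
            findings.append((pkg, reason))
    return findings
def suspicious_packages(findings, min_reasons=2):
    """Packages tripping at least `min_reasons` distinct behaviours, to cut single-signal noise."""
    per_pkg = {}
    for pkg, reason in findings:
        per_pkg.setdefault(pkg, set()).add(reason)
    return sorted(p for p, r in per_pkg.items() if len(r) >= min_reasons)
```

Requiring two or more distinct behaviours per package keeps a legitimate screen reader (which also enables Accessibility) from being flagged on that signal alone.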
## Mitigation Strategies
- Avoid downloading and sideloading APK files from unofficial or obscure websites.
- Exercise extreme caution when prompted to grant the Accessibility Service permission, rejecting any requests from unfamiliar applications.
- Keep Google Play Protect active and up-to-date on all Android devices.
- Maintain strong security awareness regarding the social engineering techniques used to trick users into installing malware disguised as IPTV/VPN apps.
## Related Tools/Techniques
- Other Android Banking Trojans utilizing Accessibility Services (e.g., SharkBot, FluBot).
- Use of VNC or similar screen-sharing technology in malware for remote desktop-style access (less common in mobile malware than standard RAT protocols).