Cleafy: Klopatra — Android banking trojan disguised as a free VPN
Security firm Cleafy has published a report on Klopatra, a sophisticated Android banking trojan distributed by an app posing as “Mobdro Pro IP + VPN.” The app guides users through an apparent installation wizard that actually hands the attacker extensive control over the device. Klopatra abuses Android Accessibility services to operate as the user, access banking apps, drain accounts, and recruit devices into a botnet.
Key points
- Malware name: Klopatra
- Delivery: Fake app “Mobdro Pro IP + VPN” (often from unofficial sources)
- Technique: Social engineering + Accessibility abuse to perform transactions and install further payloads
- Impact: Cleafy reports roughly 3,000 devices affected, mainly in Italy and Spain; the actor is likely Turkey-based and actively evolving its tactics.
How it infects
The malicious app requests dangerous permissions and accessibility rights during a convincing “installer” flow. Once granted, Klopatra can:
- Open and operate banking apps as if it were the user
- Make fraudulent transfers and drain accounts
- Add the device to a botnet for further attacks
How to protect yourself
- Only install VPNs and streaming/IPTV apps from Google Play or the official App Store.
- Avoid sideloading APKs from third-party sites or unknown sources.
- Carefully review app permissions; don’t grant Accessibility or install-from-unknown-sources unless you fully trust the app and vendor.
- Use a reputable VPN provider, for example Proton VPN or hide.me.
- Keep your OS and apps updated; use a reputable mobile security app to scan for threats.
- If you suspect infection: disable Accessibility permissions for unknown apps immediately, run a malware scan, change banking passwords from a clean device, contact your bank, and consider a factory reset if compromise is confirmed.
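
A check for the two conditions described above, a sideloaded app that holds Accessibility rights, as an added example that is not from Cleafy's report. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; the package names, sample data and trusted-installer list are constructed assumptions.

```python
import re
import subprocess

# Assumption: installer packages treated as trusted stores; adjust as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample data (not from the Cleafy report).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.fakevpn/.HelperService:"
                  "com.example.passwordmgr/.FillService")
SAMPLE_LISTING = """package:com.example.fakevpn  installer=null
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.game  installer=com.google.android.packageinstaller
"""

def parse_enabled_services(setting):
    """Map package -> service classes from the colon-separated setting value."""
    setting = setting.strip()
    if not setting or setting == "null":  # "null" means no service is enabled
        return {}
    services = {}
    for component in setting.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(listing):
    """Map package -> installer from `pm list packages -3 -i` output."""
    return dict(re.findall(r"^package:(\S+)[ \t]+installer=(\S+)", listing, re.M))

def risky_accessibility_apps(setting, listing):
    """Third-party apps with Accessibility enabled and no trusted-store installer."""
    installers = parse_installers(listing)  # system packages are absent (-3)
    return sorted((pkg, installers[pkg]) for pkg in parse_enabled_services(setting)
                  if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS)

def adb_shell(*args):
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    # Runs against the constructed samples; swap in the adb_shell() calls for a device:
    #   adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    #   adb_shell("pm", "list", "packages", "-3", "-i")
    for pkg, src in risky_accessibility_apps(SAMPLE_SETTING, SAMPLE_LISTING):
        print(f"REVIEW: {pkg} has Accessibility enabled (installer={src})")
```

Any package it reports is a candidate for having its Accessibility permission disabled and the app reviewed or removed.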
Sources
Primary analysis: Cleafy report on Klopatra
If you’ve seen suspicious VPN or IPTV apps, share the app name below so others can avoid them.
