Android malware uses VNC to give attackers hands-on access

A new Android banking and remote access trojan (RAT) dubbed Klopatra, disguised as an IPTV and VPN app, has infected more than 3,000 devices across Europe.

Klopatra is described as a powerful trojan that can monitor the screen in real time, capture input, and simulate gesture navigation, and that features a hidden Virtual Network Computing (VNC) mode.

Researchers at cybersecurity company Cleafy say that the new trojan does not appear to be connected to any documented Android malware families and appears to be the project of a Turkish-speaking cybercrime group.

Klopatra was developed to steal banking credentials via overlay attacks, exfiltrate clipboard content and keystrokes, drain accounts over VNC, and collect cryptocurrency wallet app info.

A stealthy, evasive threat

The malware infiltrates victims’ devices through a dropper app called “Modpro IP TV + VPN,” which is distributed outside of the official Google Play platform for Android.

[Figure: The Klopatra installation process. Source: Cleafy Labs]

Klopatra integrates Virbox, a commercial-grade code protector that obstructs reverse-engineering and analysis, uses native libraries to reduce its Java/Kotlin footprint, and, in recent builds, adds NP Manager string encryption.

Cleafy reports that the malware features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities to ensure it’s not running in an analysis environment.
