The new Android banking trojan Klopatra has emerged as a significant threat to mobile security. So far, it has compromised more than 3,000 devices, mostly located in Spain and Italy. The security team at Italian fraud prevention company Cleafy discovered Klopatra in late August 2025. The malware employs sophisticated techniques that distinguish it from more typical mobile threats. The trojan uses Hidden Virtual Network Computing (VNC) to remotely control infected smartphones, which lets its operators conduct fraudulent transactions and siphon credentials through dynamic overlays.
Cleafy claims that since March 2025, Klopatra’s operators have created as many as 40 different builds, which reflects a sustained effort to stay undetected. The malware integrates Virbox, a commercial-grade code protection tool that is seldom seen in the Android threat landscape. This integration makes Klopatra very hard to detect and reverse engineer, raising red flags among security researchers.
Klopatra’s Methodology and Impact
What sets Klopatra apart from run-of-the-mill mobile threats is its innovative architecture, which is built for stealth and evasion. The trojan abuses accessibility services to obtain additional permissions, which allows it to carry out its on-device actions without the user noticing. In addition to checking for Presto, Klopatra tries to uninstall any hard-coded antiviruses that might have come pre-installed on the device, further protecting its operation.
“What elevates Klopatra above the typical mobile threat is its advanced architecture, built for stealth and resilience,” – Cleafy
The trojan’s dynamic overlays steal sensitive credentials by impersonating legitimate apps and tricking users. Klopatra’s ability to execute authentic-looking fraudulent transactions appears to be a major threat to both individuals and banks.
Experts also note a clear pattern in the timing of Klopatra’s attacks. Malware authors tend to run their operations at night, because doing so reduces the risk of detection. This timing shows a strategic, calculated approach to cybercrime and serves as a reminder for Android users to stay on high alert.
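The behaviours described above (an accessibility service, overlays, uninstalling other apps) each leave a trace in an app's manifest. The following triage sketch is an added example, not Cleafy's tooling and not a set of Klopatra indicators: the mapping from behaviour to manifest entry, the sample manifest and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: behaviours named in the article -> standard Android
# manifest permissions an app would typically request to perform them.
PERMISSION_SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "can request uninstall of other apps",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample of a decoded AndroidManifest.xml (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return human-readable findings for a decoded manifest string."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings = [f"{p}: {why}" for p, why in PERMISSION_SIGNALS.items() if p in requested]
    for svc in root.iter("service"):
        # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            findings.append(f"accessibility service declared: {svc.get(ANDROID_NS + 'name')}")
    return findings


def is_high_risk(findings):
    """Flag only the combination: accessibility service plus another signal."""
    has_a11y = any(f.startswith("accessibility service") for f in findings)
    return has_a11y and len(findings) >= 2


if __name__ == "__main__":
    results = triage_manifest(SAMPLE_MANIFEST)
    for line in results:
        print("finding:", line)
    print("high risk:", is_high_risk(results))
```

Each signal is common in legitimate apps on its own, so the check only escalates the combination, and a hit is a reason for manual review rather than a verdict.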
Detection Challenges and Responses
Klopatra has a nefarious and dangerous track record. Google claims there are no apps with this malware currently on Google Play. A spokesperson for Google stated, “Based on our current detection, no apps containing this malware are found on Google Play.” Google Play Protect is already working to protect Android users from known versions of this malware. This security feature is on by default on Android devices that use Google Play Services.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” – Google spokesperson
Cybersecurity experts are worried by Klopatra’s incorporation of Virbox. They note that its use of native libraries forms a highly effective defensive layer that can potentially escape most typical detection strategies. This increase in sophistication signals an alarming progression in the development of mobile malware.
“Klopatra represents a significant evolution in mobile malware sophistication,” – Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello
The Future of Mobile Malware
Cleafy sees Klopatra as the harbinger of a trend toward the professionalization of mobile malware. With commercial-grade protections at their disposal, threat actors are able to maximize the lifespan and profitability of their operations. This change represents a notable increase in the sophistication of the tactics used by bad actors.
“Klopatra marks a significant step in the professionalization of mobile malware, demonstrating a clear trend of threat actors adopting commercial-grade protections,” – Cleafy
As the mobile threat landscape constantly shifts, users and security professionals alike must adapt to stay ahead of these dangers. The rise of Klopatra also reminds us that the dangers of mobile banking and online transactions are very real and ongoing.

