New Android Banking Trojan “Klopatra” uses hidden VNC to control infected smartphones

By user, October 1, 2025

A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with the majority of infections reported in Spain and Italy.

Cleafy, an Italian fraud prevention company, discovered the sophisticated malware and remote access trojan (RAT) in late August 2025. It leverages hidden virtual network computing (VNC) for remote control of infected devices and dynamic overlays to facilitate credential theft, ultimately enabling fraudulent transactions.

“Klopatra represents a significant evolution in mobile malware sophistication,” said security researchers Federico Valentini, Alessandro Storino, Simone Mattia and Michele Loviello. “The extensive use of native libraries combined with the integration of Virbox, a commercial-grade code protection suite, makes detection and analysis extremely difficult.”

Evidence gathered from linguistic cues in the malware's command-and-control (C2) infrastructure and associated artifacts suggests that it is operated as a private botnet by a Turkish-speaking criminal group, rather than being offered publicly as malware-as-a-service (MaaS). Up to 40 different builds have been discovered since March 2025.

The attack chain distributing Klopatra uses social engineering lures to trick victims into downloading dropper apps disguised as seemingly harmless tools such as IPTV applications, allowing the threat actors to bypass security defenses and gain full control over the mobile device.


Pirated streaming applications are popular among users, so the promise of access to premium TV channels is an intentional choice of lure. Users willingly install such apps from untrusted sources and unknowingly infect their phones in the process.

Once installed, the dropper asks the user to grant permission to install packages from unknown sources. With that permission granted, the dropper extracts and installs the main Klopatra payload from the JSON packer embedded within it. Like other malware of this kind, the banking trojan then achieves its goals by requesting access to Android's accessibility services.

Accessibility services are a legitimate framework designed to help users with disabilities interact with Android devices, but in the hands of malware they become a powerful weapon: the malware can read screen content, record keystrokes, and perform actions on the user's behalf, which lets it carry out fraudulent transactions automatically.

“What sets Klopatra apart from the typical mobile threat is its sophisticated architecture built for stealth and resilience,” Cleafy said. “The malware's authors integrate Virbox, a commercial-grade code protection tool that is rarely seen in the Android threat landscape. This, combined with a strategic shift of core functionality from Java to native libraries, creates a formidable layer of defense.”

“This design choice significantly reduces visibility for traditional analytical frameworks and security solutions, and disrupts analysis by applying extensive code obfuscation, anti-debugging mechanisms and runtime integrity checks.”

In addition to incorporating features to maximize evasion, resilience and operational effectiveness, the malware gives operators granular, real-time control of infected devices through its VNC feature, which can present a black screen to hide malicious activity, such as carrying out bank transactions without the victim's knowledge.

Klopatra also abuses the accessibility service to grant itself additional permissions as needed, to prevent the malware from being terminated, and to uninstall a hard-coded list of antivirus apps already installed on the device. It can additionally display fake login overlays on top of financial and cryptocurrency apps to siphon credentials. These overlays are delivered dynamically from the C2 server when the victim opens one of the targeted apps.

Human operators are said to be actively involved in the fraud attempts, following what is described as a “carefully orchestrated sequence” that first checks whether the device is charging, the screen is off, and the device is not currently in active use.

If these conditions are met, a command is issued to reduce the screen brightness to zero and display a black overlay, giving the victim the impression that the device is inactive or switched off. In the background, however, the threat actors use previously stolen device PINs or unlock patterns to gain unauthorized access, launch the targeted banking apps, and drain funds through multiple instant bank transfers.
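As an added defender-side illustration (not part of the Cleafy report or this article), the following Python correlates constructed device-telemetry events to flag the sequence just described: the screen reported off, brightness forced to zero, an overlay drawn by a sideloaded package, and accessibility-driven input from that same package bringing a banking app to the foreground. The telemetry format, event names and package names are assumptions, not fields of any real MDM product.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the article or Cleafy's report), one event per
# line as "HH:MM:SS,device,event,detail". The feed, event names and package names are
# assumptions standing in for whatever an MDM/mobile EDR product actually reports.
SAMPLE_LOG = """\
01:12:00,dev-A,screen_off,
01:13:00,dev-A,brightness,0
01:13:02,dev-A,overlay_shown,com.example.iptv
01:13:10,dev-A,a11y_action,com.example.iptv
01:13:12,dev-A,foreground,com.bank.app
14:00:00,dev-B,brightness,0
14:00:05,dev-B,foreground,com.bank.app
"""
BANKING_PKGS = {"com.bank.app"}  # assumed watch-list of financial apps

def to_secs(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def parse(log):
    for line in log.splitlines():
        ts, dev, ev, detail = line.split(",", 3)
        yield to_secs(ts), dev, ev, detail

def detect(log, window=300):
    """Return (device, suspect_pkg, banking_pkg) for each banking app brought to the
    foreground while the screen is reported off, brightness is zero and the same
    third-party package both drew an overlay and injected accessibility input."""
    state = defaultdict(dict)   # device -> signal -> (time, detail) of last occurrence
    alerts = []
    for t, dev, ev, detail in parse(log):
        st = state[dev]
        if ev in ("screen_off", "overlay_shown", "a11y_action"):
            st[ev] = (t, detail)
        elif ev == "screen_on":
            st.pop("screen_off", None)        # user woke the device: no longer "idle"
        elif ev == "brightness":
            if detail == "0":
                st["dark"] = (t, detail)
            else:
                st.pop("dark", None)
        elif ev == "foreground" and detail in BANKING_PKGS:
            recent = {k: v for k, v in st.items() if t - v[0] <= window}
            if {"screen_off", "dark", "overlay_shown", "a11y_action"}.issubset(recent):
                actor = recent["a11y_action"][1]
                if actor == recent["overlay_shown"][1] and actor not in BANKING_PKGS:
                    alerts.append((dev, actor, detail))
    return alerts
```

dev-B, whose user simply dimmed the screen before opening the bank app, produces no alert because neither an overlay nor accessibility input preceded it.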


The findings show that Klopatra does not try to reinvent the wheel, but still poses a serious threat to the financial sector thanks to a collection of technically sophisticated functions that obscure its true nature.

“Klopatra is a key step in the specialization of mobile malware, and shows a clear trend of threat actors adopting commercial-grade protection to maximize operational lifespan and profitability,” the company said.

“Operators clearly prefer to attack at night. This timing is strategic: the victim is likely to be asleep, and the device remains charged, powered on and connected.”

This development comes a day after ThreatFabric documented a previously unknown Android banking trojan called Datzbro.
