
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with the majority of infections reported in Spain and Italy.
Cleafy, the Italian fraud prevention company that discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it uses hidden virtual network computing (VNC) for remote control of infected devices, along with dynamic overlays to steal credentials, ultimately enabling fraudulent transactions.
"Klopatra represents a significant evolution in mobile malware sophistication," said security researchers Federico Valentini, Alessandro Strino, Simone Mattia and Michele Roviello. "Its extensive use of native libraries, combined with the integration of Virbox, a commercial-grade code protection suite, makes detection and analysis extremely difficult."
Evidence gathered from linguistic clues in the malware's command-and-control (C2) infrastructure and associated artifacts suggests that it is operated as a private botnet by a Turkish-speaking criminal group, since it is not offered as malware-as-a-service (MaaS) to other criminals. As many as 40 different builds have been discovered since March 2025.
The attack chain distributing Klopatra uses social engineering lures to trick victims into downloading dropper apps disguised as seemingly harmless tools such as IPTV applications, which let the threat actors bypass security defenses and gain full control over the victims' mobile devices.

Pirated streaming applications are popular, so a lure that promises access to premium TV channels is a deliberate choice: users are often willing to install such apps from untrusted sources and unknowingly infect their phones in the process.
Once installed, the dropper app asks the user to grant permission to install packages from unknown sources. With that permission, the dropper extracts and installs the main Klopatra payload from a JSON packer embedded within it. Like other banking trojans, Klopatra then pursues its goals by requesting access to Android's accessibility services.
Accessibility services are a legitimate framework designed to help users with disabilities interact with Android devices, but in the hands of a threat actor they become a powerful weapon: a malicious service can read screen content, log keystrokes and perform actions on the user's behalf, which is enough to carry out fraudulent transactions automatically.
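The permission combination described above (an enabled accessibility service plus the ability to sideload packages, draw overlays and remove apps) is something an incident responder can check for on a suspect device. The following triage script is an added example written for this page, not Cleafy's code or anything from the Klopatra samples. It parses the colon-separated value Android stores in `enabled_accessibility_services` and the `requested permissions:` section of `dumpsys package` output; the sample device state, the package name `com.example.iptv.player` and the `KNOWN_GOOD` allowlist are constructed for illustration.

```python
"""Triage check for a suspect Android device: flag third-party packages that
have an enabled accessibility service and also request overlay, install or
uninstall permissions, the combination the dropper-plus-trojan chain needs.

Added example, not Cleafy's code.  The inputs are constructed strings that
mimic `adb shell settings get secure enabled_accessibility_services` and the
`requested permissions:` section of `adb shell dumpsys package PKG`.
"""

# Assumption: packages whose accessibility services you expect on a managed
# fleet (screen readers and the like); extend for your environment.
KNOWN_GOOD = {"com.google.android.marvin.talkback", "com.android.talkback"}

# Permissions that, next to accessibility, enable overlays, sideloading a
# second stage and removing security apps.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW",       # draw fake login overlays
    "android.permission.REQUEST_INSTALL_PACKAGES",  # install the payload
    "android.permission.REQUEST_DELETE_PACKAGES",   # uninstall antivirus apps
    "android.permission.QUERY_ALL_PACKAGES",        # enumerate targeted apps
}


def parse_enabled_services(setting: str) -> dict:
    """Map package -> enabled accessibility service classes.

    Android stores the list as colon-separated `package/ServiceClass`
    entries; a leading dot means the class is relative to the package.
    The value is the literal string "null" when nothing is enabled.
    """
    services = {}
    if setting.strip() in ("", "null"):
        return services
    for entry in setting.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_requested_permissions(dumpsys_text: str) -> set:
    """Collect the permission names listed under `requested permissions:`.

    Entries are indented one level deeper than the header; the first line
    that is not indented that deep ends the section.
    """
    perms, in_section = set(), False
    for line in dumpsys_text.splitlines():
        if line.strip() == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if not line.startswith("      "):
                in_section = False
                continue
            perms.add(line.strip())
    return perms


def triage(setting: str, dumpsys_by_pkg: dict) -> list:
    """Return findings, highest score first, for non-allowlisted packages."""
    findings = []
    for pkg, classes in parse_enabled_services(setting).items():
        if pkg in KNOWN_GOOD:
            continue
        risky = RISKY & parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        findings.append({
            "package": pkg,
            "services": classes,
            "risky_permissions": sorted(risky),
            # 1 for the accessibility service itself, +1 per risky permission
            "score": 1 + len(risky),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample device state (not captured from a real infection).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptv.player/.core.AssistService"
)
SAMPLE_DUMPSYS = {
    "com.example.iptv.player": """Package [com.example.iptv.player] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.REQUEST_DELETE_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_DUMPSYS):
        print(f"{f['score']}  {f['package']}  {', '.join(f['services'])}")
        for p in f["risky_permissions"]:
            print("     ", p)
```

On a real device, feed the script the output of `adb shell settings get secure enabled_accessibility_services` and one `adb shell dumpsys package <pkg>` capture per package it names; a score above 1 means the package has accessibility plus at least one of the capabilities the chain above relies on and deserves a closer look.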

"What sets Klopatra apart from typical mobile threats is its sophisticated architecture, built for stealth and resilience," Cleafy said. "The malware authors have integrated Virbox, a commercial-grade code protection tool that is rarely seen in the Android threat landscape. This, combined with a strategic shift of core functionality from Java to native libraries, creates a formidable layer of defense."
"This design choice significantly reduces visibility for traditional analysis frameworks and security solutions, and frustrates analysis through extensive code obfuscation, anti-debugging mechanisms and runtime integrity checks."
Besides features that maximize evasion, resilience and operational effectiveness, the malware gives operators granular, real-time control over infected devices through its VNC feature, which can show the victim a black screen to hide malicious activity such as banking transactions performed without their knowledge.

Klopatra also uses the accessibility service to grant itself additional permissions as needed, to prevent the malware from being terminated, and to uninstall a hard-coded list of antivirus apps already installed on the device. It can also launch fake overlay login screens on top of financial and cryptocurrency apps to siphon credentials. These overlays are delivered dynamically from the C2 server when the victim opens one of the targeted apps.
Human operators are said to be actively involved in the fraud attempts, following what is described as a "carefully orchestrated sequence" that first checks whether the device is charging, the screen is off and the device is not currently in use.
If these conditions are met, a command is issued to reduce the screen brightness to zero and display a black overlay, giving the victim the impression that the device is idle and switched off. In the background, the threat actors use the previously stolen device PIN or unlock pattern to gain unauthorized access, launch the targeted banking apps and drain funds through multiple instant bank transfers.
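The sequence above has a transaction-side signature: transfers requested while the device reports a dark or non-interactive screen, at night, on charge, in a burst of instant payments, and with a foreign accessibility service enabled. The following scoring rule is an added example written for this page, not Cleafy's or any bank's detection logic. It assumes a hypothetical in-app SDK that attaches device context to each transfer request; the field names, weights, thresholds and the sample transfers are all constructed for illustration.

```python
"""Transaction-side detection for the nocturnal black-screen fraud sequence.

Added example, not Cleafy's or any bank's code.  Assumption: the bank's
in-app SDK attaches device context to every transfer request (screen
interactive state, brightness, charging state, whether a non-allowlisted
accessibility service is enabled).  Field names and weights are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TransferRequest:
    ts: datetime                # device-local time of the request
    amount: float
    instant: bool               # instant-payment rail
    screen_interactive: bool    # PowerManager.isInteractive() at request time
    brightness: int             # SCREEN_BRIGHTNESS, 0-255
    charging: bool
    foreign_a11y_service: bool  # accessibility service from an unknown package


NIGHT_HOURS = range(0, 6)       # assumption: local 00:00-05:59
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3                 # instant transfers within BURST_WINDOW


def score_request(req: TransferRequest, history: list) -> tuple:
    """Score one transfer given earlier requests from the same session.

    The dark or non-interactive screen carries the most weight: a real user
    cannot be driving the app through a screen the device reports as off or
    at brightness zero, so that signal alone warrants step-up.
    """
    score, reasons = 0, []
    if not req.screen_interactive or req.brightness == 0:
        score += 3
        reasons.append("screen off or brightness zero during transfer")
    if req.foreign_a11y_service:
        score += 2
        reasons.append("unknown accessibility service enabled")
    if req.ts.hour in NIGHT_HOURS:
        score += 1
        reasons.append("night-time activity")
    if req.charging:
        score += 1
        reasons.append("device on charge")
    recent = [h for h in history if h.instant and req.ts - h.ts <= BURST_WINDOW]
    if req.instant and len(recent) + 1 >= BURST_COUNT:
        score += 2
        reasons.append(f"{len(recent) + 1} instant transfers within {BURST_WINDOW}")
    return score, reasons


def decide(score: int) -> str:
    if score >= 5:
        return "block"
    if score >= 3:
        return "step-up"
    return "allow"


def evaluate_session(requests: list) -> list:
    """Evaluate requests in time order; one (time, score, decision, reasons) per request."""
    decisions, history = [], []
    for req in sorted(requests, key=lambda r: r.ts):
        score, why = score_request(req, history)
        decisions.append((req.ts.isoformat(), score, decide(score), why))
        history.append(req)
    return decisions


def _t(hour, minute):
    return datetime(2025, 9, 15, hour, minute)


# Constructed sample: one legitimate daytime transfer, then the pattern from
# the article: three instant transfers at night, screen dark, device charging,
# driven through a foreign accessibility service.
LEGIT = TransferRequest(_t(14, 5), 120.0, True, True, 180, False, False)
ATTACK = [
    TransferRequest(_t(2, 14), 950.0, True, False, 0, True, True),
    TransferRequest(_t(2, 16), 980.0, True, False, 0, True, True),
    TransferRequest(_t(2, 19), 990.0, True, False, 0, True, True),
]

if __name__ == "__main__":
    for when, score, decision, why in evaluate_session([LEGIT] + ATTACK):
        print(f"{when}  score={score:<2} {decision:8} {'; '.join(why)}")
```

The weights are deliberately coarse; the point is that the attacker's own preconditions (dark screen, charging, idle, night) are exactly the context a legitimate user almost never transacts in, so they should raise the bar for instant transfers rather than be ignored because the PIN was correct.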

The findings show that Klopatra is not trying to reinvent the wheel, but it poses a serious threat to the financial sector through a collection of technically sophisticated functions that obfuscate its true nature.
"Klopatra represents a key step in the professionalization of mobile malware, and shows a clear trend of threat actors adopting commercial-grade protection to maximize operational longevity and profitability," the company said.
"The operators clearly prefer to attack at night. This timing is strategic: the victim is likely asleep, and the device remains charged, powered on and connected."
The development comes a day after ThreatFabric documented Datzbro, another previously undocumented Android banking trojan.