
Klopatra Android Trojan Conducts Nighttime Bank Transfers

3 unique sources, 3 articles

Summary


A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them. Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. The malware integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis. It uses native libraries to reduce its Java/Kotlin footprint and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing. Klopatra uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.
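The summary above describes the operating pattern (gestures injected through Accessibility Services while the device is idle, charging and unattended at night). The following is an added detection heuristic written for this page, not code from any of the cited reports; it runs over a constructed telemetry stream whose event shapes and package names are assumptions.

```python
"""Flag accessibility-driven input on an idle, charging device at night.

Constructed telemetry (not real device logs): each event is a dict in the
shape a device-management agent could plausibly emit. The field names and
the 'accessibility_gesture' event type are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Packages legitimately allowed to inject input via accessibility (screen readers etc.).
ALLOWLIST = {"com.google.android.marvin.talkback"}
NIGHT_START, NIGHT_END = time(0, 0), time(6, 0)


@dataclass
class Alert:
    package: str
    first_seen: str
    gesture_count: int


def is_night(ts: datetime) -> bool:
    return NIGHT_START <= ts.time() < NIGHT_END


def find_idle_automation(events, min_gestures=3):
    """Count gestures a non-allowlisted package injects while the screen is
    off, the battery is charging and it is night; alert above a threshold."""
    screen_on, charging = True, False
    counts, first = {}, {}
    for ev in events:  # events are assumed to be in chronological order
        kind = ev["type"]
        if kind == "screen":
            screen_on = ev["interactive"]
        elif kind == "power":
            charging = ev["charging"]
        elif kind == "accessibility_gesture":
            pkg = ev["source"]
            ts = datetime.fromisoformat(ev["ts"])
            if pkg in ALLOWLIST or screen_on or not charging or not is_night(ts):
                continue  # benign context: user present, not charging, or daytime
            counts[pkg] = counts.get(pkg, 0) + 1
            first.setdefault(pkg, ev["ts"])
    return [Alert(p, first[p], n) for p, n in counts.items() if n >= min_gestures]


SAMPLE_EVENTS = [  # constructed sample; "com.example.iptv" is a placeholder package
    {"ts": "2025-09-30T22:10:00", "type": "accessibility_gesture", "source": "com.example.iptv"},
    {"ts": "2025-09-30T23:00:00", "type": "screen", "interactive": False},
    {"ts": "2025-09-30T23:05:00", "type": "power", "charging": True},
    {"ts": "2025-10-01T02:30:00", "type": "accessibility_gesture", "source": "com.example.iptv"},
    {"ts": "2025-10-01T02:30:05", "type": "accessibility_gesture", "source": "com.example.iptv"},
    {"ts": "2025-10-01T02:30:09", "type": "accessibility_gesture", "source": "com.example.iptv"},
    {"ts": "2025-10-01T02:31:00", "type": "accessibility_gesture", "source": "com.google.android.marvin.talkback"},
]
```

The 22:10 gesture is ignored because the screen was still on; only the three injected at 02:30 on a dark, charging device produce an alert.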

Timeline

  1. 30.09.2025 23:28 · 3 articles

    Klopatra Trojan Conducts Nighttime Bank Transfers

    Klopatra integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis. It uses native libraries to reduce its Java/Kotlin footprint and employs NP Manager string encryption in recent builds. The malware features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. Klopatra supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing. The malware uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.


Similar Happenings

Datzbro Android Trojan Targeting Elderly via AI-Generated Facebook Events

A new Android banking trojan named Datzbro is targeting elderly users through AI-generated Facebook events. The malware, discovered in August 2025, conducts device takeover (DTO) attacks and performs fraudulent transactions. It exploits social engineering tactics to trick victims into downloading malicious APK files from fraudulent links. The threat actors behind Datzbro focus on users in Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. The malware leverages Android's accessibility services to perform remote actions, record audio, capture photos, and steal credentials. It also includes features to hide malicious activities and steal device lock screen PINs and passwords associated with Alipay and WeChat. Datzbro is believed to be the work of a Chinese-speaking threat group, with its command-and-control (C2) backend being a Chinese-language desktop application. The malware has been distributed freely among cybercriminals after a compiled version of the C2 app was leaked.

RatOn Android Malware with NFC Relay and ATS Banking Fraud Capabilities Detected

A new Android malware named RatOn has been detected. It combines NFC relay attacks, automated transfer system (ATS) capabilities, and account takeover functions targeting cryptocurrency wallets and banking apps. RatOn was first observed in July 2025 and has been actively developed since. The malware targets Czech- and Slovak-speaking users and leverages fake Play Store listings to distribute malicious dropper apps. RatOn requests extensive permissions to bypass security measures and deploy additional malware, including NFSkate, which performs NFC relay attacks. The malware can also execute ransomware-like attacks, locking devices and demanding cryptocurrency payments. RatOn's capabilities include account takeover of cryptocurrency wallets and automated money transfers using the George Česko banking app. The malware's operators demonstrate a deep understanding of the targeted applications, suggesting a well-resourced and sophisticated threat actor.

Brokewell Android malware campaign targets cryptocurrency users via fake TradingView ads

A malware campaign is using fake TradingView ads on Meta's advertising platforms to distribute the Brokewell Android malware. The campaign, active since at least July 22, targets cryptocurrency users and seeks to steal sensitive data, gain remote control of devices, and bypass two-factor authentication. The malware is delivered via a malicious APK file hosted on a fake TradingView site. Brokewell features a broad set of capabilities, including data theft, remote monitoring, and control of compromised devices. It can steal cryptocurrency wallets, bank account details, and Google Authenticator codes. The malware also records screens and keystrokes, activates the camera and microphone, and tracks device locations. It can intercept SMS messages, including banking and 2FA codes, and execute remote commands via Tor or WebSockets. The campaign is part of a larger operation that previously targeted Windows users with Facebook ads impersonating well-known brands.

Malicious Android Apps with 19M Installs Removed from Google Play

Seventy-seven malicious Android apps, with over 19 million installs, were removed from Google Play. These apps delivered multiple malware families, including the Anatsa (TeaBot) banking trojan, Joker, Harly, and maskware. The apps were discovered by Zscaler's ThreatLabz team and included adware, credential theft, and other malicious functionalities. The malware targeted various banking and cryptocurrency apps, expanding its scope to include Germany and South Korea. The apps used various evasion techniques, including malformed APK archives, runtime DES-based string decryption, and emulator detection. Users are advised to enable Play Protect and take additional steps to secure compromised accounts.

Cybercriminals exploit Lovable vibe coding service for malicious websites

Cybercriminals are increasingly abusing the Lovable vibe coding service to create malicious websites for phishing attacks, crypto scams, and other threats. Since February 2025, Proofpoint researchers have observed tens of thousands of Lovable URLs delivered in email messages and flagged as threats. The service, launched in late 2024, has been used to generate convincing and effective websites in minutes, lowering the barrier to entry into cybercrime. Lovable, based in Stockholm, Sweden, has been targeted by multiple campaigns leveraging its AI-powered platform to distribute MFA phishing kits, malware, and phishing kits targeting credit card and personal information. The company has responded by implementing new security protections, including Security Checker 2.0, an AI-powered platform safety program, and taking down hundreds of malicious domains. Four malicious campaigns have been identified: a large-scale operation using the phishing-as-a-service platform Tycoon, a payment and data theft campaign impersonating UPS, a cryptocurrency theft campaign impersonating Aave, and a malware delivery campaign distributing the remote access trojan zgRAT. Additionally, DPRK hackers have leveraged ClickFix-style lures to deliver BeaverTail and InvisibleFerret malware, targeting marketing and trader roles in cryptocurrency and retail sector organizations. That campaign uses a fake hiring platform web application created with Vercel to distribute the malware, which is delivered as a compiled binary for Windows, macOS, and Linux systems.