
Klopatra Android Trojan Conducts Nighttime Bank Transfers

3 unique sources, 5 articles

Summary


A new Android banking malware, Massiv, poses as an IPTV app to steal digital identities and take over online banking accounts. It targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data, and can open new accounts in the victim's name for money laundering and loans. It offers two remote-control modes: live screen streaming and a UI-tree mode that extracts structured data from the Accessibility Service. The use of IPTV apps as lures for Android malware infections has increased over the past eight months.

Before Massiv, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is idle. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and other IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden VNC (HVNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.

Timeline

  1. 19.02.2026 12:00 · 2 articles

    Massiv malware targets Portuguese government app

    Massiv targets a Portuguese government app that connects with Chave Móvel Digital, stealing digital identities and taking over online banking accounts. With a stolen identity the operators can open new accounts in the victim's name for money laundering and loans. Massiv is distributed through dropper apps mimicking IPTV apps, delivered by SMS phishing, and primarily targets users in Spain, Portugal, France, and Turkey.

    To steal credentials, Massiv combines screen streaming through Android's MediaProjection API, keylogging, SMS interception, and fake overlays. It offers two remote-control modes: live screen streaming, and a UI-tree mode that extracts structured data from the Accessibility Service. UI-tree mode bypasses screen-capture protections by building a JSON representation of the visible text and UI elements: because it reads the view hierarchy rather than pixels, a window that blanks itself for screenshots and screen recording is still fully readable.

    Commands supported by the malware include enabling and disabling black overlays, sending device information, performing click and swipe actions, altering clipboard text, turning screen streaming on and off, unlocking the device, serving overlays, downloading ZIP archives with overlays, downloading and installing APK files, opening settings screens, requesting permissions, and clearing log databases.

    Massiv's operator shows signs of transitioning to a Malware-as-a-Service model, having introduced API keys for the malware's communication with the backend.

  2. 30.09.2025 23:28 · 3 articles

    Klopatra Trojan Conducts Nighttime Bank Transfers

    Klopatra integrates Virbox, a commercial-grade code protector, to obstruct reverse engineering and analysis. It moves logic into native libraries to reduce its Java/Kotlin footprint and uses NP Manager string encryption in recent builds. The malware features several anti-debugging mechanisms, runtime integrity checks, and emulator detection. Klopatra supports all remote actions required to perform manual bank transactions, including simulated taps, swipes, and long-presses. The operators front their infrastructure with Cloudflare to hide its tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same hosting provider. The malware has been linked to two campaigns, each counting around 3,000 unique infections.

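The UI-tree mode in the Massiv entry above works because an AccessibilityService reads the view hierarchy (node text, content descriptions, bounds) rather than pixels, so a window flagged FLAG_SECURE, which blanks MediaProjection streams and screenshots, is still fully readable through rootInActiveWindow. The Kotlin below is an added illustration of the app-side mitigation, not code from this page or from any of the reports it cites: it applies FLAG_SECURE against the streaming mode, marks sensitive views accessibility-data-sensitive on Android 14+ so that services not declared as accessibility tools do not receive their nodes, and inventories enabled services as a risk signal. The class, layout and view ids (LoginActivity, R.layout.activity_login, R.id.account_number, R.id.otp_field) are hypothetical names assumed for the example.

```kotlin
// Added example, not from the page or any vendor report. Hardening pattern for a
// banking login screen against both remote-control modes described above.
// Assumes a layout with views R.id.account_number and R.id.otp_field (hypothetical).
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

class LoginActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // 1. FLAG_SECURE blanks this window for MediaProjection-based screen streaming
        //    and screenshots. This is the "screen capture protection" that UI-tree mode
        //    sidesteps: an accessibility client never rasterises the screen at all.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login)

        // 2. Accessibility-tree exposure. Any enabled AccessibilityService can walk
        //    rootInActiveWindow and read text/contentDescription of these views
        //    regardless of FLAG_SECURE. On Android 14+ a view can be marked
        //    accessibility-data-sensitive: services that do not declare
        //    isAccessibilityTool="true" in their metadata no longer receive its nodes.
        //    Screen readers keep working; a stealth banking trojan does not.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            listOf(R.id.account_number, R.id.otp_field).forEach { id ->
                findViewById<View>(id)
                    .setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
            }
        }

        // 3. Inventory of enabled services as a risk signal (a signal, not a block:
        //    legitimate screen readers are enabled the same way).
        val suspicious = nonToolAccessibilityServices()
        if (suspicious.isNotEmpty()) {
            Log.w(TAG, "non-tool accessibility services enabled: $suspicious")
            // A real app would step up authentication or hold the transaction flow here.
        }
    }

    /**
     * Returns ids ("package/class") of enabled accessibility services that do not
     * declare themselves as accessibility tools. Before Android 13 the flag does not
     * exist, so every enabled service is returned and the app must keep its own
     * allow-list of known-good screen readers.
     */
    fun nonToolAccessibilityServices(): List<String> {
        val am = getSystemService(AccessibilityManager::class.java) ?: return emptyList()
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .filter { info ->
                Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU || !info.isAccessibilityTool
            }
            .map { it.id }
    }

    companion object {
        private const val TAG = "LoginActivity"
    }
}
```

The isAccessibilityTool declaration is made by the service itself in its own metadata, so the view-level flag raises the cost for a sideloaded trojan rather than closing the channel outright; treat the service inventory as input to step-up authentication, and remember that on Android 12 and earlier neither API exists, so the allow-list branch is all an app has.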


Similar Happenings

Keenadu Android Backdoor Discovered in Firmware and Google Play Apps

A sophisticated Android malware called Keenadu has been discovered embedded in firmware from multiple device brands and distributed through various vectors, including Google Play apps. The malware provides attackers with unrestricted control over infected devices, enabling broad-range data theft and other malicious activities. As of February 2026, 13,715 devices have been confirmed infected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. The malware's capabilities include compromising all installed applications, installing any apps from APK files, and monitoring user activities, including incognito browsing. Kaspersky researchers compare Keenadu to the Triada malware family, which was found in counterfeit Android devices last year. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023, and is embedded within tablet firmware with valid digital signatures. The malware has also been found in smart home camera apps on Google Play with 300,000 downloads, which are no longer available.

ZeroDayRAT Malware Targets Android and iOS Devices

A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5 through 16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. Infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. A dedicated web-based dashboard gives the operator a complete overview of the phone, including device model, SIM, location data, carrier information, app usage, a live activity timeline, and recent SMS messages. Advertised features include SMS control, a keylogger, a microphone feed, a screen recorder, a crypto stealer, and a bank stealer targeting online banking apps, UPI platforms, and payment services such as Apple Pay and PayPal. The malware is sold openly on Telegram with access to a panel featuring sales, customer support, and platform update channels. At $2,000, its pricing indicates higher-than-average ambitions and a focus on specific individuals or enterprises. ZeroDayRAT represents a convergence of nation-state-level capabilities with criminal economics, widening the market for surveillance malware.

Android Malware Campaign Abuses Hugging Face Platform

A new Android malware campaign leverages the Hugging Face platform to distribute thousands of variants of an APK payload designed to steal credentials from popular financial and payment services. The infection chain begins with a dropper app called TrustBastion, promoted through scareware-style popups claiming the device is infected with malware. Once installed, the dropper prompts the user to run an update that mimics legitimate Google Play and Android system update dialogs, then contacts an encrypted endpoint hosted at trustbastion[.]com, which returns an HTML file containing a redirect to the Hugging Face repository hosting the final payload. Server-side polymorphism (a freshly generated variant for each download) is used to evade detection. The payload masquerades as a 'Phone Security' feature to guide users through enabling the Accessibility Service, and requests permissions for screen recording, screen casting, and overlay display so that it can monitor all user activity, capture screen content, and take screenshots. It also captures lockscreen information used for security verification by financial and payment services. The campaign was discovered by Bitdefender researchers, who found over 6,000 commits in the repository. The repository was taken down but resurfaced under a new name, 'Premium Club,' with the same malicious code. Bitdefender has published indicators of compromise and informed Hugging Face, which removed the malicious datasets.

Android Malware Wonderland Targets Uzbekistan with SMS Theft and RAT Capabilities

Threat actors are using malicious dropper apps disguised as legitimate applications to deliver Wonderland, an Android SMS stealer, to users in Uzbekistan. Wonderland facilitates bidirectional command-and-control (C2) communication, enabling real-time command execution, USSD requests, and SMS theft. The malware is distributed through fake Google Play Store pages, Facebook ad campaigns, and compromised Telegram accounts. Once installed, it steals SMS messages, intercepts OTPs, and siphons funds from victims' bank cards. The operation is coordinated by the financially motivated group TrickyWonders, which employs a hierarchical structure for malware distribution and financial fraud.

SantaStealer Malware-as-a-Service Targets Browsers and Crypto Wallets

A new malware-as-a-service (MaaS) named SantaStealer is being advertised on Telegram and hacker forums. Developed by a Russian-speaking actor, it is a rebranded version of BluelineStealer. The malware steals data from browsers, cryptocurrency wallets, and other applications, operating in memory to avoid file-based detection. Despite claims of advanced evasion techniques, samples analyzed by Rapid7 reveal poor operational security and incomplete development. SantaStealer uses 14 data-collection modules to exfiltrate information via a hardcoded C2 endpoint. The malware is not yet fully operational, but its planned distribution methods include ClickFix attacks, phishing, pirated software, and malvertising.