Security News: Fake Android VPN App Steals Users’ Money via Sophisticated Banking Trojan

Security researchers at Cleafy recently uncovered a dangerous new malware campaign using a fake Android VPN app to gain full control of victims’ devices and drain their bank accounts.

The malicious app — Mobdro Pro IP TV + VPN, also circulating under the name Mod Pro IP TV + VPN — is spreading through unofficial websites that encourage users to sideload APK files outside the Google Play Store. Once installed, the app drops a powerful banking trojan known as Klopatra.


A New, Evolving Android Threat

The Klopatra threat has been actively evolving since March 2025, with researchers identifying over 40 distinct versions of the malware to date. It has already infected more than 3,000 devices across Europe, with the highest concentration in Spain and Italy.

Cleafy’s analysis attributes the operation to a Turkish-speaking criminal group, based on infrastructure and code artefacts. The malware’s sophistication, constant updates, and use of advanced evasion techniques mark it as one of the most complex Android banking trojans seen in 2025.


How Klopatra Works

Once the malicious app is installed, Klopatra abuses Android’s Accessibility Services, originally intended to help users with disabilities, to gain near-total control of the device. It can:

  • Read on-screen content and capture credentials, such as bank login details
  • Simulate taps and gestures, allowing it to make transactions invisibly
  • Use a “Hidden VNC” module to perform these actions without the user seeing them

The trojan operates quietly, often executing fraudulent transfers while the device appears idle or even when users are asleep.


Advanced Stealth and Persistence

Researchers report that Klopatra employs multiple layers of code obfuscation, anti-debugging checks, and the Virbox Protector platform to evade detection. It also includes anti-emulation features to avoid being analysed by security sandboxes.

Cleafy’s telemetry indicates two active botnets distributing the malware, both built around malicious “dropper” apps like Mod Pro IP TV + VPN.


So who is affected by these fake apps?

This campaign is limited to Android devices. Klopatra specifically targets Android’s system architecture and relies on APK sideloading and Accessibility Service abuse — features that don’t exist on iPhones or iPads.

Apple iOS devices are not affected by this malware as long as they remain in their standard, non-jailbroken state.

  • iPhones and iPads use a closed security ecosystem, where all apps must be digitally signed and vetted through the App Store.
  • The sandboxing model in iOS isolates each app, preventing it from reading other apps’ data or automating system actions.

The only potential risk would be to jailbroken devices, which have had Apple’s built-in protections removed. These can install apps from unverified sources, making them more susceptible to similar threats. For everyday users, though, Apple’s security controls provide strong protection against trojans like Klopatra.


Who’s at Risk and How to Stay Safe

The campaign highlights the serious risks of sideloading apps from unverified sources. Free VPN and IPTV apps are a frequent lure for malware authors, as they attract users seeking free streaming or privacy tools.

Experts recommend:

  • Installing apps only from the Google Play Store or trusted sources
  • Disabling sideloading (installation from “unknown sources”) on business-managed devices
  • Reviewing Accessibility Service permissions regularly
  • Keeping Android devices fully updated
  • Deploying mobile threat defense software in business environments
  • Training staff to recognise risky downloads and fake app branding
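
As an added illustration of the Accessibility Service review recommended above (this is example code written for this article, not Cleafy's tooling), the script below cross-checks the enabled accessibility services on a device against how each owning app was installed, and flags services that belong to a third-party app not installed by Google Play. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; the sample output and the `com.example.*` package names are constructed.

```python
import subprocess

PLAY_STORE = "com.android.vending"  # installer package name used by Google Play

def parse_enabled_services(raw):
    """Parse `settings get secure enabled_accessibility_services` output:
    colon-separated components of the form package/service.Class."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_installers(raw):
    """Parse `pm list packages -3 -i` lines: package:<name>  installer=<name>."""
    installers = {}
    for line in raw.splitlines():
        parts = line.strip().split()
        if not parts or not parts[0].startswith("package:"):
            continue
        inst = [p.split("=", 1)[1] for p in parts[1:] if p.startswith("installer=")]
        installers[parts[0][len("package:"):]] = inst[0] if inst else "null"
    return installers

def flag_sideloaded_services(services_raw, packages_raw, trusted=(PLAY_STORE,)):
    """Return (package, service, installer) for each enabled accessibility
    service owned by a third-party app that no trusted store installed.
    Preinstalled system apps are absent from the -3 listing and are skipped."""
    installers = parse_installers(packages_raw)
    return [(pkg, svc, installers[pkg])
            for pkg, svc in parse_enabled_services(services_raw)
            if pkg in installers and installers[pkg] not in trusted]

def adb(*args):
    """Run one `adb shell` command against the connected device."""
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample output; package names are made up for illustration.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.iptvvpn/com.example.iptvvpn.HelperService")
SAMPLE_PACKAGES = """package:com.example.notes  installer=com.android.vending
package:com.example.iptvvpn  installer=null
"""

if __name__ == "__main__":
    for pkg, svc, inst in flag_sideloaded_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}: service {svc}, installer={inst}")
```

To audit a connected device instead of the sample, pass `adb("settings", "get", "secure", "enabled_accessibility_services")` and `adb("pm", "list", "packages", "-3", "-i")` as the two inputs. A flagged entry is a prompt for manual review, not proof of infection.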

Bottom Line

These findings are well-supported: Klopatra is real, the infections are confirmed, and the distribution method is verified by credible research. The jury may be out on exactly how many variants there are, how many devices have been infected to date and which countries in Europe have been most affected by the threat so far. In short though, this isn’t hype. It’s a genuine, active Android threat exploiting users’ trust in free VPN and IPTV apps.

This blog post has been created with assistance from ChatGPT.
