It’s easy to shrug off the dangers of installing unverified apps, but doing so often has consequences. Security researchers have recently discovered that an Android app claiming to be a free IPTV and VPN combination service is, in fact, a nasty piece of malware.
Breaking down how it works is interesting and illustrates the importance of being vigilant about what you install on your device.
The “VPN” app you don’t want to install
Security researchers at Cleafy have written an extensive report about a new form of malware, called “Klopatra”, that’s not tied to any known families of malware.
The attack begins with a fake app called “Mobdro Pro IP TV + VPN”, which claims to give access to IPTV channels while providing a free VPN for anonymity. Many IPTV streams are illegal because they provide copyrighted content without authorization. Thus, apps like this usually aren’t on official app stores since they break the terms of service.
During setup, the app prompts you with a “Continue with the installation” button. Tapping this brings up an Android prompt about allowing the app to install other apps, which is an immediate red flag. You might authorize, say, the Files app to sideload Android apps from APKs you download. But a VPN/streaming app has no reason to install other apps on your device.
Credit: Cleafy
If you grant this permission, you’re then prompted to install another app, which contains the malware. Notice in the screenshot how the second app has a different “M” character and is called “Mobdro pro”. This is attempting to trick a victim into thinking they are “finishing” one installation, when in reality they’re installing a second, different app.
Even the best Android security tips can’t keep you from giving direct access to malware on your own.
Requesting more permissions to abuse
Once you’ve been tricked into installing the Klopatra app, it immediately requests major permissions so it can take over your device. The core request is for Accessibility Services, which is used by legitimate accessibility apps to read the contents of your screen and interact with the device for you.
But malicious actors can use this to inflict tons of damage. Having accessibility permissions lets an app read all text on the screen, capture everything you enter on your device, navigate apps, hit buttons, perform swipes, and enter text for you.
Once the app has this permission, it uses it to disable battery optimization for itself so Android doesn’t end its process. In the meantime, the malware also gathers all your device information, including the list of installed apps, to better understand you.
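For anyone checking a device over adb, the traits described in this section (installed from outside the Play Store, an enabled accessibility service, a battery optimization exemption) can be cross-referenced. The script below is an added example, not taken from Cleafy's report or this article; the package names and sample output are constructed, and the `type,package,uid` line format of `dumpsys deviceidle whitelist` is an assumption based on current Android releases.

```python
# Constructed sample output; package names are hypothetical.
SAMPLE_PM = """package:com.example.screenreader  installer=com.android.vending
package:com.example.mobdropro  installer=null
package:com.example.fdroidnotes  installer=org.fdroid.fdroid"""
SAMPLE_A11Y = "com.example.screenreader/.ReaderService:com.example.mobdropro/.CoreService"
SAMPLE_IDLE = "system,com.google.android.gms,10013\nuser,com.example.mobdropro,10231"

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; adjust for your fleet

def parse_installers(pm_output):
    """`adb shell pm list packages -3 -i` -> {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, rest = line[len("package:"):].partition(" ")
            installers[name] = rest.split("installer=", 1)[-1].strip()
    return installers

def parse_a11y(setting):
    """`adb shell settings get secure enabled_accessibility_services` -> packages."""
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if "/" in c}

def parse_idle_exempt(dump):
    """`adb shell dumpsys deviceidle whitelist` -> user-granted exemptions only."""
    rows = (line.strip().split(",") for line in dump.splitlines())
    return {r[1] for r in rows if len(r) == 3 and r[0] == "user"}

def triage(pm_output, a11y_setting, idle_dump):
    """Flag sideloaded apps that also hold accessibility or a battery exemption."""
    a11y, exempt = parse_a11y(a11y_setting), parse_idle_exempt(idle_dump)
    findings = {}
    for pkg, src in parse_installers(pm_output).items():
        if src in TRUSTED_INSTALLERS:
            continue
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg in exempt:
            reasons.append("exempt from battery optimization")
        if reasons:
            findings[pkg] = [f"installer={src or 'unknown'}"] + reasons
    return findings

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_IDLE).items():
        print(pkg, "->", "; ".join(why))
```

A Play Store screen reader with accessibility enabled and a sideloaded app with neither privilege are both left alone; only the combination is reported.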
A clear, detailed threat
Cleafy goes on to provide a detailed analysis of how this malware goes beyond typical smartphone malware attacks. It employs various tools and methods that make it harder to detect and reverse engineer.
In essence, the malware provides remote access to the attackers, letting them do everything you could with the device in your hand. That includes a hidden VNC mode, which allows remote control while a black screen is displayed. As a result, the owner of an infected device wouldn’t be able to spot that something was wrong by noticing the device performing actions seemingly on its own.
This malware actively watches for threats to itself and prevents you from taking action. It contains a list of popular Android security apps; if you install one of these, it will try to uninstall it to avoid detection. With full control, the app can also force the “back” action if you figure out what’s happening and try to uninstall the malicious app.
Learning more about the people behind this
Investigation revealed that Klopatra came from Turkey, as everything from operator comments about individual victims to code functions is in Turkish.
All these factors point to a coordinated, sophisticated group attack. This isn’t a hobbyist prankster who bought malware off the shelf; it’s from a team that knew what they were doing and took the time to protect their attack asset.
The malware campaign has been focused on Europe, with attacks aimed at Spanish and Italian banks. However, the team identified a third server that ran campaigns in various other countries, suggesting that the attack might expand over time.
Cleafy also notes how the attack developed over time, from a prototype in March 2025 to the modern version with all the protections and advanced theft mechanics.
Attacking your financial accounts
Despite being unique, Klopatra still uses known tricks from other Android threats. It contains a list of financial apps; when you open one, the malware displays an identical, phony dialog box over the legitimate login screen. You don’t notice it, but you’re handing your password over to the attackers.
Unsurprisingly, the attackers prefer to act during the night. While the victim is sleeping, their device is likely online and charging, which allows the criminals to access it without raising any suspicion.
Through their deep-rooted remote access, the remote operator can check if the device is in use, make the screen go black, use the stolen PIN to unlock the device, then open a banking app and send transfers to their own accounts. It’s a sophisticated attack, combining both automated data collection and direct action from the malicious actor.
Analysis of the app found a text field where the criminals leave notes about their attempts. In one example, the text shows the operator had the victim’s unlock pattern and that a transfer for $7,000 had failed.
Be smart to keep yourself safe
Even if you don’t live in the areas where this attack was targeted, you can take something away from learning how it works. Given how hard this malware is to detect and remove, it’s vital that you don’t allow these kinds of apps anywhere near your system.
The most important line of defense is not installing apps you don’t trust, especially if they come from outside the Play Store. In relation to this issue, Google stated that Google Play Protect will keep your device safe from malicious behavior. And while that’s good to have, it can’t catch everything.
It’s also notable that the initial payload for this attack is an app promising free IPTV content. Looking for illegal content online leads to a bevy of risks, including malware, so it’s wise to stay far away from that.
And if you ever install an app that immediately wants to install another app or have you grant deep permissions like Accessibility Services, run away. Legitimate apps won’t ever do this.

