Klopatra: exposing a new Android banking trojan operation with roots in Turkey www.cleafy.com/cleafy-la…

In late August 2025, Cleafy’s Threat Intelligence team discovered Klopatra, a new, highly sophisticated Android malware currently used in active campaigns against financial institutions and their customers. The analysis identified two major botnets targeting users primarily in Spain and Italy, with the number of compromised devices already exceeding 3,000. Klopatra operates as a powerful banking trojan and Remote Access Trojan (RAT), allowing its operators to gain complete control over infected devices, steal sensitive credentials, and execute fraudulent transactions.

What elevates Klopatra above the typical mobile threat is its advanced architecture, built for stealth and resilience. The malware authors have integrated Virbox, a commercial-grade code protection tool rarely seen in the Android threat landscape. Combined with a strategic shift of core functionality from Java to native libraries, this creates a formidable defensive layer: together these measures apply extensive code obfuscation, anti-debugging mechanisms, and runtime integrity checks that hinder analysis, and they drastically reduce the malware's visibility to traditional analysis frameworks and security solutions.
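To show why the Java-to-native shift matters for triage, here is an added example (written for this page, not Cleafy's tooling and not derived from the Klopatra sample) that measures how much of an APK's code lives in DEX files versus native ELF libraries and flags ELF files stored outside the usual `lib/<abi>/` layout, a common sign that a loader will drop or decrypt them at runtime. The 50% "native-heavy" threshold, the function names and the in-memory sample APK are constructed assumptions; the script knows nothing about Virbox signatures and only reports what a static analyst would want to see before deciding how to approach the sample.

```python
import io
import zipfile
from typing import Dict, List

# Magic bytes of the two code containers we care about.
ELF_MAGIC = b"\x7fELF"
DEX_MAGIC = b"dex\n"

# Assumed heuristic: if more than half the code bytes are native, treat the
# sample as one whose core logic is probably not visible to DEX-level tooling.
NATIVE_HEAVY_THRESHOLD = 0.5


def _head(zf: zipfile.ZipFile, info: zipfile.ZipInfo, n: int = 4) -> bytes:
    """Read the first n bytes of an archive member without extracting it."""
    with zf.open(info) as f:
        return f.read(n)


def triage_apk(apk_bytes: bytes) -> Dict[str, object]:
    """Summarise where an APK's executable code lives.

    Returns byte counts for DEX and native code, the ABIs shipped, every
    ELF-magic file found outside lib/, and a native-heavy flag.
    """
    dex_bytes = 0
    native_bytes = 0
    native_libs: List[str] = []
    stray_elf: List[str] = []
    abis = set()

    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            head = _head(zf, info)
            if name.startswith("classes") and name.endswith(".dex") and head == DEX_MAGIC:
                dex_bytes += info.file_size
            elif name.startswith("lib/") and head == ELF_MAGIC:
                # lib/<abi>/<name>.so is where the Android package manager
                # expects native code; record the ABI and size.
                parts = name.split("/")
                if len(parts) >= 3:
                    abis.add(parts[1])
                native_libs.append(name)
                native_bytes += info.file_size
            elif head == ELF_MAGIC:
                # An ELF binary anywhere else (assets/, res/raw/, ...) is not
                # loaded by the platform itself; the app must load it by hand.
                stray_elf.append(name)

    total = dex_bytes + native_bytes
    native_ratio = native_bytes / total if total else 0.0
    return {
        "dex_bytes": dex_bytes,
        "native_bytes": native_bytes,
        "native_ratio": native_ratio,
        "native_heavy": native_ratio > NATIVE_HEAVY_THRESHOLD,
        "abis": sorted(abis),
        "native_libs": sorted(native_libs),
        "stray_elf": sorted(stray_elf),
    }


def build_sample_apk() -> bytes:
    """Build a constructed, minimal APK-like zip for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"\x00" * 96)            # 100 bytes of DEX
        zf.writestr("lib/arm64-v8a/libcore.so", ELF_MAGIC + b"\x00" * 296)  # 300 bytes native
        zf.writestr("assets/libhidden.so", ELF_MAGIC + b"\x00" * 12)     # ELF outside lib/
        zf.writestr("assets/config.bin", b"x" * 10)                      # not code
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real sample you would pass the APK's bytes read from disk; the `stray_elf` list is the field to look at first, since native code that the platform does not load itself usually points at a custom loader or packer, and a high `native_ratio` tells you that DEX-focused decompilation alone will not reveal the core logic.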

This technical sophistication provides a clear footprint of the Threat Actors (TAs). Linguistic clues within the malware's code and intelligence gathered from the Command and Control (C2) infrastructure point decisively to a Turkish-speaking origin. This assessment is corroborated by operational notes left by the attackers themselves, revealing a cohesive and disciplined group managing the entire attack lifecycle, from development to monetization. Klopatra marks a significant step in the professionalization of mobile malware, demonstrating a clear trend of TAs adopting commercial-grade protections to maximize the lifespan and profitability of their operations.

Edward Kiledjian @ekiledjian