carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What it is
Klopatra is a new Android banking trojan/RAT disclosed by Cleafy on September 30, 2025. It couples commercial code protection (Virbox) with extensive native libraries to evade analysis, and executes fraud via Hidden VNC (HVNC) and dynamic HTML overlays. Cleafy observed two main botnets and >3,000 compromised devices, primarily in Spain and Italy.

Infection chain
1) Dropper lure: A sideloaded IPTV app named “Mobdro Pro IP TV + VPN” acts as the firs...

🔧 Technical Details

Social-engineering dropper → silent stage install
Abuse a sideloaded lure (e.g., IPTV) to obtain REQUEST_INSTALL_PACKAGES, hide the second stage inside a JSON-packed resource, then programmatically extract and install the payload once permission is granted.

Accessibility as a full-control substrate
Request Accessibility Services to read UI text, capture keystrokes/gestures, and synthesize clicks/swipes. Use it to auto-approve dialogs, navigate settings, toggle the malware’s own Accessibility state, and operate any app with the victim’s privileges.

HVNC black-screen takeover
Start HVNC (start_hvnc), then render a black overlay with action_blackscreen by setting screenBrightness = 0.0f and drawing R.drawable.blsc. Operators perform banking actions invisibly while the user sees a blank screen.

Dynamic overlay credential theft
Detect targeted apps; fetch server-...

🤖 Agent Actions

I analyzed the blog and updated HackTricks accordingly.

What I added

  • Updated existing page: src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
  • New consolidated section added before the References:
    • Android Accessibility abuse & HVNC black-screen overlays
      • How attackers dim screen to 0.0f and draw a black overlay using TYPE_ACCESSIBILITY_OVERLAY to hide HVNC ops
      • Minimal code to implement brightness dimming + black overlay
      • Hunting ideas for stealth HVNC activity
      • Cross-link to Accessibility abuse page
    • Dynamic WebView credential injections
      • Overlay WebView loading C2-supplied HTML to phish credentials
      • Minimal code to load HTML with loadDataWithBaseURL
      • Cross-link to WebView attacks page
    • Dropper-based stage install (REQUEST_INSTALL_PACKAGES)
      • Coercing unknown sources, embedded payload install via PackageInstaller
      • Minimal code to check/install from assets
    • Persistence via battery optimization and self-permission toggling
      • Using ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
      • Accessibility-driven self-toggling and hindering uninstall flows
      • Minimal code for battery optimization whitelisting
    • Anti-analysis with commercial protectors + native .so heavy logic
      • Virbox-style virtualization/anti-debug/emulator checks, string encryption, native-heavy logic
      • Practical reversing tips (hooking loadLibrary/dlopen/RegisterNatives, neutering ptrace, using Frida 16 import-slot rebinding or SoTap)
      • Cross-links to reversing-native-libraries and anti-instrumentation pages
    • Operator command surface (expandable)
      • Included representative commands from the post (start_hvnc, action_blackscreen, open_enj, paketleri_al, pil_opt, izin_switch, etc.)
    • Nocturnal HVNC fraud playbook
      • Battery/interactive checks → black-screen → unlock → execute transfers
    • Infrastructure hunting note
      • Deanonymization via historical DNS/origin linkage even behind Cloudflare

References

  • Appended:
    • Cleafy’s Klopatra report URL
    • Android docs for ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and REQUEST_INSTALL_PACKAGES
  • Preserved existing references and banner include

Why this location

  • The Mobile Phishing & Malicious App Distribution page already aggregates Android mobile phishing and banker tradecraft (droppers, overlays, FCM, WebView abuses). Klopatra’s techniques align directly with this content and add depth on HVNC overlays, dynamic injections, droppers, persistence, and anti-analysis—so I enhanced this page instead of creating a new one.

No other changes were necessary because:

  • Accessibility abuse and WebView attack fundamentals already exist in dedicated pages; I cross-referenced them rather than duplicating content.
  • Binary/native reversing and anti-instrumentation are covered in android-app-pentesting; I linked those for deeper technical workflows.

PR-impacted files

  • Modified: src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md

If you want me to additionally add blue-team rules or YARA-like heuristics specifically for HVNC black-screen detection or Virbox artifact hunting, I can extend the detection ideas section further.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 896
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
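The PR text above lists the capability stack that makes the Klopatra chain work (REQUEST_INSTALL_PACKAGES on the dropper, an accessibility service, an overlay window, the battery-optimization opt-out, a JSON-packed second stage and native-heavy libraries). The script below is an added triage example, not code from the PR, from the HackTricks page or from Cleafy's report; it statically scores an APK for exactly that stack. It assumes the manifest is supplied as the text printed by `aapt dump xmltree <apk> AndroidManifest.xml` and that the APK is read as a plain zip; the manifest excerpt, the `com.example.iptv` package name, the sample APK and the verdict threshold are all constructed for the demo.

```python
"""Static triage for Klopatra-style dropper/banker traits (added example).

Inputs: the `aapt dump xmltree <apk> AndroidManifest.xml` text and the APK
bytes. The manifest sample and the APK built below are constructed.
"""
import base64
import io
import json
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # raw zip/APK hidden inside an asset
ZIP_MAGIC_B64 = b"UEsDB"    # the same four bytes once base64-encoded in JSON

# Stage -> uses-permission the PR description ties to it.
STAGE_PERMISSIONS = {
    "dropper": "android.permission.REQUEST_INSTALL_PACKAGES",
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",
    "persistence": "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}
# An accessibility service is a <service> guarded by this bind permission,
# not a uses-permission, so it is matched on the service element instead.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

_ELEM = re.compile(r"^\s*E:\s*(\S+)")
_ATTR = re.compile(r'^\s*A:\s*android:(name|permission)\(0x[0-9a-fA-F]+\)="([^"]*)"')


def parse_xmltree(text):
    """Return (uses_permissions, service_bind_permissions) from xmltree output."""
    uses, service_perms = set(), set()
    current = None  # element the following A: lines belong to
    for line in text.splitlines():
        elem = _ELEM.match(line)
        if elem:
            current = elem.group(1)
            continue
        attr = _ATTR.match(line)
        if not attr:
            continue
        key, value = attr.groups()
        if current == "uses-permission" and key == "name":
            uses.add(value)
        elif current == "service" and key == "permission":
            service_perms.add(value)
    return uses, service_perms


def triage_apk(apk_bytes, xmltree_text, so_threshold=3):
    """Score the capability stack: dropper/overlay/persistence permissions,
    an accessibility service, an asset embedding a zip, a native-heavy lib/."""
    uses, service_perms = parse_xmltree(xmltree_text)
    findings = {stage: perm in uses for stage, perm in STAGE_PERMISSIONS.items()}
    findings["accessibility"] = ACCESSIBILITY_BIND in service_perms
    findings["native_libs"] = 0
    findings["embedded_zip_assets"] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"] += 1
            elif name.startswith("assets/") and not name.endswith("/"):
                data = apk.read(name)
                if ZIP_MAGIC in data or ZIP_MAGIC_B64 in data:
                    findings["embedded_zip_assets"].append(name)
    score = sum(findings[k] for k in ("dropper", "overlay", "persistence", "accessibility"))
    score += bool(findings["embedded_zip_assets"])
    score += findings["native_libs"] >= so_threshold
    findings["score"] = score
    findings["verdict"] = "banker-like" if score >= 4 else "low"  # demo threshold
    return findings


def build_sample_apk(malicious=True):
    """Constructed stand-in APK; the malicious variant adds stub .so files and a
    JSON asset whose "data" field is a base64-encoded inner zip (second stage)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # AXML placeholder
        apk.writestr("classes.dex", b"dex\n035\x00")
        if malicious:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as stage2:
                stage2.writestr("classes.dex", b"dex\n035\x00")
            packed = {"v": 1, "data": base64.b64encode(inner.getvalue()).decode()}
            apk.writestr("assets/config.json", json.dumps(packed))
            for abi in ("arm64-v8a", "armeabi-v7a"):
                for lib in ("libnative.so", "libvm.so"):
                    apk.writestr(f"lib/{abi}/{lib}", b"\x7fELF")
    return buf.getvalue()


# Constructed xmltree excerpts (package name is made up for the demo).
MALICIOUS_XMLTREE = """N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    A: package="com.example.iptv" (Raw: "com.example.iptv")
    E: uses-permission (line=5)
      A: android:name(0x01010003)="android.permission.INTERNET"
    E: uses-permission (line=6)
      A: android:name(0x01010003)="android.permission.REQUEST_INSTALL_PACKAGES"
    E: uses-permission (line=7)
      A: android:name(0x01010003)="android.permission.SYSTEM_ALERT_WINDOW"
    E: uses-permission (line=8)
      A: android:name(0x01010003)="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
    E: application (line=10)
      E: service (line=12)
        A: android:name(0x01010003)="com.example.iptv.AccService"
        A: android:permission(0x01010006)="android.permission.BIND_ACCESSIBILITY_SERVICE"
"""
BENIGN_XMLTREE = """N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    E: uses-permission (line=5)
      A: android:name(0x01010003)="android.permission.INTERNET"
"""

if __name__ == "__main__":
    print(triage_apk(build_sample_apk(), MALICIOUS_XMLTREE))
    print(triage_apk(build_sample_apk(malicious=False), BENIGN_XMLTREE))
```

Against a real sample run `aapt dump xmltree app.apk AndroidManifest.xml > manifest.txt` and pass the two files to `triage_apk`. One caveat when reading the result: a black overlay drawn from an accessibility service with TYPE_ACCESSIBILITY_OVERLAY does not need SYSTEM_ALERT_WINDOW, so a missing "overlay" hit does not rule out the HVNC black-screen technique; the "accessibility" finding is the one that matters for that.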

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.cleafy.com/cleafy-labs/klopatra-exposing-a-new-android-banking-trojan-operation-with-roots-in-turkey

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology -> Mobile Phishing Malicious Apps (add subsections: Android Accessibility abuse & HVNC overlays, Dynamic WebView credential injections, Dropper-based silent installs, Persistence via battery optimization and self-permission toggling, Anti-analysis with Virbox/native .so)".

Repository Maintenance:

  • MD Files Formatting: 896 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
