Fake VPN and streaming app infects thousands of Android devices, drains bank accounts

Mobdro Pro IP TV + VPN harbours a malicious banking trojan

Cybersecurity researchers are urgently warning Android users to delete a fake VPN and streaming app that is silently stealing banking credentials and draining victims' accounts.

The details of the malicious app, Mobdro Pro IP TV + VPN, were recently published by analysts at the Italian cybersecurity firm Cleafy.

At first glance, Mobdro Pro IP TV + VPN appears to be a harmless tool, offering users free access to high-quality IPTV channels combined with a virtual private network.

However, Cleafy's investigation has found the app to be anything but legitimate. It functions as a sideloaded installer for Klopatra – a new and highly sophisticated Android banking trojan and remote-access tool (RAT) with no known links to existing malware families.

The researchers first identified Klopatra in late August 2025 during an analysis of a wave of attacks targeting European mobile users.

According to Cleafy’s report, the malware is currently being deployed through two active botnets, primarily targeting users in Spain and Italy, with nearly 3,000 confirmed infections and counting.

Klopatra's capabilities are extensive and dangerous. Once installed, it gives cybercriminals complete remote control over the victim's device.

The attackers can read messages, steal sensitive login credentials and perform fraudulent transactions directly from the victim's phone.

What makes Klopatra particularly effective is its multi-stage infection chain, which relies heavily on social engineering to trick victims into granting permissions that effectively hand over control of the device.

After installation, the app prompts users to grant Android Accessibility Services permissions – a legitimate feature intended to help users with disabilities, but one that, in the wrong hands, can be weaponised.

"Once the main Klopatra payload is installed, the real threat manifests," Cleafy warned in its report.

"The malware immediately requests a wide range of permissions, but one is crucial for its success: the Android Accessibility Services permission."

By abusing these permissions, Klopatra can read on-screen content, input actions, and even navigate banking apps autonomously, allowing it to execute fraudulent transfers while users remain unaware.

The infection campaign exploits a long-standing trend among Android users: sideloading apps from unofficial sources to access pirated or "premium" content for free.

The Mobdro Pro IP TV + VPN app poses as a free streaming platform bundled with a VPN service, a combination that appeals to users looking to bypass geo-blocks or stream restricted channels.

However, this convenience comes at a steep cost. Because the app is distributed outside the Google Play Store, it bypasses Google's built-in security vetting, leaving users exposed to serious risks.

Legitimate VPNs posing hidden risks

While Klopatra represents an extreme case of a fake VPN used as malware bait, experts warn that even genuine VPN apps on the Google Play Store can carry significant privacy and security risks.

A recent VPN Transparency Report 2025 by the Open Technology Fund uncovered major deficiencies in several of the world's most-downloaded VPNs.

The study analysed 32 commercial VPN providers and found that several popular services, including TurboVPN, VPN Proxy Master, XY VPN, and 3X VPN - Smooth Browsing, were flagged as "concerning."

Each of these apps has been downloaded more than 100 million times from Google Play.

Researchers found that some of these VPNs misrepresent their security protocols, relying on Shadowsocks, a tunnelling technology not designed for confidentiality, while falsely claiming to provide robust encryption.

The report stresses that users must research who owns and operates their VPN provider, understand the underlying technology, and read the privacy policy carefully before installation.