
Cyber security researchers have issued an urgent warning for users to uninstall a popular VPN and piracy app that is capable of emptying online bank accounts.
A report from fraud detection firm Cleafy revealed that more than 3,000 devices in Europe have already been compromised by the Android malware.
The attack involves a fake app masquerading as a popular piracy application called Mobdro Pro IP TV + VPN, which promises to offer users free access to TV shows, films and sports events, as well as a virtual private network (VPN).
The app contains a highly-sophisticated piece of malware called Klopatra that aims to gain complete remote control of a device.
Once the app has been installed, it encourages users to grant permissions that will allow it to carry out the attack.
“To achieve this, the app presents a simple user interface with a button inviting users to ‘continue with the installation’,” the researchers noted in the report.
“Tapping this button redirects the user to Android’s system settings and instructs them to grant them permission.”
Granting permission through Android Accessibility Services, which are designed to assist users with disabilities, allows the app to read screen content and even perform actions on behalf of the user.
The researchers describe this attack pathway as “the cornerstone of modern banking malware fraud”, making it possible for cyber criminals to operate the device with the same level of authority as the legitimate user.
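Because Accessibility Services grant an app the ability to read the screen and act as the user, a defender's first check on a suspect device is simply which services are enabled. The script below is an added example written for this page, not code from Cleafy's report or the article; it assumes the colon-separated `package/ServiceClass` format that `adb shell settings get secure enabled_accessibility_services` prints on Android, and the allowlist, the `--device` flag and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Audit helper (added example): flag enabled Android accessibility services
# whose package is not on an expected allowlist.
#
# Input format assumed: the value printed by
#   adb shell settings get secure enabled_accessibility_services
# i.e. "pkg.a/pkg.a.Service:pkg.b/pkg.b.Service"; an empty value or the
# literal "null" means no accessibility service is enabled.

# Packages the device owner expects to hold accessibility access.
# Constructed allowlist: TalkBack is Google's real screen reader package,
# the second entry is a hypothetical corporate tool.
ALLOWLIST="com.google.android.marvin.talkback com.example.corp.screenreader"

# audit_accessibility_services VALUE
# Prints one line per enabled service that is not on the allowlist.
# Returns 0 when every enabled service is expected, 1 otherwise.
audit_accessibility_services() {
    enabled=$1
    unexpected=0
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    # Entries are separated by ':'; package names never contain whitespace,
    # so replacing ':' with a space gives the shell safe word-splitting.
    for entry in $(printf '%s' "$enabled" | tr ':' ' '); do
        pkg=${entry%%/*}          # part before the first '/'
        allowed=0
        for a in $ALLOWLIST; do
            if [ "$pkg" = "$a" ]; then
                allowed=1
                break
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "UNEXPECTED accessibility service: $entry"
            unexpected=$((unexpected + 1))
        fi
    done
    [ "$unexpected" -eq 0 ]
}

# Run against a connected device when invoked as "audit.sh --device";
# otherwise demonstrate on a constructed sample value.
if [ "${1:-}" = "--device" ] && command -v adb >/dev/null 2>&1; then
    VALUE=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    # Constructed sample: TalkBack plus a made-up package posing as a TV app.
    VALUE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:tv.example.fakeiptv/tv.example.fakeiptv.AccService"
fi
audit_accessibility_services "$VALUE" || echo "Review the entries above; revoke access under Settings > Accessibility."
```

The script only reports; revoking a service (and uninstalling the app that registered it) is done through the device's own Accessibility settings, which is also where a user who was walked through the "continue with the installation" prompt will find the app listed.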
Clues within the malware’s code suggest that it originates from Turkey, according to Cleafy, with a Turkish-speaking group suspected of managing the entire operation, from code development to victim monetisation.
The success of the operation – the fraud management firm estimates there have been around 1,000 victims – means other cyber gangs may attempt to set up their own versions of the fake app.
“It is likely that other criminal groups will follow suit, making detection and analysis increasingly complex and resource-intensive,” Cleafy concluded.
“For the threat intelligence community, continuous monitoring of this group and its infrastructure will be essential to anticipate their next moves and protect users from this evolving threat.”