
A popular VPN app could be secretly draining your bank account, security experts warn.
VPN apps are usually essential for keeping your internet activity and personal data secure. But one app circulating right now has more malicious intentions.
Now, cybersecurity experts are urgently warning users to uninstall a dangerous fake VPN app immediately, as it's capable of draining bank accounts.
Already, over 3,000 devices across Europe have been infected by this Android malware, as per a report from fraud detection company Cleafy.
The scam works through a fake app that pretends to be a popular piracy application called Mobdro Pro IPTV + VPN. It promises users free access to TV shows, movies, and live sports, along with VPN protection.

However, in reality, it installs Klopatra, an Android banking trojan that bypasses the Google Play Store and takes complete remote control of your device.
After you install it, the app tricks you into granting permissions that enable the attack.
“To achieve this, the app presents a simple user interface with a button inviting users to ‘continue with the installation’,” the researchers explained in their report. “Tapping this button redirects the user to Android’s system settings and instructs them to grant them permission.”
By getting you to grant access through Android Accessibility Services, features normally intended to help users with disabilities, the app gains the ability to read everything on your screen and even perform actions as if it were you.
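For readers who want to check a device, the following is an added example (not from Cleafy's report) that lists apps holding an enabled accessibility service that were not installed by Google Play. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the sample data and the package name `com.example.iptvplayer` are constructed, and trusting only the Play Store installer is an assumption.

```python
# Added example: the sample strings below are constructed, not taken from a real device.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.iptvplayer/com.example.iptvplayer.HelperService"
)
# Constructed output of: adb shell pm list packages -i
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_accessibility(setting):
    """Return the package names in the colon-separated ComponentName list."""
    pkgs = set()
    for comp in setting.strip().split(":"):
        if comp and comp != "null":  # the setting reads "null" when nothing is enabled
            pkgs.add(comp.split("/", 1)[0])
    return pkgs

def parse_installers(pm_output):
    """Map package name -> installer package from `pm list packages -i` lines."""
    result = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        installer = "null"
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field[len("installer="):]
        result[fields[0]] = installer
    return result

def flag_sideloaded_accessibility(setting, pm_output):
    """List (package, installer) pairs with accessibility enabled and no trusted installer."""
    installers = parse_installers(pm_output)
    return [(pkg, installers.get(pkg, "unknown"))
            for pkg in sorted(parse_accessibility(setting))
            if installers.get(pkg, "unknown") not in TRUSTED_INSTALLERS]

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {pkg} (installer={installer}) has an accessibility service enabled")
```

Preinstalled system apps can also report `installer=null`, so treat the results as a list to review rather than a verdict.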
According to the research team: “Klopatra’s effectiveness lies in a carefully orchestrated infection chain, which begins with social engineering and culminates in the complete takeover of the victim’s device. Each stage is designed to overcome the defences of the user and the Android operating system.”

The researchers describe this attack pathway as 'the cornerstone of modern banking malware fraud,' giving cybercriminals the same level of control over your device as you have. This means they can access your banking apps, read your passwords and transfer money without you knowing.
Evidence within the malware's code points to Turkey as its origin, Cleafy noted. Meanwhile, a Turkish-speaking group is suspected of running the entire operation, from developing the code to profiting from victims.
The scam has also been disturbingly successful. Cleafy estimates there have been around 1,000 victims so far, which means other criminal groups will likely try to copy the approach.
“It is likely that other criminal groups will follow suit, making detection and analysis increasingly complex and resource-intensive,” Cleafy concluded. “For the threat intelligence community, continuous monitoring of this group and its infrastructure will be essential to anticipate their next moves and protect users from this evolving threat.”