Free VPN warning: Thousands of Android phones mistakenly install money-stealing malware, are YOU impacted?

Thousands of Android phone owners have mistakenly downloaded the new strain of malware, known as Klopatra, which was created back in March and has been rewritten numerous times since then to siphon money from your banking apps and cryptocurrency wallet
Fraudulent app promised free VPN and IPTV streaming, researchers reveal
- Klopatra is a nasty new strain of malware for Android phones
- Criminals have already tricked thousands into downloading it
- Android users installed an app promising free VPN access
- It also promised IPTV streaming for free, security experts said
- The best VPNs have exploded in popularity in the UK in recent weeks
- Some suppliers saw downloads increase over 1000%
- Experts have always cautioned against using free VPNs
If you're one of the millions of Britons who recently downloaded a Virtual Private Network (VPN) to your device, you might want to triple-check where it's from. Security experts have issued an urgent warning about a popular VPN app that was used as a Trojan Horse to sneak a nasty strain of malware onto Android phones worldwide.
Researchers from Cleafy, a security firm that specialises in preventing online fraud, discovered the malware, known as Klopatra. Once installed, the malware is designed to steal your money.
This isn't just a dodgy app – it's a "highly sophisticated" criminal operation.
Klopatra can raid your banking apps, empty cryptocurrency wallets, and even control your phone when the screen is switched off. According to Cleafy, more than 3,000 devices across mainland Europe have already fallen victim to this scam, and the numbers are growing.
Modpro IP TV + VPN is a free app that claims to offer complimentary access to a Virtual Private Network (VPN) and IPTV streaming, but was actually just a means to deliver the custom-built Klopatra malware to Android devices.
This isn't a new phenomenon. Security experts have previously warned GB News readers against using free VPNs. That's because if a VPN provider isn't charging you to access its functionality, it's likely monetising you and your data to cover its costs. Better to subscribe to one of the best VPN deals and know your data is safe.
For those who inadvertently downloaded this new malware strain when trying to unlock a free VPN, the fallout is extremely serious. Experts say Klopatra doesn't resemble anything that’s already out there, meaning this tool was likely built from scratch for this exact purpose.
The cybercriminals behind Klopatra aren't just targeting people who want to download VPNs on Android; they've also disguised the nasty malware strain as fraudulent IPTV apps.
That means people simply looking to stream blockbuster films, terrestrial channels, and television boxsets could also find themselves fighting off this malware that allows criminals to "gain complete control over infected devices, steal sensitive credentials, and execute fraudulent transactions". Yikes.
It's a clever trick, really. Both VPNs and IPTV apps are incredibly popular, and people often search for them online. The hackers know this, so they've created fake versions of both types of apps to cast a wider net.
If you've recently downloaded what you thought was a VPN or IPTV app from somewhere other than the official Google Play Store, you could be at risk.
The malware spreads through a fake app called Modpro IP TV + VPN. Once you've installed it, the app asks for something called Accessibility Services permissions - and that's when the trouble really starts.
If you grant these permissions, you're basically handing over the keys to your phone. The hackers can tap buttons for you, read everything on your screen, steal your passwords, and control your apps without you knowing.
It's like having an invisible person looking over your shoulder who can also reach out and use your phone whenever they fancy. They can log into your accounts, transfer money, and you won't even realise it's happening.
What makes Klopatra particularly dangerous is how it hides from the security experts desperately trying to stop it. The malware relies on something called Virbox — normally used to protect legitimate software — to prevent researchers from taking it apart and understanding how it works.
It's got all sorts of clever tricks up its sleeve. The malware can tell when it's being studied in a lab environment and will shut itself down. It also has built-in defences against debugging tools that experts use to analyse threats. Perhaps most unsettling is its "black-screen VNC mode", which lets criminals use your phone while making it look like the screen is off and locked.
The malware only surfaced for the first time back in March, but since then, it has undergone 40 iterations, indicating that the group is actively working on and developing the malware. Security researchers believe it's the work of a Turkish cybercriminal, who built the entire thing from scratch.
Klopatra leverages something known as Virbox to block security researchers from studying the dangerous new strain of malware
Discussing the devastating new malware, Head of Security at Proton VPN, Patricia Egger, told GB News: "The discovery of Klopatra highlights that mobile malware keeps evolving and just how dangerous fake apps can be.
"An unethical VPN is one of the most effective data harvesting tools imaginable, with visibility into almost everything a person does online. So, it’s not surprising that attackers are exploiting the trust users place in VPNs to do extensive damage. The best defence is vigilance.
"Ensure you download a VPN from a trusted source and always verify the permissions that apps are requesting. When choosing a VPN, look closely at their ownership and security practices, which can include bug bounty programs, being open-source, or publishing independent security audits."
The good news is that Klopatra only spreads through dodgy websites, not the official Google Play Store. If you stick to downloading apps from Google's official shop, you should be safe. But if you've side-loaded any VPN or IPTV apps recently, especially one called Modpro IP TV + VPN, delete it immediately.
Your bank account might depend on it.
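The two conditions the article ties to infection, an app installed from outside Google Play that also holds Accessibility Services access, can be checked on a phone over adb. The script below is an added example, not from Cleafy or the original article; the package names and sample outputs are constructed, and running it with --device assumes adb is installed and USB debugging is enabled.

```python
import subprocess
import sys

PLAY_STORE = "com.android.vending"  # installer recorded for Google Play installs

# Constructed sample outputs (package names are made up for illustration).
SAMPLE_ACC = "com.example.passwords/.FillService:com.example.freetv/.HelperService"
SAMPLE_PM = """package:com.example.passwords  installer=com.android.vending
package:com.example.freetv  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

def parse_accessibility(raw):
    """Packages owning an enabled accessibility service, from the colon-separated
    'package/ServiceClass' list in `settings get secure enabled_accessibility_services`."""
    raw = raw.strip()
    if raw in ("", "null"):
        return set()
    return {item.split("/", 1)[0] for item in raw.split(":") if item}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -3 -i` (third-party apps only)."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        source = [f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")]
        installers[fields[0][len("package:"):]] = source[0] if source else "null"
    return installers

def risky_packages(acc_raw, pm_raw):
    """Third-party apps holding an accessibility service that did not come from Google Play.
    Preinstalled services are absent from the -3 listing and are skipped."""
    installers = parse_installers(pm_raw)
    return sorted(p for p in parse_accessibility(acc_raw)
                  if p in installers and installers[p] != PLAY_STORE)

def adb_shell(*args):
    """Run a command on the attached device; needs adb and USB debugging."""
    done = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    acc, pm = SAMPLE_ACC, SAMPLE_PM
    if "--device" in sys.argv:
        acc = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        pm = adb_shell("pm", "list", "packages", "-3", "-i")
    for pkg in risky_packages(acc, pm):
        print("review and consider uninstalling:", pkg)
```

A non-Play installer on an app with accessibility access is a prompt to review that app, not proof of infection.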