A new report warns that cybercriminals are capitalizing on the global spike in VPN usage — and the Klopatra malware operation is leading the charge.
Cybersecurity firm Cleafy has identified Klopatra as a fast-growing threat infecting personal devices by disguising itself as a free VPN app called Mobdro Pro IP + VPN. This discovery reinforces earlier alerts issued by Kaspersky in 2024 about the rising number of malicious apps pretending to be free VPN services — a risk made even more urgent as VPN adoption surges in response to new age-restriction and online content laws.
The “Mobdro” name is familiar to many users as a popular IPTV app that has been previously shut down by Spanish authorities. Yet the current Mobdro Pro IP + VPN variant is unrelated to the original software, instead hijacking the brand recognition to lure unsuspecting victims. Once installed, the app guides users through a fake setup process that covertly grants hackers full control of the device. Klopatra exploits Android accessibility services to mimic user actions, infiltrate banking apps, steal funds, and silently add devices to its botnet for future attacks.
Cleafy estimates that Klopatra has already compromised around 3,000 devices, primarily in Italy and Spain. Investigators believe the operation is run by a group based in Turkey, noting that its techniques are evolving — including the strategic blending of “cord-cutting” and “free VPN” functionality to prey on frustrations with fragmented streaming services and growing government restrictions.
Kaspersky has documented several other fake VPN apps in the past year that served as malware delivery systems, including MaskVPN, PaladinVPN, ShineVPN, ShieldVPN, DewVPN, and ProxyGate. Given Klopatra’s rapid spread, Cleafy warns that copycat malware families are likely to follow.
While app stores sometimes act slowly to remove infected or fraudulent apps, users can protect themselves by thoroughly vetting any free VPN before downloading. When in doubt, choose a vetted, reputable free service such as Proton VPN or hide.me — both of which have been tested and recommended by cybersecurity experts.
