Cybersecurity firm Cleafy just issued a report warning against a rising malware called Klopatra, which infects personal devices by posing as a free VPN app called Mobdro Pro IP + VPN. This is the latest corroboration of a series of warnings delivered by Kaspersky security researchers in 2024 about the increasing number of malware apps pretending to be free VPNs — a warning that’s more relevant than ever as VPN usage spikes in response to age-restriction laws.

Mobdro is the name of a popular IPTV app that’s been taken down by the Spanish government at least once, but the Mobdro Pro IP + VPN app appears to be unrelated, piggybacking on the name to use it as a malware vector. If you download the app, it guides you through what appears to be an installation wizard, but is actually the steps for handing over total control of your device. Once inside, Klopatra abuses accessibility services to pose as you, enter your banking apps, drain your accounts and assimilate your device into the botnet for further attacks.

Cleafy believes that Klopatra has already roped around 3,000 devices into its botnet, mainly in Italy and Spain. Its report concludes that the group behind Klopatra is probably based in Turkey, and is actively refining its approach, incorporating innovations and changing with the times. Hence the use of a combined cord-cutting and free VPN app as a mask — it’s perfect for exploiting rising frustrations with both streaming balkanization and government clampdowns on web freedom.

According to Kaspersky, other free VPNs used as malware vectors in the past year include MaskVPN, PaladinVPN, ShineVPN, ShieldVPN, DewVPN and ProxyGate. With Klopatra’s runaway success, Cleafy believes that imitators will spring up. App stores aren’t always quick to take down implicated apps, so be very careful to vet any free VPN app before you download it. If you’re not sure, you can always go with one of the free recommendations from our best VPN list (Proton VPN or hide.me).