UK cybersecurity experts have issued an urgent warning to Android users to delete a popular VPN app called Modpro IP TV + VPN after it was found to secretly spy on screens and drain users’ bank accounts.
Researchers at Cleafy, a cybersecurity firm, discovered that the app is infected with Klopatra, a dangerous strain of malware capable of hijacking devices, stealing passwords, and carrying out financial fraud.
According to Cleafy’s findings, around 3,000 Android devices have already been compromised. The malware disguises itself as a legitimate VPN tool, luring users with promises of secure browsing and access to streaming services. Once installed, it silently gains control over the device and begins transmitting sensitive information to remote servers.
How the Klopatra Malware Takes Control
The infection begins when users grant permissions requested by the malicious app. The most critical of these is the Android Accessibility Services permission — a system-level function originally designed to assist users with disabilities by allowing apps to read screen content and perform actions such as tapping or scrolling.
Cybersecurity experts warn that once malware obtains this level of access, it can effectively control the device as if it were the user. This enables attackers to open apps, read messages, and even initiate unauthorized bank transactions in real time.
Once the Klopatra payload is activated, the malware operates quietly in the background, monitoring on-screen activity and collecting login credentials for financial apps and digital wallets. It can also intercept text messages, including those containing one-time passwords, allowing hackers to bypass two-factor authentication.
Thousands of Users at Risk
So far, about 3,000 infections have been confirmed, but experts believe the actual number of compromised devices could be much higher.
Cleafy’s investigation revealed that Modpro IP TV + VPN was being distributed through unofficial app stores and deceptive online advertisements. Some victims reportedly downloaded the app after seeing pop-up promotions offering “free premium access” to streaming platforms.
Security professionals are urging users who may have installed the app to remove it immediately, run a comprehensive antivirus scan, and reset their banking and email passwords from a secure device. Those who suspect unauthorized account activity are also advised to contact their financial institutions without delay.
A Broader Problem in the VPN Market
The discovery of Klopatra comes amid growing concern over the safety of popular VPN apps. A recent study highlighted that 16 widely used VPN services were categorized as “highly problematic” due to serious privacy flaws, misleading marketing claims, and a lack of transparency about their true ownership.
According to researchers, a handful of companies secretly control a large portion of the VPN market through white-label networks, meaning several VPN brands are owned and operated by the same entities. This structure allows companies to rebrand the same software under different names, often hiding their origins from consumers.
High-Risk VPNs Identified
The study identified eight major providers behind 16 VPN apps that together account for more than 700 million downloads on the Google Play Store. These apps were found to share servers, encryption protocols, and even user data handling systems — creating overlapping vulnerabilities.
Some of the most concerning apps include:
- Turbo VPN
- VPN Proxy Master
- XY VPN
- 3X VPN – Smooth Browsing
Each of these applications has been downloaded over 100 million times, suggesting that potentially millions of users could be exposed to similar privacy and security risks.
Weak Encryption and Hidden Ownership Raise Alarms
Investigators also found that these VPNs rely on the Shadowsocks tunneling protocol, a method originally developed to bypass internet censorship but not designed to offer full data confidentiality. Because of its weak encryption standards, Shadowsocks connections may be susceptible to data interception or surveillance.
Adding to the concern, many of these VPNs do not clearly disclose their parent companies or operational jurisdictions. Some are registered in regions known for limited privacy protections, making it difficult to determine how user data is stored or shared.
Experts emphasize that the lack of transparency leaves consumers vulnerable to misuse of their personal information — particularly when VPN providers collect browsing histories, IP addresses, and device identifiers.
Experts Urge Users to Be Cautious
Cybersecurity professionals are urging users to exercise greater caution when selecting VPNs, stressing that not all privacy tools are equally secure. Many free or lesser-known VPNs have been found to include hidden tracking mechanisms, excessive permissions, or insecure network configurations.
Users are advised to choose VPNs that have undergone independent security audits, publish clear privacy policies, and are transparent about ownership. Paid VPN services from reputable companies tend to offer stronger encryption, reliable customer support, and verified no-log policies.
Steps to Stay Protected
To minimize the risk of infection or data theft, experts recommend the following measures:
- Uninstall Modpro IP TV + VPN and any unverified VPN apps immediately.
- Run a malware scan using trusted security software such as Malwarebytes, Norton Mobile Security, or Bitdefender.
- Update all device software to ensure the latest security patches are installed.
- Change banking and email passwords, and enable two-factor authentication wherever possible.
- Download apps only from official sources, such as the Google Play Store, and avoid pop-up ads offering “free VPNs” or “premium streaming tools.”
