A new Android spyware, named ClayRat, is spreading rapidly among Russian users by posing as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube. Security researchers warn that the malware can steal messages, call logs, and notifications, take photos, and even place calls, all while staying hidden from the user. The campaign is expanding quickly, with hundreds of samples discovered over the past three months.
ClayRat Campaign Tricks Users with Fake Apps
The ClayRat campaign relies on sophisticated phishing tactics to lure victims. Attackers create websites and Telegram channels that look legitimate, mimicking official service pages. These portals host or redirect users to Android package files (APKs) that contain the spyware.
To make the fake sites convincing, threat actors inflate download numbers, add fake comments, and design a Play Store-like experience. Users are guided with step-by-step instructions to sideload the APKs, bypassing Android’s built-in security warnings.
Researchers at mobile security firm Zimperium documented more than 600 ClayRat samples and 50 distinct droppers over three months, highlighting a well-organized effort to spread the spyware.
Hidden Installation and Session-Based Method
Some ClayRat samples act as droppers, showing a fake Play Store update screen while hiding an encrypted payload within the app. The spyware uses a session-based installation method to bypass Android 13+ restrictions, reducing suspicion.
This method increases the likelihood that a simple webpage visit will result in the spyware being installed without alerting the user. Once installed, the malware can propagate further by sending SMS messages to contacts on the infected device, effectively turning victims into distributors.
Telegram Channels Amplify the Spread
Telegram channels play a central role in ClayRat’s distribution. These channels provide links to the droppers, often framing them as updates for popular apps. Once a device is infected, the malware can automatically spread to the victim’s contacts, multiplying the attack’s reach.
This approach allows attackers to bypass traditional app stores and security controls, making the spyware harder to detect and stop.
Spyware Capabilities and Commands
ClayRat spyware is highly versatile. It can assume the default SMS handler role on infected devices, which lets it intercept all incoming and stored messages before other apps see them. The malware also communicates with its command-and-control (C2) server using AES-GCM encryption.
ClayRat supports at least 12 commands, including:
- get_apps_list — collects a list of installed apps
- get_calls — sends call logs
- get_camera — takes front-camera photos
- get_sms_list — extracts SMS messages
- messsms — sends mass SMS messages to contacts
- send_sms / make_call — sends messages or places calls
- notifications / get_push_notifications — captures notifications
- get_device_info — gathers device details
- get_proxy_data — sets up proxy connections
- retransmishion — resends SMS to numbers received from C2
With granted permissions, ClayRat automatically harvests contacts and spreads itself, turning infected devices into powerful attack tools.
Industry Response and Protection
Zimperium shared ClayRat indicators of compromise with Google as part of the App Defense Alliance. Play Protect now blocks known and new variants, but experts caution that the campaign is massive and ongoing, with more than 600 samples discovered in just three months.
Experts recommend that users avoid downloading APKs from unofficial sources, scrutinize app permissions, and use security tools to detect threats. Awareness of phishing tactics, such as fake update screens, is critical in preventing infection.
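A defender-side triage check for the sideloading risk described above, added here as an example and not code from the article or from Zimperium: it parses the output of `adb shell pm list packages -i` and flags packages that carry one of the brand names ClayRat impersonates without being the genuine app, noting whether they were installed by anything other than an app store. The trusted-installer set, the genuine-package map and the sample output are assumptions constructed for the example.

```python
"""Flag installed packages that borrow a brand the article names but are not the
genuine app, from `adb shell pm list packages -i` output (one line per package,
`package:<name>  installer=<installer or null>`)."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
# Store installers treated as trusted (assumption; extend for other vendors).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Brand string -> genuine packages allowed to carry it (assumption).
GENUINE = {
    "whatsapp": {"com.whatsapp", "com.whatsapp.w4b"},
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "youtube": {"com.google.android.youtube", "com.google.android.apps.youtube.music"},
    "photos": {"com.google.android.apps.photos"},
}

@dataclass
class Finding:
    package: str
    installer: str
    brand: str
    sideloaded: bool  # installer is not a trusted store (null = preinstalled/adb)

def parse_pm_list(text):
    """Yield (package, installer) pairs; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Return a Finding for each package impersonating a listed brand."""
    findings = []
    for pkg, installer in parse_pm_list(text):
        for brand, genuine in GENUINE.items():
            if brand in pkg.lower() and pkg not in genuine:
                findings.append(Finding(pkg, installer, brand,
                                        installer not in TRUSTED_INSTALLERS))
                break
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:com.whatsapp.update  installer=com.android.chrome
package:com.google.android.youtube  installer=com.android.vending
package:org.tiktok.premium  installer=com.google.android.packageinstaller
package:com.android.settings  installer=null
"""
```

On a real device, feed the captured `pm list packages -i` text to `triage()`; a finding with `sideloaded=True` is the combination the article describes and is worth inspecting, while a finding installed from a store is only a naming coincidence to verify.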
Table: Key Malware Features

Feature | Function | Risk Level
---|---|---
SMS interception | Reads and modifies messages | High
Call logs | Sends call history to C2 | Medium
Camera access | Takes photos secretly | High
Contact harvesting | Spreads malware via SMS | High
Notifications | Captures incoming alerts | Medium
ClayRat demonstrates the growing sophistication of Android malware and highlights the risks of sideloading apps. By exploiting user trust in popular apps, attackers can infiltrate devices, steal data, and propagate infections on a large scale.
ClayRat’s rapid spread is a reminder that vigilance is essential in mobile security. Users should be cautious with app updates from unofficial sources, carefully check permissions, and monitor unusual device activity.