A new Android spyware named ClayRat is preying on potential victims by impersonating popular apps and services like WhatsApp, Google Photos, TikTok, and YouTube. The malware, primarily targeting Russian users, is spread through malicious websites and Telegram channels that appear legitimate. Once a device is infected, it can steal sensitive data, including SMS messages and call logs, record notifications, and even take pictures and make phone calls.
Mobile security researchers at Zimperium have documented over 600 samples and 50 different droppers in the past three months, a clear sign that the attackers are actively working to expand their operation. The ClayRat campaign, which gets its name from the malware’s command and control server, uses carefully designed phishing websites and registered domains that closely mimic legitimate service pages. These sites either host the malicious Android package files (APKs) directly or redirect visitors to Telegram channels where the files are provided to unsuspecting victims.
To make these sites seem more trustworthy, the threat actors have added fake comments, inflated download counts, and used a bogus Play Store-like user experience with step-by-step instructions on how to sideload the APKs and bypass Android’s security warnings. According to Zimperium, some of the ClayRat malware samples act as droppers, where the app the user sees is a fake Play Store update screen while an encrypted payload is hidden within the app’s assets.
The malware uses a “session-based” installation method to nest itself in the device. This technique helps it bypass Android 13 and newer restrictions and reduce user suspicion. Researchers say this method lowers the perceived risk and makes it more likely that a webpage visit will result in the spyware being installed. Once the malware is active, it can use the new host to spread to more victims by sending SMS messages to the infected device’s contact list.
Reference:
