ClayRat, a rapidly evolving Android spyware campaign, has surged in activity over the past three months, with zLabs researchers observing more than 600 unique samples and 50 distinct droppers.
Primarily targeting Russian users, the malware masquerades as popular applications such as WhatsApp, Google Photos, TikTok, and YouTube, luring victims into installing malicious APKs via deceptive Telegram channels and phishing websites.
Once installed, ClayRat exfiltrates SMS messages, call logs, notifications, and detailed device information; captures photos with the front-facing camera; and even sends SMS messages or places calls directly from the victim’s device, turning each infection into a potent surveillance and distribution hub.
The campaign relies on a sophisticated mix of social engineering and web-based deception to exploit user trust.
Attackers register lookalike domains—such as a fake GdeDPS landing page—to redirect visitors to Telegram channels where the malicious APK is hosted.

These channels are seeded with staged social proof, including fabricated positive comments, inflated download counts, and fake user testimonials, reducing suspicion and boosting installation rates.
In some cases, victims are guided through a session-style installation flow that mimics Android’s official update screens. Simple step-by-step instructions prompt users to enable installation from unknown sources, bypassing built-in security warnings.
Phishing sites impersonate legitimate services—like a “YouTube Plus” portal—hosting the spyware disguised as feature add-ons or updates.
Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) solutions have detected ClayRat from its earliest samples, leveraging on-device behavioral machine-learning models to identify anomalous activity before signature updates are released.
Droppers further obfuscate the true payload by presenting a fake Google Play update interface while loading an encrypted spyware module from within the app’s assets.
Propagation Techniques
ClayRat’s operators continuously harden the spyware to evade detection. Each new variant incorporates additional layers of obfuscation and packing, with one variant inserting the marker string “apezdolskynet” into Base64-encoded payloads, and another leveraging AES-GCM encryption for its command-and-control (C2) communications.


To bypass Android 13’s stricter permissions model, the malware abuses the default SMS handler role, granting itself broad SMS access without triggering per-permission prompts.
This single authorization allows ClayRat to read all incoming and stored messages, send new SMS without confirmation, intercept SMS events before delivery to other apps, and modify SMS databases.


Upon activation, the spyware immediately captures photos via the front-facing camera and exfiltrates them to its C2 server. It supports a comprehensive set of remote commands:
get_apps_list: retrieves installed applications.
get_calls: exfiltrates call logs.
get_camera: captures and uploads front-camera images.
get_sms_list: harvests SMS messages.
messsms: sends mass SMS messages to all contacts.
send_sms, make_call, and more.
Mitigations
As an App Defense Alliance partner, Zimperium has shared findings with Google, ensuring Google Play Protect automatically guards users against known ClayRat variants.
We also identified more than 50 samples where the malware masquerades as a dropper app to bypass Android restrictions.
Defensive measures for users include disabling installation from unknown sources, carefully vetting applications before sideloading, and promptly applying official updates.
Enterprises should enforce mobile application management policies that restrict default SMS handler assignments to trusted applications only.
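As an added illustration (not code from the researchers or the vendor), the following Kotlin shows how an enterprise MDM agent could audit the default SMS handler role abused by ClayRat and, when it runs as device owner, hand the role back to an approved messaging app. The allow-list, the trusted-installer set and the admin component name are assumptions.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.provider.Telephony

// Assumed allow-list: packages the enterprise accepts as default SMS handler.
private val APPROVED_SMS_HANDLERS = setOf("com.google.android.apps.messaging")

// Assumed: installers treated as trusted stores; anything else (or null) is sideloaded.
private val TRUSTED_INSTALLERS = setOf("com.android.vending")

data class SmsRoleFinding(val holder: String, val approved: Boolean, val sideloaded: Boolean)

/** Reports which package currently owns the default-SMS role and whether that is acceptable. */
fun auditDefaultSmsHandler(context: Context): SmsRoleFinding? {
    // Telephony.Sms.getDefaultSmsPackage returns the role holder; null when no SMS app is set.
    val holder = Telephony.Sms.getDefaultSmsPackage(context) ?: return null
    // Installer provenance is only available from API 30 (Android 11); treat unknown as sideloaded.
    val installer: String? = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        try {
            context.packageManager.getInstallSourceInfo(holder).installingPackageName
        } catch (e: PackageManager.NameNotFoundException) {
            null
        }
    } else null
    return SmsRoleFinding(
        holder = holder,
        approved = holder in APPROVED_SMS_HANDLERS,
        sideloaded = installer == null || installer !in TRUSTED_INSTALLERS,
    )
}

/**
 * Device-owner remediation: reassign the SMS role to the approved messaging app.
 * adminComponent is the MDM agent's DeviceAdminReceiver (assumed name).
 * Returns true when the device ends up with an approved handler.
 */
fun enforceApprovedSmsHandler(context: Context, adminComponent: ComponentName): Boolean {
    val finding = auditDefaultSmsHandler(context)
    if (finding != null && finding.approved) return true           // nothing to do
    val dpm = context.getSystemService(DevicePolicyManager::class.java)
    // setDefaultSmsApplication exists from API 29 and needs device-owner privilege.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q ||
        !dpm.isDeviceOwnerApp(context.packageName)) return false
    dpm.setDefaultSmsApplication(adminComponent, APPROVED_SMS_HANDLERS.first())
    return true
}
```

A finding with approved = false and sideloaded = true is the combination worth alerting on, since it matches the page's description of a sideloaded APK taking over the SMS role.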
Continued vigilance and collaboration between security vendors and platform providers remain essential to counter ClayRat’s rapid evolution and prevent widespread compromise.