Cybersecurity researchers at Zimperium’s zLabs have identified a new and fast-spreading Android spyware known as ClayRat. This spyware is actively targeting Android users, primarily those in Russia, by disguising itself as trusted applications like WhatsApp, Google Photos, TikTok, and YouTube.
Tricking Users into Installation
The attackers rely on clever social engineering tricks to get the malware onto devices. They set up fake websites that look convincingly like official service pages. For example, in one observed case, a fake GdeDPS landing page was used to trick visitors. These deceptive sites then redirect users to special Telegram channels, such as one named @baikalmoscow, where the malicious app file is hosted.
Further probing revealed that the operators even flood these channels with fake positive comments and download counts to reduce user suspicion before they install the app.

Once ClayRat is active, it unleashes alarming capabilities. It can steal a user’s text messages and full call history, take pictures secretly using the phone’s front camera, and even send new text messages or place calls directly from the victim’s device without any interaction from the victim.
Covert & Quick Distribution Tactics
zLabs’ research, shared with Hackread.com ahead of publication on Monday, shows ClayRat is growing quickly. Over the last three months, more than 600 distinct samples of the spyware and 50 ‘dropper’ apps (installers that hide the real malicious payload) have been observed.
This volume of unique files, and the speed at which new versions appear, indicates that the operators are constantly repacking the malware to evade detection by security products.
Regarding the malware’s propagation, researchers found that it abuses a powerful role on Android devices: the default SMS handler. Once the victim accepts the system prompt to make the app their default messaging app, ClayRat can read, receive and send SMS through that role rather than through individual runtime permission requests, which lets it sidestep the usual security warnings and gain broad access to sensitive data and functions.
It then automatically sends a malicious text to every person in the victim’s phone book. The message is generally in Russian, “Узнай первым!” (English: “Be the first to know!”), and because it appears to come from a trusted friend, recipients are likely to click it. Every infected device therefore spreads the infection to others, fuelling exponential growth. This ability to self-propagate is a defining feature of the campaign.
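Android only offers an app the default SMS role if its manifest declares four specific components (an SMS_DELIVER receiver, a WAP_PUSH_DELIVER receiver, a SENDTO activity for the sms/smsto/mms/mmsto schemes, and a RESPOND_VIA_MESSAGE service), as documented in Android’s SMS provider guidance. That makes the manifest a cheap triage signal: an app calling itself a photo gallery or video player has no business declaring them, let alone alongside contacts and SEND_SMS permissions of the kind needed to mass-message an address book. The script below is an added example written for this article, not Zimperium’s tooling or anything from the campaign; it assumes the APK’s manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest it parses is constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for default-SMS-role eligibility
plus the permission set an SMS-spreading spyware needs.

Added illustration (not from the page or from Zimperium). Assumes the
manifest is already decoded to plain XML; the sample below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities described in the write-up.
SPYWARE_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.CAMERA",
}

# Constructed sample: a "photo app" that declares every SMS-handler component.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakephotos">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Google Photos">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter>
        <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/>
      </intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
        <data android:scheme="mms"/><data android:scheme="mmsto"/>
      </intent-filter>
    </activity>
    <service android:name=".HeadlessSmsSendService"
             android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>
"""

def _has_action(component, action):
    return any(a.get(ANDROID_NS + "name") == action for a in component.iter("action"))

def sms_role_components(root):
    """Report which of the four default-SMS-handler components are declared."""
    found = {"sms_deliver": False, "wap_push_deliver": False,
             "sendto": False, "respond_via_message": False}
    app = root.find("application")
    if app is None:
        return found
    for recv in app.iter("receiver"):
        if _has_action(recv, "android.provider.Telephony.SMS_DELIVER"):
            found["sms_deliver"] = True
        if _has_action(recv, "android.provider.Telephony.WAP_PUSH_DELIVER"):
            found["wap_push_deliver"] = True
    for act in app.iter("activity"):
        if _has_action(act, "android.intent.action.SENDTO"):
            schemes = {d.get(ANDROID_NS + "scheme") for d in act.iter("data")}
            if {"sms", "smsto", "mms", "mmsto"} <= schemes:
                found["sendto"] = True
    for svc in app.iter("service"):
        if _has_action(svc, "android.intent.action.RESPOND_VIA_MESSAGE"):
            found["respond_via_message"] = True
    return found

def triage_manifest(xml_text):
    """Return package, label, SMS-role eligibility and notable permissions."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    comps = sms_role_components(root)
    return {
        "package": root.get("package"),
        "label": app.get(ANDROID_NS + "label") if app is not None else None,
        "sms_role_eligible": all(comps.values()),
        "sms_role_components": comps,
        "spyware_permissions": sorted(perms & SPYWARE_PERMISSIONS),
    }

def is_suspicious(report):
    """Heuristic: SMS-role eligible AND able to read contacts and send SMS,
    i.e. everything needed to message the whole address book."""
    p = set(report["spyware_permissions"])
    return (report["sms_role_eligible"]
            and "android.permission.READ_CONTACTS" in p
            and "android.permission.SEND_SMS" in p)

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report)
    print("suspicious:", is_suspicious(report))
```

The heuristic is deliberately narrow: legitimate messaging apps will also trip the role check, so the point is the mismatch between what the app claims to be (its label and the store it came from) and what its manifest prepares it to do. Run it over the manifest of any sideloaded APK before trusting the name it was distributed under.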
“In many ways, mobile devices have taken us back a decade. In email, we have some protection against compromised users sending phishing lures; however, this doesn’t really exist in SMS. The result is that we artificially trust messages from our contacts, and that may include installing apps from outside Google Play,” said John Bambenek, President at Bambenek Consulting.
“The key protection for any mobile device user is to only install applications from authorized play/app stores, even if they get a message from an otherwise familiar contact. This type of RAT technology, which allows victim devices to send authentic-looking messages or even make outgoing phone calls, can not only be used to bypass MFA but also to engage in even more sophisticated impersonation attacks,” he warned.
Zimperium’s findings describe a serious new threat that is, for now, limited to Russia but could easily expand to users elsewhere. To protect your device from threats like ClayRat, stick strictly to the Google Play Store for all your apps and never install app files (APKs) sent via messages, social media, or unknown websites. Also, be suspicious of any link you receive, even from a friend, especially if it prompts you to install an app or an update.