ClayRat Spyware Campaign Targets Android Users via Fake Apps and Aggressive Self-Propagation
The ClayRat espionage campaign is evolving rapidly and increasingly targeting Android users. According to Zimperium, the malware is spreading actively among Russian users via fake websites and Telegram channels, disguising itself as popular applications such as WhatsApp, TikTok, YouTube, and Google Photos. Once installed, it gains access to a broad array of functions — reading SMS messages and notifications, viewing installed apps, capturing photos with the front-facing camera, and even initiating calls and sending messages.
The defining trait of ClayRat lies in its aggressive self-propagation mechanism. The malware automatically sends malicious links to all of the victim’s contacts, transforming the compromised device into an active node of distribution. This enables the operators to scale their campaign with alarming speed and minimal human intervention. Over the past ninety days, researchers have identified at least 600 unique spyware samples and roughly 50 loaders. Each new iteration adds additional layers of obfuscation, allowing it to bypass security controls.
The infection typically begins on fraudulent websites, which redirect victims to attacker-controlled Telegram channels. There, users are lured into downloading malicious APK files presented as highly rated, well-reviewed applications. One notable example is a counterfeit “YouTube Plus” promising premium features, which can be installed even on devices running Android 13 or higher, despite the platform’s built-in restrictions.
Some variants of ClayRat pose as legitimate apps and function solely as installers. On-screen, a fake Google Play update window appears, while the encrypted malicious payload hides within the app’s internal resources. This deceptive method lowers user suspicion and significantly increases infection success rates. Upon activation, the malware requests permission to become the default SMS application, granting it complete access to messages and notifications.
ClayRat communicates with its command-and-control infrastructure using standard HTTP requests, transmitting detailed device information. Its capabilities include photo capture, enumeration of installed apps, and call manipulation. The malware’s threat lies not only in its espionage functions but also in its ability to transform each infected device into an automated distribution hub, complicating containment efforts.
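As an added example, not code from Zimperium's report or from the campaign itself: a small Python triage heuristic over a device's app inventory that flags the three traits described above (a look-alike label with a non-official package name, a sideloaded app holding the default SMS role, and a sideloaded app with the SMS, contacts, camera and call permissions). The `App` record, the inventory shape and the sample entries are assumptions constructed for the example; the official package names are the real ones.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Real package names of the apps the campaign impersonates.
OFFICIAL = {
    "WhatsApp": "com.whatsapp",
    "TikTok": "com.zhiliaoapp.musically",
    "YouTube": "com.google.android.youtube",
    "Google Photos": "com.google.android.apps.photos",
}
PLAY_STORE = "com.android.vending"
# Permissions that together cover SMS propagation, contact harvesting,
# front-camera capture and call initiation as described in the report.
SPY_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.CALL_PHONE",
}

@dataclass
class App:  # assumed inventory record, e.g. built from package-manager output
    package: str
    label: str
    installer: str | None          # None = sideloaded, no installer recorded
    permissions: set[str] = field(default_factory=set)

def triage(apps: list[App], default_sms_pkg: str) -> list[str]:
    """Return one finding per matched heuristic; empty list = nothing flagged."""
    findings = []
    for app in apps:
        # 1. Label mimics an impersonated app but the package name is not official.
        for name, pkg in OFFICIAL.items():
            if name.lower() in app.label.lower() and app.package != pkg:
                findings.append(f"{app.package}: label '{app.label}' mimics {name} ({pkg})")
        # 2. A sideloaded app holds the default-SMS role the malware requests.
        if app.package == default_sms_pkg and app.installer != PLAY_STORE:
            findings.append(f"{app.package}: sideloaded app is the default SMS handler")
        # 3. A sideloaded app requests the full spy/propagation permission set.
        if app.installer != PLAY_STORE and SPY_PERMS <= app.permissions:
            findings.append(f"{app.package}: sideloaded with SMS+contacts+camera+call permissions")
    return findings

# Constructed sample inventory (not real data); 'YouTube Plus' is modelled on the lure above.
SAMPLE = [
    App("com.google.android.youtube", "YouTube", PLAY_STORE),
    App("com.example.ytplus", "YouTube Plus", None, set(SPY_PERMS)),
    App("com.whatsapp", "WhatsApp", PLAY_STORE, {"android.permission.SEND_SMS"}),
]

if __name__ == "__main__":
    for line in triage(SAMPLE, default_sms_pkg="com.example.ytplus"):
        print(line)
```

A preinstalled system messaging app also has no Play Store installer, so on a real device rule 2 needs an allowlist of the OEM's stock SMS handler.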
According to Google, active ClayRat variants are already being blocked on devices with Google Play Protect, yet the attackers continue to adapt, keeping the threat relevant.
Meanwhile, researchers from the University of Luxembourg and Cheikh Anta Diop University have analyzed preinstalled apps on budget Android smartphones sold across Africa. Out of 1,544 APK files, 145 leaked confidential data, 249 granted access to critical components without proper protection, and 226 executed commands with elevated privileges. These findings highlight a systemic vulnerability in such devices — and an additional layer of risk for their users.