A new Android spyware named ClayRat is deceiving potential victims by masquerading as widely used applications and services such as WhatsApp, Google Photos, TikTok, and YouTube. This sophisticated malware is primarily targeting users in Russia through Telegram channels and fraudulent websites that appear to be legitimate. ClayRat has the capability to steal sensitive information, including SMS messages, call logs, and notifications, while also being able to take pictures and make phone calls without the user's knowledge.
Researchers from mobile security firm Zimperium have reported documenting over 600 samples of ClayRat and more than 50 distinct droppers within the last three months, highlighting an active effort by the attackers to expand their operations. This extensive campaign indicates a well-coordinated approach to infiltrate devices and gather personal data from unsuspecting users.
The ClayRat campaign derives its name from the malware's command and control (C2) server. It employs meticulously designed phishing portals and registered domains that closely imitate genuine service pages. These fraudulent sites either host or redirect visitors to Telegram channels where unsuspecting victims can download Android Package Files (APKs).
To enhance the appearance of legitimacy, the threat actors have implemented various tactics, such as adding fake comments, inflating download counts, and creating a deceptive Play Store-like user experience with step-by-step instructions on how to sideload APKs while bypassing Android’s security warnings. Some samples of ClayRat operate as droppers, presenting users with a fake Play Store update screen while secretly hiding an encrypted payload in the app's assets.
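A dropper that hides an encrypted payload under assets/ leaves a measurable trace: the blob has near-maximal byte entropy. The triage script below is an added example, not code from Zimperium's report, and the threshold, minimum size and extension allow-list are assumptions; it builds a constructed APK-shaped zip in memory and flags assets that look encrypted.

```python
import io
import math
import os
import random
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte (assumption); encrypted data sits close to 8.0
MIN_SIZE = 4096          # assumption: entropy of tiny files is too noisy to judge


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_assets(apk_bytes: bytes, threshold=ENTROPY_THRESHOLD, min_size=MIN_SIZE):
    """Return [(name, size, entropy)] for assets/ entries that look encrypted or packed.

    Already-compressed media formats legitimately score high, so common extensions
    are skipped; anything left with near-8-bit entropy deserves manual inspection."""
    benign_ext = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".zip",
                  ".ogg", ".mp3", ".mp4", ".woff", ".woff2", ".ttf"}
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            if os.path.splitext(info.filename)[1].lower() in benign_ext:
                continue
            if info.file_size < min_size:
                continue
            entropy = shannon_entropy(apk.read(info.filename))
            if entropy >= threshold:
                findings.append((info.filename, info.file_size, round(entropy, 2)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip shaped like an APK with one plain-text asset
    and one deterministic pseudo-random blob standing in for an encrypted payload."""
    rng = random.Random(1234)
    blob = bytes(rng.getrandbits(8) for _ in range(16384))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/config.json", b'{"update": "1.0"}\n' * 400)
        z.writestr("assets/update.dat", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, ent in suspicious_assets(build_sample_apk()):
        print(f"{name}: {size} bytes, entropy {ent} bits/byte")
```

High entropy alone is a lead, not a verdict: confirm by locating the code that reads and decrypts the asset before calling a sample a dropper.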
ClayRat employs a “session-based” installation method to infiltrate devices, which is designed to bypass restrictions present in Android 13 and later versions. This method lowers the perceived risk associated with installation, thus increasing the likelihood that users will unwittingly install the spyware after visiting a compromised webpage.
Once installed, ClayRat can utilize the infected device to propagate itself further by sending SMS messages to the victim’s contact list. The spyware assumes the role of the default SMS handler on compromised devices, allowing it to read all incoming and stored SMS messages, intercept them before other applications can, and modify SMS databases.
The spyware establishes communication with its C2 server, with connections encrypted using AES-GCM in its latest versions. It is designed to receive one of twelve supported commands, including:
- get_apps_list: sends a list of installed apps to the C2.
- get_calls: sends call logs.
- get_camera: takes a front-camera photo and sends it to the server.
- get_sms_list: exfiltrates SMS messages.
- messsms: sends mass SMS to all contacts.
- send_sms / make_call: sends SMS or places calls from the device.
- notifications / get_push_notifications: captures notifications and pushes data.
- get_device_info: collects information about the device.
- get_proxy_data: fetches a proxy WebSocket URL, appends the device ID, and initializes a connection object.
- retransmission: resends an SMS to a number received from the C2.

After obtaining the necessary permissions, the spyware can automatically harvest contacts and programmatically compose and send SMS messages to every contact, allowing for widespread propagation.
As a member of the App Defense Alliance, Zimperium has shared the complete indicators of compromise (IoCs) with Google. Consequently, Play Protect now actively blocks both known and new variants of the ClayRat spyware. Despite these protective measures, researchers emphasize that the ClayRat campaign is extensive, with over 600 documented samples in just three months, highlighting the urgent need for users to be vigilant and cautious when downloading apps and clicking on links.