A rapidly evolving Android spyware campaign known as “ClayRat” has been discovered targeting Russian users through Telegram channels and phishing websites.
The campaign, tracked by Zimperium zLabs researchers, disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos and YouTube to trick users into downloading malicious software.
A Fast-Growing Mobile Threat
Over the past three months, the researchers identified more than 600 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools.
Once installed, the spyware can exfiltrate call logs, SMS messages and notifications, take photos using the front camera and even send messages or place calls directly from the victim’s phone.
“ClayRat is a new Android spyware that hides inside fake apps that mimic popular apps such as TikTok, YouTube or Google Photos, and tricks users into giving it special permissions,” said Chrissa Constantine, senior cybersecurity solution architect at Black Duck.
“Once installed, it can secretly read and send text messages, take photos, steal contact lists and call logs and spread itself.”
The spyware’s operators employ a multifaceted strategy combining impersonation, deception and automation.
Distribution occurs mainly through:
- Phishing sites mimicking legitimate services like YouTube or Google Photos
- Telegram channels seeded with fake reviews and inflated download counts
- Step-by-step installation guides prompting users to bypass Android’s built-in warnings
- Session-based installers posing as Play Store updates
Abuse of Android’s SMS Handler Role
ClayRat’s most concerning feature is its abuse of Android’s default SMS handler role. Once the user grants that role, the malware can read, store and send text messages without any further prompt. Android reserves full SMS access for whichever app holds the role, so an app that asks to become the default messaging app while posing as a photo, video or social app has no legitimate reason to do so and should be treated as a red flag.
The spyware exploits this access to spread itself further, sending messages such as “Be the first to know!” to every saved contact.
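One practical check that follows from the SMS-role abuse described above is to verify which package holds the default SMS role on a device and where that package came from. The script below is an added example, not Zimperium’s or the article’s tooling: it reads the role holder from `adb shell settings get secure sms_default_application` and the third-party package list from `adb shell pm list packages -3 -i`, and flags a holder that is neither on an allowlist nor installed from the Play Store. The allowlist, the package name `com.example.fakephotos` and the sample `adb` output are constructed assumptions so the script runs offline; pass `--live` to run it against an attached device.

```shell
#!/bin/sh
# Triage for default-SMS-handler abuse. Added example; assumes adb and an
# Android device where the two commands named below exist (Android 4.4+).

# Assumption: the default SMS apps your fleet is expected to use.
KNOWN_SMS_APPS="com.google.android.apps.messaging com.samsung.android.messaging"

# is_known_sms_app PKG -> exit 0 if PKG is on the allowlist, 1 otherwise
is_known_sms_app() {
    for k in $KNOWN_SMS_APPS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# installer_of PKG PM_OUTPUT -> prints the installer recorded by the package
# manager ("null" for sideloaded packages), or "not-third-party" when PKG is
# absent from the third-party list (i.e. it is a system app).
installer_of() {
    line=$(printf '%s\n' "$2" | grep "^package:$1 " || true)
    if [ -z "$line" ]; then
        echo "not-third-party"
    else
        printf '%s\n' "$line" | sed 's/.*installer=//'
    fi
}

# classify_sms_holder HOLDER PM_OUTPUT -> prints a verdict line;
# exit 0 for OK/REVIEW, exit 1 for SUSPICIOUS.
classify_sms_holder() {
    holder=$1
    if is_known_sms_app "$holder"; then
        echo "OK holder=$holder"
        return 0
    fi
    inst=$(installer_of "$holder" "$2")
    case "$inst" in
        com.android.vending)
            # Unknown handler, but it came through Play: worth a look, not an alarm.
            echo "REVIEW holder=$holder installer=$inst"
            return 0 ;;
        *)
            # Unknown handler that was sideloaded (browser/Telegram download)
            # or is not a third-party app at all: the ClayRat installation path.
            echo "SUSPICIOUS holder=$holder installer=$inst"
            return 1 ;;
    esac
}

# Constructed samples standing in for:
#   adb shell settings get secure sms_default_application
#   adb shell pm list packages -3 -i
SAMPLE_HOLDER="com.example.fakephotos"
SAMPLE_PM="package:com.google.android.apps.messaging  installer=com.android.vending
package:com.example.fakephotos  installer=null
package:org.telegram.messenger  installer=com.android.vending"

if [ "${1:-}" = "--live" ]; then
    classify_sms_holder "$(adb shell settings get secure sms_default_application | tr -d '\r')" \
                        "$(adb shell pm list packages -3 -i | tr -d '\r')" || :
else
    classify_sms_holder "$SAMPLE_HOLDER" "$SAMPLE_PM" || :
fi
```

The `installer=` field is only as trustworthy as the package manager that recorded it, and a "REVIEW" verdict still needs a human to decide whether the holder is a legitimate messaging app; the point of the check is that a sideloaded, non-messaging app holding the SMS role matches the infection pattern the report describes and should be pulled for analysis.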
“Once installed, ClayRat can steal SMS messages, call logs, notifications, device identifiers, and photos taken with the front camera,” said Jason Soroko, senior fellow at Sectigo.
“It can also send SMS or place calls from the device.”
Detection and Defense
Zimperium’s systems reportedly detected ClayRat variants as soon as they appeared, before public disclosures. The company said it shared its findings with Google, helping ensure protection through Google Play Protect.
To protect against similar threats, Soroko explained: “Security teams should enforce a layered mobile security posture that reduces installation paths, detects compromise and limits blast radius.”
John Bambenek, president at Bambenek Consulting, added: “The key protection for any mobile device user is to only install applications from authorized Play/App stores, even if they get a message from an otherwise familiar contact.”
With over 600 observed samples and growing sophistication, ClayRat underscores the accelerating pace of mobile malware evolution and the need for proactive defenses.