ClayRat Spyware

A rapidly evolving Android spyware campaign known as ClayRat has emerged as a significant threat to users, particularly in Russia. Attackers exploit a combination of Telegram channels and lookalike phishing websites, impersonating popular applications such as WhatsApp, Google Photos, TikTok, and YouTube to lure victims into installing the malware.

How ClayRat Spreads

The attack chain begins when unsuspecting users are redirected to fraudulent websites that link to Telegram channels controlled by the attackers. Here, victims are tricked into downloading malicious APK files through:

  • Artificially inflated download counts
  • Fabricated testimonials claiming app popularity

Some malicious sites pose as sources of enhanced versions of popular apps, such as YouTube Plus, and host APK files designed to bypass security measures on devices running Android 13 and later.

Certain ClayRat samples function as droppers, presenting a lightweight app with a fake Play Store update screen. The actual payload is encrypted and hidden within the app's assets, allowing the malware to bypass platform restrictions and increase installation success rates.

Malicious Capabilities

Once installed, ClayRat activates a range of intrusive functionalities:

  • Exfiltrates SMS messages, call logs, notifications, and device information
  • Captures photos using the front camera
  • Sends SMS messages or places calls directly from the infected device
  • Collects a list of all installed applications and sends it to the Command-and-Control (C2) server

The malware also aggressively propagates itself by sending malicious links to every contact in the victim's phonebook, effectively turning compromised devices into automated distribution nodes.

Technical Sophistication

Security researchers have observed over 600 samples and 50 droppers of ClayRat in the past 90 days. Each new iteration adds layers of obfuscation, making detection more difficult.

Communication with the C2 infrastructure relies on standard HTTP, and the malware prompts users to set it as the default SMS application, which gives it access to sensitive message content and messaging functions. These capabilities allow attackers to conduct surveillance and expand the malware's reach without manual intervention.
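The two traits described above, a dropper carrying an encrypted payload under the app's assets and an app positioning itself as the default SMS handler, can both be checked cheaply during APK triage. The following script is an added example written for this page, not code from the ClayRat research or from any vendor: it flags large high-entropy files under assets/ and tests whether a decoded manifest declares the intent actions Android requires of a default SMS handler. The APK and manifest fragment are constructed here, and the manifest is assumed to have been decoded to text already (e.g. with apktool), since inside a packaged APK it is binary XML.

```python
import io
import math
import zipfile

# Actions an app must declare to be eligible as the default SMS handler
# (documented Android requirements). Assumption: the manifest has been decoded
# to text (e.g. with apktool); inside the APK it is binary XML.
DEFAULT_SMS_ACTIONS = ("android.provider.Telephony.SMS_DELIVER",
                       "android.provider.Telephony.WAP_PUSH_DELIVER",
                       "android.intent.action.RESPOND_VIA_MESSAGE")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes, manifest_text: str,
               threshold: float = 7.5, min_size: int = 4096) -> dict:
    """Flag large high-entropy files under assets/ (candidate hidden payload)
    and report whether the manifest declares the default-SMS-handler parts."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.filename.startswith("assets/") and info.file_size >= min_size:
                ent = shannon_entropy(apk.read(info))
                if ent >= threshold:
                    suspicious.append((info.filename, round(ent, 2)))
    return {"high_entropy_assets": suspicious,
            "declares_default_sms_handler":
                all(a in manifest_text for a in DEFAULT_SMS_ACTIONS)}

def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK (not a real sample): one asset
    with every byte value equally frequent, one plain text, one tiny file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/update.bin", bytes(range(256)) * 32)
        z.writestr("assets/readme.txt", b"A" * 8192)
        z.writestr("assets/cfg", b"{}")
    return buf.getvalue()

# Constructed manifest fragment (decoded) declaring the three handler actions.
SAMPLE_MANIFEST = "".join(
    f'<action android:name="{a}"/>\n' for a in DEFAULT_SMS_ACTIONS)
```

A hit on both checks is a triage signal, not a verdict: legitimate messaging apps declare the same handler components, and compressed media under assets/ also scores near 8 bits per byte.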

Protective Measures

Despite its potency, ClayRat is mitigated by Google Play Protect, which is enabled by default on devices with Google Play Services. Play Protect automatically safeguards users from known versions of the malware.

ClayRat represents a dual threat: it spies on victims while simultaneously turning their devices into tools for further malware propagation. Its combination of social engineering, advanced evasion techniques, and automated distribution makes it a formidable adversary in the Android threat landscape.
