New Android Spyware “ClayRat” Masquerades as WhatsApp, TikTok & YouTube in Global Espionage Campaign

Oct 10, 2025

Overview & Threat Summary

Security researchers have uncovered a new and aggressive Android spyware campaign, dubbed ClayRat, which impersonates widely used apps and services such as WhatsApp, Google Photos, TikTok, and YouTube in order to trick victims into installing it.

The operation is currently focused on Russian users, with distribution via Telegram channels and phishing sites mimicking legitimate services. Over the past three months, security firms have documented over 600 distinct samples and 50 unique droppers, indicating an active and evolving effort by the threat actors.

Once installed, ClayRat enables a wide range of surveillance and control abilities: reading SMS, harvesting call logs, capturing notifications, taking photos via the camera, making phone calls, exfiltrating device data, and using the infected device as a distribution node by sending malicious SMS to contacts.

Because of its stealth techniques, self-propagation, and impersonation methods, ClayRat represents a serious espionage and privacy threat. Organizations, security teams, and users should be alert and take steps to detect and block it.

Attack Chain & Distribution

Phishing & Social Engineering to Deliver Dropper

  • The campaign employs phishing portals and websites that closely mimic legitimate service pages. These fake sites host or redirect users to Telegram channels controlled by the attackers, where APKs (Android application packages) are distributed.

  • To increase plausibility, the attackers seed fake comments, inflate download counters, and include staged user testimonials to simulate a Play Store–style ecosystem.

  • Some droppers show a fake “Play Store update” interface, tricking the user into thinking they are applying a legitimate system update. The real payload is hidden internally (encrypted) and only activated in a later stage. This “session-based” installation helps bypass restrictions, especially in Android 13+.

  • Because the visible front end appears innocuous, victims are less likely to suspect malicious behavior.

Permission Escalation & Stealth Deployment

  • Once the dropper is run, it requests to become the default SMS handler. This permission is powerful: it allows the spyware to intercept incoming SMS, read stored messages, and send messages without prompting.

  • With SMS handler privileges, ClayRat gains deep access to message flows and can manipulate SMS databases stealthily.

  • The malware begins sending mass SMS to all contacts automatically, usually with contextually plausible links, turning the compromised device into a propagation engine.

  • The malware’s command-and-control (C2) traffic is plaintext HTTP in early builds; later versions encrypt it with AES-GCM.

  • ClayRat supports a set of at least 12 remote commands, including:

    • get_apps_list — list installed apps

    • get_calls — exfiltrate call logs

    • get_sms_list — harvest SMS messages

    • get_camera — take a photo via front camera

    • send_sms / make_call — send SMS or place calls

    • notifications, get_push_notifications — capture notifications

    • get_device_info, get_proxy_data, retransmission, and messsms (mass SMS)

By combining stealth, impersonation, and self-propagation, ClayRat is able to infect at scale and remain persistent in infected devices.

Impact & Risk Analysis

Espionage, Data Theft & Surveillance

ClayRat’s broad capabilities make it suitable for intelligence gathering and espionage:

  • Full access to SMS, call logs, contacts, notifications, and device metadata lets attackers reconstruct communications and behaviors.

  • The ability to take front-camera photos or record activity gives visual data on the user environment.

  • By making calls or sending SMS from the device, attackers can launch further attacks or spoof legitimate communications.

Self-Propagating Botnet Potential

Because ClayRat turns infected devices into distribution nodes, its spread is exponential without requiring new infrastructure:

  • Each compromised device can send malicious SMS to its contacts with spoofed messages, effectively turning victims into “spreaders.”

  • This tactic increases the scale of infection and reduces attacker burden.
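The “spreader” behaviour described above leaves a distinctive trace in the device’s own sent-SMS store: one message body delivered to many distinct contacts within a short window, usually carrying a link. The script below, added here as an example and not code from the original post or from the ClayRat analysis, parses the row format printed by `adb shell content query --uri content://sms/sent --projection address:date:body` and reports such bursts. The rows are constructed, and the burst thresholds (five recipients within two minutes) are this example’s own assumption.

```python
"""Outgoing-SMS burst detector for mass-SMS "spreader" behaviour.

Added example; not code from the original post or from the ClayRat analysis.
Input is the text printed by `adb shell content query --uri content://sms/sent
--projection address:date:body` (date is epoch milliseconds). The sample rows
are constructed; min_recipients and window_ms are assumed thresholds.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^Row: \d+ address=(?P<address>[^,]*), date=(?P<date>\d+), body=(?P<body>.*)$"
)
LINK_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_sent_sms(dump: str) -> list[dict]:
    """Turn the content-query dump into a list of {address, date, body} rows."""
    rows = []
    for line in dump.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"address": m["address"].strip(),
                         "date": int(m["date"]),
                         "body": m["body"]})
    return rows


def find_sms_bursts(rows: list[dict], min_recipients: int = 5,
                    window_ms: int = 120_000) -> list[dict]:
    """Report every message body sent to >= min_recipients distinct addresses
    inside a window_ms-wide sliding window. A normal user rarely sends the
    same text to many contacts within minutes; a spreader does exactly that."""
    by_body = defaultdict(list)
    for r in rows:
        by_body[r["body"]].append(r)

    bursts = []
    for body, msgs in by_body.items():
        msgs.sort(key=lambda r: r["date"])
        best = None  # (distinct recipients, span in ms) of the densest window
        start = 0
        for end in range(len(msgs)):
            while msgs[end]["date"] - msgs[start]["date"] > window_ms:
                start += 1
            window = msgs[start:end + 1]
            recipients = {m["address"] for m in window}
            if best is None or len(recipients) > best[0]:
                best = (len(recipients), window[-1]["date"] - window[0]["date"])
        if best and best[0] >= min_recipients:
            bursts.append({
                "body": body,
                "recipients": best[0],
                "span_ms": best[1],
                "contains_link": bool(LINK_RE.search(body)),
            })
    return bursts


# Constructed sample: six identical link-bearing messages 8 s apart, plus two
# ordinary messages that must not be flagged.
SAMPLE_DUMP = "\n".join(
    [f"Row: {i} address=+1555000000{i}, date={1_760_000_000_000 + i * 8_000}, "
     f"body=Check out this video https://example.invalid/update.apk"
     for i in range(6)]
    + ["Row: 6 address=+15550000099, date=1759999000000, body=Running late, see you at 7",
       "Row: 7 address=+15550000098, date=1759999500000, body=ok"]
)


def triage_sample() -> list[dict]:
    return find_sms_bursts(parse_sent_sms(SAMPLE_DUMP))


if __name__ == "__main__":
    for b in triage_sample():
        print(f"burst: {b['recipients']} recipients in {b['span_ms'] / 1000:.0f}s, "
              f"link={b['contains_link']}: {b['body'][:60]}")
```

Run it against a real dump by piping the adb output into `parse_sent_sms`; a burst whose body carries a link is the strongest indicator, but a burst without one still warrants a look at which app holds the SMS role.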

Evasion & Resilience

  • The use of fake UI, session-style installers, and impersonation helps it evade user suspicion and detection by security tools.

  • The threat actors frequently introduce new droppers and variants to avoid signature-based detection.

  • Because the spyware can integrate deeply by abusing SMS handler and system features, removal is more complex, especially for non-technical users.

Mitigations, Detection & Response

Preventive Measures

  1. Restrict Installation from Unknown Sources

    • Discourage or prevent enabling “Install unknown apps / from unknown sources” unless absolutely necessary.

    • Only allow installations from trusted app stores (Google Play, verified enterprise stores).

  2. User Awareness & Phishing Training

    • Educate users to be cautious about links from SMS or Telegram, especially when they mimic app updates.

    • Warn users about websites that prompt sideloading under the guise of official services.

  3. Limit Sensitive Permissions

    • Monitor and restrict permissions such as default SMS handler, notifications access, SMS send/receive, and device admin privileges.

  4. Mobile Threat Defense & On-Device Protection

    • Use mobile security solutions (e.g., EDR/MTD) capable of behavioral anomaly detection to flag suspicious apps.

    • Utilize runtime protection and application shielding (like Zimperium’s tools) to detect ClayRat variants early.
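The default-SMS-handler role in item 3 is visible statically: Android only offers an app that role when its manifest declares a fixed set of intent filters, and the SMS, call-log, camera and contacts permissions that the command set above maps onto are likewise manifest-level declarations. The script below, added here as an example and not code from the original post or from the ClayRat analysis, triages a decoded AndroidManifest.xml (as produced by apktool) for that combination. Both manifests are constructed; the action and permission strings are Android’s documented ones, while the verdict rules are this example’s own assumption.

```python
"""Static triage of a decoded AndroidManifest.xml for the default-SMS-handler
role plus the permissions the write-up links to ClayRat's command set.

Added example; not code from the original post or from the ClayRat analysis.
The two manifests are constructed. Action/permission strings are Android's
documented ones; the verdict rules are this example's assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_SCHEME = f"{{{ANDROID_NS}}}scheme"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Android requires all four filters (SENDTO with an sms/mms scheme) before an
# app can be selected as the default SMS app.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
    "android.intent.action.SENDTO",
}
SMS_SCHEMES = {"sms", "smsto", "mms", "mmsto"}

# uses-permission entries matching the capabilities listed in the article.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    declared = {el.get(A_NAME) for el in root.iter("uses-permission")}
    sensitive = sorted(declared & SENSITIVE_PERMISSIONS)

    actions_seen, sendto_schemes = set(), set()
    for flt in root.iter("intent-filter"):
        actions = {a.get(A_NAME) for a in flt.findall("action")}
        actions_seen |= actions
        if "android.intent.action.SENDTO" in actions:
            sendto_schemes |= {d.get(A_SCHEME) for d in flt.findall("data")}
    claims_sms_role = SMS_ROLE_ACTIONS <= actions_seen and bool(sendto_schemes & SMS_SCHEMES)

    # A notification listener is declared on the service, not via uses-permission.
    listens_notifications = any(
        svc.get(A_PERMISSION) == NOTIFICATION_LISTENER for svc in root.iter("service")
    )

    # Assumed rules: the SMS role alone is normal for a messaging app and gets
    # "review"; the role plus a notification listener is the profile the
    # article describes and gets "suspicious".
    score = 3 * claims_sms_role + len(sensitive) + 2 * listens_notifications
    if claims_sms_role and listens_notifications:
        verdict = "suspicious"
    elif claims_sms_role or score >= 4:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "claims_sms_role": claims_sms_role,
            "sensitive_permissions": sensitive,
            "listens_notifications": listens_notifications,
            "score": score, "verdict": verdict}


# Constructed manifest shaped like a fake-update dropper's payload.
SPYWARE_LIKE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fake.update">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".ComposeActivity"><intent-filter>
      <action android:name="android.intent.action.SENDTO"/>
      <data android:scheme="sms"/><data android:scheme="smsto"/></intent-filter></activity>
    <service android:name=".RespondService"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <service android:name=".NotifListener" android:permission="{NOTIFICATION_LISTENER}"/>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SPYWARE_LIKE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']}: {r['verdict']} (score {r['score']}, "
              f"sms_role={r['claims_sms_role']}, notif={r['listens_notifications']})")
```

Use this as a pre-installation gate in an MDM or app-vetting pipeline: a sideloaded package that claims the SMS role and a notification listener should be blocked pending manual review, whatever its label says.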

Detection Signals & Indicators

  • Unexpected prompts to set “default SMS app”

  • New apps claiming to be updates for WhatsApp, TikTok, or YouTube

  • SMS messages sent from your phone without your initiation

  • Unusual battery drain, network activity, or data usage

  • Presence of apps not installed via the Play Store

  • Alerts from Play Protect or mobile security tools blocking installation or execution (Google has been provided IoCs)

Incident Response & Remediation

  1. Isolate the Device

    • Immediately disable network connectivity (Wi-Fi, mobile data) to stop further exfiltration.

  2. Revoke Malicious Permissions

    • Remove default SMS handler privileges, revoke suspicious app permissions, or remove the app entirely.

  3. Perform Full Malware Scan / Clean Installation

    • Use a trusted security tool to scan for known IOCs.

    • If compromised, factory reset the device (after data backup), and restore only verified apps.

  4. Reset Credentials & Review Logs

    • Change passwords for accounts accessed on the device.

    • Monitor for suspicious logins, SMS forwarding, or account activity.

  5. Share Indicators & Threat Intelligence

    • Report IoCs to your security team, EDR vendors, or community sharing platforms.

    • Stay updated with threat intel feeds for new ClayRat variants.

Strategic & Long-Term Considerations

  • Supply Chain & Ecosystem Risk
    Even where a campaign reaches only a fraction of users, ClayRat shows that legitimate apps can be mimicked or spoofed to deliver malware. The trust users place in app ecosystems is being weaponized.

  • Regional Targeting & Attribution
    The current focus appears to be Russia, but the infrastructure, techniques, and droppers could be repurposed for other geographies.

  • Signature Evasion & Variant Explosion
    Because over 600 samples are already known, and new droppers are frequently introduced, defenders should prioritize behavioral and anomaly detection over static signature matching.

  • Regulatory & Privacy Ramifications
    State or corporate users targeted by such spyware may face severe reputational, privacy, and legal exposure if sensitive data or communications are exposed.

Conclusion & Call to Action

The emergence of ClayRat underscores a growing trend in mobile espionage: impersonation, session-based stealth, and self-propagation. Its sophistication and rapid expansion make it a serious threat to user privacy, enterprise mobile security, and national security in targeted regions.

Security teams must adapt their defenses, from user education and behavior monitoring to runtime protection and rigorous incident response, to counter such threats. The longer these campaigns go unchecked, the greater the likelihood of compromised communications, credential theft, and further spread.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
