ClayRat Android spyware targets Russian users via fake Telegram channels and phishing sites posing as popular apps like WhatsApp and YouTube.
The ClayRat Android spyware campaign targets Russian users via fake Telegram channels and phishing sites posing as popular apps like Google Photos, WhatsApp, TikTok, and YouTube.
Zimperium named the spyware ClayRat after its C2 server, which presents a login form labeled with that name.
Zimperium researchers observed over 600 samples and more than 50 droppers in three months, each adding obfuscation and packing to evade detection. The malware also abuses Android’s default SMS handler role to bypass per-permission prompts and access sensitive data stealthily.
“ClayRat poses a serious threat not only because of its extensive surveillance capabilities, but also because of its abuse of Android’s default SMS handler role,” reads the report published by Zimperium. “This technique allows it to bypass standard runtime permission prompts and gain access to sensitive data without raising alarms.”
ClayRat spreads via a coordinated mix of social engineering and web deception that exploits user trust. Attackers use Telegram channels and phishing sites mimicking legitimate services like YouTube or GdeDPS to host fake APKs, complete with step-by-step install guides that walk victims past Android’s sideloading warnings.
Telegram channels, seeded with fake reviews and inflated statistics, amplify reach and persistence.
The Android malware also spreads via phishing sites mimicking popular apps, delivering fake APKs. Some samples act as droppers, showing fake update screens while hiding the payload. Once installed, it automatically sends malicious SMS to all contacts, turning each infected device into a distribution node.
“A major propagation in this campaign is the malware’s ability to weaponize the victim’s contact list. Once active and granted default SMS handling privileges, ClayRat automatically composes and sends socially engineered messages (“Узнай первым! <link>”) to every contact,” continues the report. “Because these messages appear to come from a trusted source, recipients are far more likely to click the link, join the same Telegram channel, or visit the same phishing site. Each infected device therefore becomes a distribution node, fueling exponential spread without the need for new infrastructure.”
Combining impersonation, Telegram channels, fake UX flows, and self-propagation, the campaign grows rapidly and effectively targets non-technical users.
ClayRat communicates with its C2 over plain HTTP and obfuscates payloads by inserting the marker “apezdolskynet” into otherwise Base64-encoded data, so the body only decodes once the marker is stripped. Experts also spotted an alternate variant that packs the sample, uses AES-GCM to encrypt C2 traffic, and dynamically loads an encrypted payload from its assets at runtime.
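The marker trick described above is cheap to undo once you know it is there. The following helper, added here as an illustration and not code from Zimperium’s report or from the malware, strips the marker and decodes the remaining Base64, and scans a batch of captured HTTP bodies for the marker. The report does not say how many times or where the marker is inserted, so the decoder assumes it may appear any number of times at any position; the sample bodies are constructed for the example.

```python
"""Decoder and detection helper for the ClayRat C2 traffic pattern.

Added example, not code from Zimperium's report or from the malware.
Assumption (not stated in the report): the literal marker "apezdolskynet"
may appear any number of times, anywhere in an otherwise valid Base64 string;
the decoder therefore removes every occurrence before decoding.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

MARKER = "apezdolskynet"
# Standard Base64 alphabet with optional padding; anything else is not a candidate.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def strip_marker(blob: str) -> str:
    """Remove every occurrence of the obfuscation marker."""
    return blob.replace(MARKER, "")


def decode_payload(blob: str) -> Optional[bytes]:
    """Strip the marker and Base64-decode; None if the result is not valid Base64.

    Note that the marker itself is made of Base64 alphabet characters, so a
    naive decoder would not fail on it but would silently produce garbage.
    """
    cleaned = strip_marker(blob).strip()
    if not _B64_RE.match(cleaned):
        return None
    cleaned += "=" * (-len(cleaned) % 4)  # repair padding lost in transit
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        return None


def scan_http_bodies(bodies: List[Tuple[str, str]]) -> List[dict]:
    """Flag request bodies containing the marker and show what they decode to.

    `bodies` is a list of (description, body) pairs, e.g. from a proxy log.
    """
    hits = []
    for where, body in bodies:
        if MARKER not in body:
            continue
        hits.append({
            "where": where,
            "marker_count": body.count(MARKER),
            "decoded": decode_payload(body),
        })
    return hits


def make_obfuscated_sample(data: bytes) -> str:
    """Constructed sample generator: Base64-encode and splice the marker in twice."""
    b64 = base64.b64encode(data).decode("ascii")
    mid = len(b64) // 2
    return b64[:4] + MARKER + b64[4:mid] + MARKER + b64[mid:]


# Constructed sample traffic: one obfuscated C2 body, one plain Base64 body, one unrelated body.
SAMPLE_BODIES = [
    ("POST /api/report (device A)", make_obfuscated_sample(b'{"type":"sms","count":3}')),
    ("POST /api/report (device B)", base64.b64encode(b'{"type":"ping"}').decode("ascii")),
    ("POST /login (unrelated)", "user=alice&pw=secret"),
]

if __name__ == "__main__":
    for hit in scan_http_bodies(SAMPLE_BODIES):
        print(hit["where"], "marker x%d" % hit["marker_count"], hit["decoded"])
```

Because the marker is a fixed string, it is also a straightforward network-detection signature for unencrypted samples; the AES-GCM variant mentioned above would not be caught this way.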
The Android spyware abuses Android’s default SMS handler role to gain broad access – read, send, and intercept SMS, and modify message databases – with a single role grant instead of individual runtime permission prompts. Once granted, the spyware captures front-camera photos, exfiltrates SMS, call logs, and notifications to its C2, and executes remote commands (take photos, list apps, send mass SMS to all contacts, make calls, exfiltrate data).
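Because the SMS role is granted once rather than per permission, the most useful triage question on a device is simply which package currently holds it. The script below is an added example, not Zimperium’s or the malware’s code: it reads the `sms_default_application` secure setting over adb (the legacy setting behind `Telephony.Sms.getDefaultSmsPackage`; on Android 10 and later the RoleManager is authoritative, so treat a mismatch as a lead to confirm under Settings > Default apps) and compares the package against an allowlist. The allowlist and the device readings are constructed for the example, and the allowlist is a starting point, not a complete list of legitimate SMS apps.

```python
"""Triage check for the default-SMS-handler abuse described above.

Added example, not code from Zimperium or from the malware. Reads the
`sms_default_application` secure setting over adb and compares the holder
against a constructed allowlist of well-known messaging apps.
"""
import subprocess
from typing import Dict, List, Optional

# Constructed allowlist: well-known messaging apps commonly set as SMS handler.
KNOWN_SMS_HANDLERS = {
    "com.google.android.apps.messaging",  # Google Messages
    "com.samsung.android.messaging",      # Samsung Messages
    "org.thoughtcrime.securesms",         # Signal
}


def parse_default_sms_setting(raw: str) -> Optional[str]:
    """Normalise `settings get secure sms_default_application` output.

    The command prints the package name, or the literal string "null" when
    the setting is unset.
    """
    value = raw.strip()
    if not value or value == "null":
        return None
    return value


def assess_sms_handler(pkg: Optional[str],
                       allowlist=KNOWN_SMS_HANDLERS) -> Dict[str, str]:
    """Classify the current default SMS handler for an analyst."""
    if pkg is None:
        return {"status": "unset", "package": "", "note": "no default SMS app recorded"}
    if pkg in allowlist:
        return {"status": "ok", "package": pkg, "note": "known messaging app"}
    return {"status": "review", "package": pkg,
            "note": "unknown package holds the SMS role; it can read, send and intercept "
                    "SMS without per-permission prompts, so check how it was installed"}


def read_default_sms_handler(adb: str = "adb", serial: Optional[str] = None) -> Optional[str]:
    """Query a connected device. Requires adb and USB debugging; not used by the offline test."""
    cmd = [adb] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "sms_default_application"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_default_sms_setting(out)


def triage_fleet(readings: Dict[str, str]) -> List[Dict[str, str]]:
    """Assess {device_serial: raw setting output} and return everything that is not a known handler."""
    findings = []
    for serial, raw in readings.items():
        result = assess_sms_handler(parse_default_sms_setting(raw))
        if result["status"] != "ok":
            findings.append({"device": serial, **result})
    return findings


# Constructed sample readings as they would come back from `settings get`.
SAMPLE_READINGS = {
    "R58M1234ABC": "com.samsung.android.messaging\n",
    "emulator-5554": "com.example.fakeupdate\n",  # constructed suspicious package name
    "9A111FFAZ": "null\n",
}

if __name__ == "__main__":
    for finding in triage_fleet(SAMPLE_READINGS):
        print(finding)
```

A device whose SMS role is held by a package that was sideloaded from a Telegram link or a look-alike site, rather than installed from a store, is exactly the situation this campaign creates, and the role grant is visible to the user only once, at install time.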
“The sheer scale of this campaign—over 600 observed samples in just three months—highlights how quickly the mobile threat landscape is changing,” concludes Zimperium.