A fast-evolving Android spyware campaign known as “ClayRat,” initially targeting Russian users but now spreading far beyond, has produced more than 600 samples and 50 droppers in just three months.
According to Zimperium’s Zlabs observations, ClayRat is distributed via phishing sites and Telegram channels posing as popular apps such as TikTok, YouTube, and Google Photos, to trick users into sideloading infected APKs.
Apart from secretly reading and sending text messages, taking photos, and stealing contact lists and call logs, ClayRat can spread itself by texting malicious links to everyone in the contact list on the victim’s phone, effectively turning each infection into a distribution hub.
“In many ways, mobile devices have taken us back a decade,” noted John Bambenek from Bambenek Consulting. “In email, we have some protection against compromised users sending phishing lures. However, this doesn’t really exist in SMS. The result is that we artificially trust messages from our contacts and that they may include installing apps from outside Google Play.”
Weaponizing trust from Telegram to text threads
Zimperium’s report, shared with CSO ahead of its publication on Thursday, shows that ClayRat thrives on trust loops. Attackers use polished phishing pages and Telegram “update channels” to host fake apps, complete with forged testimonials and inflated download counts. Once granted SMS-handling privileges, the spyware weaponizes that trust, sending “Be the first to know!” texts with malicious links to every contact on an infected phone.
“This type of RAT technology, which allows victim devices to send authentic-looking messages or even make calls, can be used to bypass MFA or engage in sophisticated impersonation attacks,” Bambenek added.
By requesting Android’s default SMS handler role, which bundles the ability to send, receive and read text messages behind a single system prompt, ClayRat sidesteps the individual runtime permission dialogs a user would otherwise have to approve, gaining deep access without raising alarms. Zimperium analysts found that once the role is granted, ClayRat can send or intercept texts, take front-camera photos, and forward everything to its command-and-control (C2) servers.
“Upon receiving a command from its command and control (C2) server, the malware composes “Узнай первым! <link>” (English: “Be the first to know! <link>”) and, using the SEND_SMS and READ_CONTACTS permissions, automatically harvests the victim’s contact list and delivers the malicious link to every entry,” Zimperium researchers said.
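The capability mix described above (eligibility for the default SMS handler role, plus SEND_SMS and READ_CONTACTS for the self-spreading texts, plus camera access) can be spotted statically before an APK is ever installed. The script below is an added example written for this article, not Zimperium’s tooling or anything from the ClayRat samples: it parses a decoded AndroidManifest.xml (text form, as apktool or aapt would produce) and scores it for that combination, and scans decoded strings for the Russian lure text quoted by the researchers. The manifest component requirements for the default SMS role are Android’s documented platform rules; the two sample manifests, the package names, and the lure string scan are constructed for illustration.

```python
"""Static triage of an Android manifest for ClayRat-style capabilities.

Added example (not Zimperium's code). Input is a decoded AndroidManifest.xml
in text form, assumed to come from apktool/aapt. Sample manifests are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Components Android requires before an app may hold the default SMS role
# (documented platform requirements; a sideloaded "video app" has no reason to declare them).
DEFAULT_SMS_ROLE_REQUIREMENTS = {
    "receiver:android.provider.Telephony.SMS_DELIVER",
    "receiver:android.provider.Telephony.WAP_PUSH_DELIVER",
    "activity:android.intent.action.SENDTO",
    "service:android.intent.action.RESPOND_VIA_MESSAGE",
}

SENSITIVE_PERMISSIONS = {
    "android.permission.SEND_SMS": "sends SMS (self-propagation)",
    "android.permission.READ_CONTACTS": "harvests contact list",
    "android.permission.READ_SMS": "reads SMS",
    "android.permission.CAMERA": "takes photos",
    "android.permission.READ_CALL_LOG": "reads call log",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs further APKs",
}

# Lure text quoted by Zimperium, plus its English rendering.
LURE_STRINGS = ("Узнай первым!", "Be the first to know!")


def collect_actions(root):
    """Return 'component:action' strings for every intent-filter action in <application>."""
    found = set()
    app = root.find("application")
    if app is None:
        return found
    for comp in app:
        if comp.tag in ("activity", "receiver", "service"):
            for action in comp.iter("action"):
                found.add(f"{comp.tag}:{action.get(NAME)}")
    return found


def triage_manifest(manifest_xml):
    """Score a manifest for the default-SMS-role + contact-harvesting worm pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.findall("uses-permission")}
    missing = DEFAULT_SMS_ROLE_REQUIREMENTS - collect_actions(root)
    findings = {
        "package": root.get("package"),
        "default_sms_capable": not missing,
        "missing_sms_role_components": sorted(missing),
        "sensitive_permissions": sorted(p for p in perms if p in SENSITIVE_PERMISSIONS),
    }
    # The article's propagation recipe: SMS role eligibility + SEND_SMS + READ_CONTACTS.
    findings["sms_worm_pattern"] = (
        findings["default_sms_capable"]
        and "android.permission.SEND_SMS" in perms
        and "android.permission.READ_CONTACTS" in perms
    )
    return findings


def find_lure_strings(decoded_text):
    """Return which known lure strings occur in decoded resources/dex strings."""
    return [s for s in LURE_STRINGS if s in decoded_text]


# Constructed sample: a lookalike "player" app that declares everything a worm needs.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a benign camera app that only asks for the camera.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
    print(find_lure_strings("...Узнай первым! https://... "))  # constructed decoded-strings fragment
```

The worm flag deliberately requires all three ingredients rather than any one of them: a legitimate messaging app will pass the default-SMS check and also hold SEND_SMS and READ_CONTACTS, so in practice the score is combined with the distribution context (sideloaded, posing as a video or photo app) and the lure-string hit before it is treated as a detection.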
Fighting a self-spreading spyware
Experts say combating ClayRat requires both technical hardening and behavioral hygiene.
“Security teams should enforce a layered mobile security posture that reduces installation paths, detects compromise, and limits blast radius,” said Jason Soroko, Senior Fellow at Sectigo. He recommends blocking sideloading through Android Enterprise policy, deploying mobile threat defense integrated with endpoint management, and shifting to phishing-resistant MFA such as passkeys or hardware security keys.
Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, said that “end user training and education is highly recommended–especially to ensure that employees understand the importance of not loading apps from untrusted sources.”
Zimperium claims its behavioral ML models detected ClayRat’s earliest variants before signatures existed, and it has since shared threat intelligence with Google to strengthen Play Protect defenses. But as the spyware continues to evolve, the real challenge may lie less in detection than in convincing users that the danger sometimes hides behind a familiar app icon.
Researchers have also shared a full list of indicators of compromise (IOCs) to help security teams detect and defend against ongoing ClayRat activity.