{"id":5290,"date":"2025-10-09T13:00:00","date_gmt":"2025-10-09T13:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5290"},"modified":"2025-10-09T13:00:00","modified_gmt":"2025-10-09T13:00:00","slug":"clayrat-spyware-turns-phones-into-distribution-hubs-via-sms-and-telegram","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5290","title":{"rendered":"ClayRat spyware turns phones into distribution hubs via SMS and Telegram"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A fast-evolving Android spyware campaign known as \u201cClayRat,\u201d initially targeting Russian users but now spreading far beyond, has produced more than 600 samples and 50 droppers in just three months.<\/p>\n<p>According to Zimperium\u2019s Zlabs observations, ClayRat is distributed via phishing sites and Telegram channels posing as popular apps such as TikTok, YouTube, and Google Photos, to trick users into sideloading infected APKs.<\/p>\n<p>Apart from secretly reading and sending text messages, taking photos, and stealing contact lists and call logs, ClayRat can spread itself by texting malicious links to everyone in the contact list on the victim\u2019s phone, effectively turning each infection into a distribution hub.<\/p>\n<p>\u201cIn many ways, mobile devices have taken us back a decade,\u201d noted John Bambenek from Bambenek Consulting. \u201cIn email, we have some protection against compromised users sending phishing lures. However, this doesn\u2019t really exist in SMS. 
The result is that we artificially trust messages from our contacts and that they may include installing apps from outside Google Play.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Weaponizing trust from Telegram to text threads<\/h2>\n<p>Zimperium\u2019s <a href=\"https:\/\/zimperium.com\/blog\/clayrat-a-new-android-spyware-targeting-russia\">report<\/a>, shared with CSO ahead of its publication on Thursday, shows that ClayRat thrives on trust loops. Attackers use polished phishing pages and Telegram \u201cupdate channels\u201d to host fake apps, complete with forged testimonials and inflated download counts. Once granted SMS-handling privileges, the spyware weaponizes that trust, sending \u201cBe the first to know!\u201d texts with malicious links to every contact on an infected phone.<\/p>\n<p>\u201cThis type of RAT technology, which allows victim devices to send authentic-looking messages or even make calls, can be used to bypass MFA or engage in sophisticated impersonation attacks,\u201d Bambenek added.<\/p>\n<p>By exploiting Android\u2019s default SMS handler role, ClayRat bypasses normal runtime permission checks, gaining deep access without raising user alarms. Zimperium analysts found that once the role is granted, ClayRat can send or intercept texts, take front-camera photos, and forward everything to its command-and-control (C2) servers.<\/p>\n<p>\u201cUpon receiving a command from its command and control (C2) server, the malware composes \u201c\u0423\u0437\u043d\u0430\u0439 \u043f\u0435\u0440\u0432\u044b\u043c! &lt;link&gt;\u201d (English: \u201cBe the first to know! 
&lt;link&gt;\u201d) and, using the SEND_SMS and READ_CONTACTS permissions, automatically harvests the victim\u2019s contact list and delivers the malicious link to every entry,\u201d Zimperium researchers said.<\/p>\n<h2 class=\"wp-block-heading\">Fighting a self-spreading spyware<\/h2>\n<p>Experts say combating ClayRat requires both technical hardening and behavioral hygiene.<\/p>\n<p>\u201cSecurity teams should enforce a layered mobile security posture that reduces installation paths, detects compromise, and limits blast radius,\u201d said Jason Soroko, Senior Fellow at Sectigo. He recommends blocking sideloading through Android Enterprise policy, deploying mobile threat defense integrated with endpoint management, and shifting to phishing-resistant <a href=\"https:\/\/www.csoonline.com\/article\/3535222\/mfa-adoption-is-catching-up-but-is-not-quite-there.html\">MFA<\/a> such as <a href=\"https:\/\/www.csoonline.com\/article\/2513273\/passkeys-arent-attack-proof-not-until-properly-implemented.html\">passkeys<\/a> or hardware security keys.<\/p>\n<p>Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, said that \u201cend user training and education is highly recommended\u2013especially to ensure that employees understand the importance of not loading apps from untrusted sources.\u201d<\/p>\n<p>Zimperium claims its behavioral ML models detected ClayRat\u2019s earliest variants before signatures existed, and has since shared threat intelligence with Google to strengthen Play Protect defenses. 
But as the spyware continues to evolve, the real challenge might not just be detection; it\u2019s convincing users that the real danger sometimes hides behind a familiar app icon.<\/p>\n<p>Researchers have also shared a <a href=\"https:\/\/github.com\/Zimperium\/IOC\/tree\/master\/2025-10-ClayRat\" target=\"_blank\" rel=\"noopener\">full list<\/a> of indicators of compromise (IOCs) to help security teams detect and defend against ongoing ClayRat activity.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A fast-evolving Android spyware campaign known as \u201cClayRat,\u201d initially targeting Russian users but now spreading far beyond, has produced more than 600 samples and 50 droppers in just three months. According to Zimperium\u2019s Zlabs observations, ClayRat is distributed via phishing sites and Telegram channels posing as popular apps such as TikTok, YouTube, and Google Photos, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5290","post","type-post","status-publish","format-standard","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5290"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5290"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5290\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5290"}],"wp:term":[{"taxonomy":"category","embeddable":t
rue,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}