A new Android spyware called ClayRat has been discovered targeting users by pretending to be popular apps such as WhatsApp, Google Photos, TikTok, and YouTube. Security researchers say that the malware is being spread through Telegram channels and malicious websites that look almost identical to legitimate ones.
According to mobile security company Zimperium, which uncovered the campaign, more than 600 samples of the spyware and 50 distinct droppers were found over the last three months. This shows that the attackers are actively expanding their operation to infect more users.
The campaign gets its name from the spyware’s command and control (C2) server, called ClayRat. Attackers use phishing websites and fake portals that closely mimic real app pages to trick users. These websites often redirect victims to Telegram channels where the infected APK files are hosted.
To make these sites look genuine, attackers have added fake comments, inflated download numbers, and even a Play Store-like interface. These fake pages guide users with step-by-step instructions on how to sideload APKs and ignore Android’s security warnings.
Some ClayRat versions act as droppers: they display a fake Play Store update screen while unpacking an encrypted payload hidden inside the app's own files and installing it. Because the payload is installed through a "session-based" install (the same mechanism app stores use) rather than opened as a plain APK file, the device does not treat it as a sideloaded app. That sidesteps the Restricted Settings protection that Android 13 and later apply to sideloaded apps, so the spyware can be installed and granted access with fewer warnings to the user.
Once installed, ClayRat takes over the device's SMS handling functions, allowing it to read, intercept, and modify messages. It uses that access to send SMS messages to the victim's contacts, so each infected phone becomes a distribution point for further infections. The malware can also:
- Steal SMS messages, call logs, and notifications
- Take pictures using the front camera
- Make phone calls and send mass SMS messages
- Collect device information
- Act as a proxy to communicate with its control server
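The two traits above, a payload installed by another user app rather than by a store and a default SMS handler that did not come from a store, can be checked on a device with adb. The script below is an added triage example, not code from Zimperium or from the malware. It parses the output of `pm list packages -i`, `pm list packages -s` and `cmd role get-role-holders android.app.role.SMS`; the device output embedded here is constructed sample data, and the package names `com.photos.update.installer` and `ru.tiktok.fake` are invented for illustration. The set of trusted installers is an assumption and should be extended with any OEM store in use.

```shell
#!/bin/sh
# Added triage check (not from the report): list apps whose recorded installer
# is not a trusted store, then flag any such app holding the default SMS role.
# The three SAMPLE_* values are CONSTRUCTED; on a real device replace them with:
#   adb shell pm list packages -i      (package + recorded installer)
#   adb shell pm list packages -s      (system/preloaded packages)
#   adb shell cmd role get-role-holders android.app.role.SMS

SAMPLE_PACKAGES='package:com.whatsapp  installer=com.android.vending
package:com.google.android.apps.messaging  installer=null
package:com.google.android.apps.photos  installer=com.android.vending
package:com.photos.update.installer  installer=null
package:ru.tiktok.fake  installer=com.photos.update.installer'

SAMPLE_SYSTEM='package:com.google.android.apps.messaging'

SAMPLE_SMS_ROLE='ru.tiktok.fake'

# Installers treated as trusted (assumption): the Play Store and the system
# package installer, which records user-confirmed file-based installs.
TRUSTED_INSTALLERS='com.android.vending com.google.android.packageinstaller'

is_trusted_installer() {
    for t in $TRUSTED_INSTALLERS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Print "package installer" for each package whose recorded installer is not
# trusted. installer=null means nothing was recorded, which covers both adb
# sideloads and preloaded apps, so packages in the system list ($2) are skipped.
# A package whose installer is another user app is the dropper pattern: the
# dropper installed the payload through its own PackageInstaller session.
untrusted_installs() {
    pkgs=$1
    system=${2:-}
    printf '%s\n' "$pkgs" | while IFS= read -r line; do
        pkg=${line#package:}
        pkg=${pkg%% *}
        inst=${line##*installer=}
        if printf '%s\n' "$system" | grep -qxF "package:$pkg"; then
            continue
        fi
        if ! is_trusted_installer "$inst"; then
            printf '%s %s\n' "$pkg" "$inst"
        fi
    done
}

# Cross-check against the SMS role holder(s): a default SMS handler that did
# not come from a trusted store is the combination ClayRat relies on.
untrusted_sms_handlers() {
    pkgs=$1
    roles=$2
    system=${3:-}
    untrusted_installs "$pkgs" "$system" | while read -r pkg inst; do
        if printf '%s\n' "$roles" | tr ';' '\n' | grep -qxF "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Usage on the constructed sample:
untrusted_installs "$SAMPLE_PACKAGES" "$SAMPLE_SYSTEM"
untrusted_sms_handlers "$SAMPLE_PACKAGES" "$SAMPLE_SMS_ROLE" "$SAMPLE_SYSTEM"
```

The recorded installer is a hint, not proof: it is whatever package initiated the install session, so treat a hit as a reason to pull the APK for analysis rather than as a verdict, and treat a clean result as inconclusive on a device where an OEM store or enterprise MDM installs apps.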
The communication between the spyware and its C2 servers is encrypted with AES-GCM, which hides the content of the traffic from network inspection. It does not hide the C2 endpoints themselves, so blocking known C2 domains and addresses still works.
Zimperium has shared all indicators of compromise (IoCs) with Google. As a result, Google Play Protect now detects and blocks known and new variants of the ClayRat spyware.