Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
ClayRat: The spyware that targets Android users with self-propagation

29 October 2025 07:15

The ClayRat spyware campaign is expanding rapidly and increasingly targeting Android users. According to Zimperium, the malware is actively spreading among Russian users through fake websites and Telegram channels, masquerading as popular apps such as WhatsApp, TikTok, YouTube, and Google Photos.

Once installed, the malware gains access to a wide range of functions, including reading SMS and notifications, viewing the list of installed apps, taking photos with the front-facing camera, making calls, and sending messages.

ClayRat’s key feature is its aggressive self-propagation mechanism. The malware automatically sends malicious links to all of the victim’s contacts, turning the infected device into an active distribution hub. This allows the campaign’s operators to scale their attacks rapidly without human intervention.

Over the past 90 days, specialists have identified at least 600 unique spyware samples and approximately 50 downloaders. Each new version includes additional levels of stealth, allowing it to bypass defense mechanisms.

Distribution begins via fake websites that redirect victims to Telegram channels controlled by the attackers. These channels offer malicious APK files with supposedly high download counts and positive reviews. Of particular note is the fake “YouTube Plus” app with “premium features,” which can be installed even on devices running Android 13 or later, despite the platform’s built-in restrictions on sideloaded apps.

Some versions of ClayRat masquerade as legitimate apps and act solely as installers. A fake Google Play update window appears on the screen, while the encrypted malicious code is hidden within the app’s internal resources. This approach lowers the user’s guard and increases the likelihood of a successful infection. Once activated, the malware requests permission to be set as the default SMS app, gaining full access to messages and notifications.

ClayRat uses standard HTTP requests to communicate with its control infrastructure and can transmit detailed information about the device. Its functions also include capturing photos, sending a list of installed applications, and managing calls. The danger of this malware lies not only in its espionage capabilities but also in its ability to turn an infected device into an automated distribution tool, which significantly complicates containment.

According to Google, active versions of ClayRat are already blocked on devices running Google Play Services thanks to Play Protect. However, the attackers continue to adapt, and the threat remains relevant.

Meanwhile, researchers from the University of Luxembourg and Cheikh Anta Diop University examined pre-installed apps on low-cost Android smartphones sold in Africa. Of the 1,544 APK files analyzed, 145 exposed sensitive data, 249 provided unprotected access to critical components, and 226 executed commands with elevated privileges. This points to systemic weaknesses on these devices and further risk for their users.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.