
ClayRat Android Spyware Poses as WhatsApp and TikTok to Target Users with Advanced Phishing Tactics

Cybersecurity experts have uncovered a new Android spyware campaign, dubbed ClayRat, that disguises itself as popular apps such as WhatsApp, TikTok, YouTube, and Google Photos. This malicious software has been spreading rapidly through Telegram channels and fake websites designed to imitate legitimate platforms. According to researchers at mobile security firm Zimperium, over 600 samples and 50 distinct droppers have been identified in the past three months, highlighting the scale and sophistication of this threat.

The ClayRat campaign takes advantage of users’ trust in familiar app brands. Attackers create phishing portals and lookalike domains that mimic official service pages. Victims are lured into downloading infected APK files from Telegram groups or fraudulent app stores. To enhance credibility, threat actors add fake reviews, inflated download numbers, and step-by-step installation guides resembling Google Play instructions. Once downloaded, the fake app displays a phony Play Store update screen, while secretly installing an encrypted spyware payload in the background.

Researchers reported that the dropper uses a "session-based installation method" (Android's PackageInstaller session API, the same path legitimate app stores use) so that the payload is not treated as a plainly sideloaded APK; this sidesteps the Restricted Settings protection Android 13 and later apply to sideloaded apps and reduces user suspicion during installation. Once on the device, the spyware conceals itself and establishes communication with its command-and-control (C2) servers; C2 traffic is encrypted with AES-GCM. The malware then performs a range of surveillance and control operations, from stealing SMS messages and call logs to taking pictures and sending messages without the user's knowledge.

ClayRat can also register itself as the default SMS handler on infected devices, which lets it read, intercept, and modify text messages before any other app sees them. With that role, the spyware can send bulk SMS messages to the victim's contacts, spreading the infection further. Zimperium researchers confirmed that the malware supports 12 commands, including collecting device information, taking front-camera photos, and sending bulk texts, with some traffic relayed through proxy connections.
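The two capabilities described above, a dropper that installs a second-stage package and a payload that qualifies as the default SMS handler, both leave a footprint in the decoded AndroidManifest.xml. The following triage script is an added example (not Zimperium's tooling or ClayRat code) that checks a decoded manifest for the four components Android requires of a default SMS app and for the permissions a dropper or SMS-stealing payload typically requests. The sample manifests are constructed for the example; the permission labels are illustrative risk notes, not a published scoring scheme.

```python
"""Triage a decoded AndroidManifest.xml (e.g. from apktool) for ClayRat-style
default-SMS-handler and dropper indicators. Example code, not from the article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Android only offers an app as a default SMS handler if it declares all four
# of these components (SMS_DELIVER receiver, WAP_PUSH_DELIVER receiver,
# SENDTO activity, RESPOND_VIA_MESSAGE service).
DEFAULT_SMS_REQUIREMENTS = {
    "receiver:android.provider.Telephony.SMS_DELIVER": "SMS_DELIVER receiver",
    "receiver:android.provider.Telephony.WAP_PUSH_DELIVER": "WAP_PUSH_DELIVER receiver",
    "activity:android.intent.action.SENDTO": "SENDTO activity",
    "service:android.intent.action.RESPOND_VIA_MESSAGE": "RESPOND_VIA_MESSAGE service",
}

# Permissions worth a second look in a package posing as a chat/video app.
# REQUEST_INSTALL_PACKAGES is what a dropper needs to drive PackageInstaller
# sessions for a second-stage APK; the rest match the surveillance commands
# described in the article. (Labels are the example's own risk notes.)
SUSPICIOUS_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (dropper)",
    "android.permission.READ_SMS": "reads SMS content",
    "android.permission.SEND_SMS": "can send SMS (self-propagation)",
    "android.permission.READ_CALL_LOG": "reads call logs",
    "android.permission.CAMERA": "can take photos",
}


def triage_manifest(xml_text: str) -> dict:
    """Return which default-SMS components and risky permissions a manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}

    declared = set()
    app = root.find("application")
    if app is not None:
        for comp in app:
            if comp.tag not in ("activity", "receiver", "service"):
                continue
            # Record every intent action each component handles.
            for action in comp.iter("action"):
                declared.add(f"{comp.tag}:{action.get(NAME_ATTR)}")

    missing = [label for key, label in DEFAULT_SMS_REQUIREMENTS.items() if key not in declared]
    flagged = sorted(p for p in perms if p in SUSPICIOUS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "default_sms_capable": not missing,
        "missing_for_default_sms": missing,
        "flagged_permissions": flagged,
        "notes": [SUSPICIOUS_PERMISSIONS[p] for p in flagged],
    }


# Constructed sample: a lookalike "messenger" that is both dropper and SMS handler.
SAMPLE_DROPPER_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="WhatsApp">
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".Compose">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
    <service android:name=".Reply" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
SAMPLE_BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".Main"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_DROPPER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Run against a manifest decoded with apktool; a package branded as a chat or video app that is default-SMS capable and also holds REQUEST_INSTALL_PACKAGES is the combination this campaign relies on. On a live handset running Android 10 or later, `adb shell cmd role get-role-holders android.app.role.SMS` shows which package currently holds the SMS role, which is a quick check that no unexpected app has taken it.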

The spyware's propagation strategy is particularly concerning. By using infected devices as springboards, ClayRat reaches new victims directly through SMS invitations to download the fake apps, so each infection can seed further infections without any additional effort by the operators. Some infected devices have also been used as proxies for remote access or to facilitate additional attacks.

As part of the App Defense Alliance, Zimperium has shared the full list of indicators of compromise (IoCs) with Google, ensuring that Play Protect now blocks known and emerging variants of ClayRat. Still, experts warn that the threat remains active and continues to evolve through new droppers and obfuscation techniques.

Conclusion:
The ClayRat campaign underscores the growing sophistication of Android malware ecosystems. Users should be cautious about installing APKs from outside the Play Store, even when the source looks trustworthy, and should treat any "Play Store update" prompt shown by a freshly installed app as a red flag. Keeping the system updated, leaving Play Protect enabled, using mobile security tools, and staying alert to phishing lures remain the best defense against threats like ClayRat.
