ClayRat, the spyware that masquerades as WhatsApp and TikTok to steal data on Android.

  • ClayRat impersonates apps such as WhatsApp and TikTok to infect Android phones through APKs.
  • It is distributed through fake sites that mimic the Play Store and Telegram channels.
  • It uses session-based installation to bypass Android 13+ defenses and sets itself as the default SMS app.
  • It steals SMS messages, calls, and photos, and spreads to contacts; here are the keys to avoiding infection.

ClayRat Spyware on Android

Researchers at mobile security firm Zimperium have observed a growing campaign, with more than 600 samples detected and 50 droppers involved, distributed through Telegram channels and fraudulent pages that imitate legitimate portals. Its reach and intensive use of social engineering make it an especially active threat in the Android ecosystem, similar to cases like Pegasus.

This is how it is distributed: spoofing apps and fake websites

Malware that impersonates apps on Android

Campaign operators set up portals that imitate the Google Play Store and the official pages of apps like WhatsApp, TikTok, YouTube, and Google Photos. These sites display fake reviews, inflated download counters, and automated comments to generate trust.

From these pages, victims are invited to download malicious APKs presented as upgrades or premium versions. In many cases, the actual download is hosted on Telegram channels controlled by the attackers, where instructions are provided to complete the installation.

To increase the success rate, scammers instruct users to enable installation from unknown sources and follow steps that mimic those of a legitimate app. This script reduces suspicion and helps the infection go undetected.

The activity has been notably observed in Russian territory, although there's no guarantee that the scope of action will remain limited over time. The combination of visual impersonation and instant messaging facilitates its expansion into other markets.

An installation process that bypasses Android 13 and later

One of the most striking technical features is the use of a session-based installation mechanism, which replicates the installation flow of real apps to minimize alerts. This circumvents some of the restrictions introduced in Android 13 and higher.

Several samples function as droppers: they show a fake Play Store update screen while, in the background, they download and execute the encrypted malicious payload. The experience appears legitimate, but the result is spyware entering the system.

After the installation is complete, ClayRat hides itself among other processes and establishes communication with its command and control (C2) server using AES-GCM encryption and sending data in chunks. This tactic makes it difficult to detect with conventional security solutions.

What ClayRat can do to your compromised phone

The malware requests broad permissions and, when it obtains them, attempts to set itself as the default SMS app. With this, it can read, intercept, modify, and send messages, as well as interfere with notifications that reach messaging apps.

Its capabilities include capturing photos with the front camera without user intervention, access to call logs, listing installed apps, collecting data from the device and its network, and even making calls and sending SMS.

  • List of installed applications (get_apps_list).
  • Call history (get_calls).
  • Capturing images with the front camera (get_camera).
  • Mass reading and sending of SMS (get_sms_list / messms).
  • Make calls and send messages from the terminal (send_sms / make_call).
  • Device and network data collection (get_device_info).
  • Encapsulating HTTP/HTTPS traffic in WebSocket tunnels to hide connections (get_proxy_data).

In addition, ClayRat uses the victim as a propagation vehicle: it automatically sends download links to all contacts, multiplying infections with minimal intervention by the attackers.

Mitigation and response measures

The first barrier is common sense: download and install apps only from the Google Play Store, avoid modified or supposedly premium versions, and be wary of any update offered outside the official store.

On a daily basis, review the permissions granted and check which app is set as the default SMS client. If you notice anything suspicious, revoke permissions, uninstall the app, and scan your device with Play Protect or another reputable security solution.

In corporate environments, it is advisable to apply MDM/EMM policies to block sideloading, enforce device integrity and monitor app behavior, as well as train staff in impersonation detection.
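The two checks the article recommends, which app holds the default SMS role and which apps were not installed by the Play Store, can be scripted over adb. This is an added example, not code from the article or from Zimperium; the package list it parses is constructed sample output of `pm list packages -i`, and the expected SMS app and trusted installer list are assumptions.

```shell
#!/bin/sh
# Added example: triage an Android device for sideloaded apps and a hijacked
# default SMS role. Uses 'pm list packages -i' and the 'sms_default_application'
# secure setting when adb and a device are present; otherwise it runs on the
# constructed sample below so it can be exercised offline.

# Assumption: only apps installed via the Play Store (com.android.vending) count as trusted.
TRUSTED_INSTALLERS="com.android.vending"

# flag_sideloaded: read 'pm list packages -i' lines on stdin and print every
# package whose installer is not in TRUSTED_INSTALLERS (includes installer=null).
flag_sideloaded() {
  while IFS= read -r line; do
    pkg=${line#package:}
    pkg=${pkg%%  installer=*}      # strip the "  installer=..." suffix
    inst=${line##*installer=}
    case " $TRUSTED_INSTALLERS " in
      *" $inst "*) ;;              # Play-installed, skip
      *) printf '%s\n' "$pkg" ;;   # sideloaded or unknown installer
    esac
  done
}

# sms_role_hijacked: succeed (exit 0) when the current default SMS app ($1)
# differs from the package you expect to hold that role ($2).
sms_role_hijacked() {
  [ "$1" != "$2" ]
}

# Constructed sample output; the last two entries mimic impersonation packages.
SAMPLE_PKGS='package:com.whatsapp  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp.premium  installer=null
package:com.tiktok.update  installer=com.android.packageinstaller'
EXPECTED_SMS_APP='com.google.android.apps.messaging'   # assumption: Google Messages

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  PKGS=$(adb shell pm list packages -i)
  SMS_APP=$(adb shell settings get secure sms_default_application)
else
  PKGS=$SAMPLE_PKGS
  SMS_APP='com.whatsapp.premium'   # constructed: impostor holding the SMS role
fi

echo "Packages not installed by the Play Store:"
printf '%s\n' "$PKGS" | flag_sideloaded
if sms_role_hijacked "$SMS_APP" "$EXPECTED_SMS_APP"; then
  echo "WARNING: default SMS app is $SMS_APP (expected $EXPECTED_SMS_APP)"
fi
```

Any package the script flags should be reviewed and, if unrecognised, uninstalled and the device scanned as the article describes.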

Research status and scope

Zimperium has cataloged this family by the name of its C2 server and confirms sustained activity with multiple variants, reminiscent of threats such as KOSPY. Specialized media have warned of its evolution and of the intensive use of visual impersonation and Telegram channels as an entry vector.

The picture drawn by ClayRat is clear: spyware posing as WhatsApp and TikTok that exploits installation outside the store, reduces the warning signs, steals data with great stealth, and spreads among contacts. Keeping downloads to official channels, monitoring permissions, and not granting critical privileges to unknown apps remains the most effective strategy for staying safe.
