A new Android spyware strain known as ClayRat is spreading through fake applications impersonating WhatsApp, TikTok, YouTube, Google Photos and other popular services. Distributed via Telegram channels and phishing sites, the malware hides within malicious APK files disguised as legitimate updates or add-ons. According to security researchers, ClayRat can harvest call records, SMS logs, notifications, photos, and even send messages on behalf of victims to their contacts.
“In many ways, mobile devices have taken us back a decade … ClayRat weaponizes trust, sending texts from the victim to others as part of its propagation.”
Fake App Installers and Telegram Channels Used to Distribute ClayRat Payloads
The operators behind ClayRat rely heavily on deceptive domains designed to imitate official Google or Meta properties. Victims are often redirected from phishing websites to Telegram channels that promote counterfeit app versions, complete with fabricated user reviews and inflated download numbers to appear credible.
Some of these APKs act as droppers—displaying a fake Play Store–style interface while decrypting and installing hidden payloads in the background. This staged delivery helps the malware bypass Android’s newer security restrictions.
Once installed, ClayRat requests to become the device’s default SMS application. Granting this permission allows it to intercept messages, read SMS history, send or delete texts, and suppress notifications from legitimate apps—all without further user prompts.
Command Capabilities Allow Deep Device Surveillance and Data Exfiltration
ClayRat communicates with its command-and-control (C2) infrastructure using both encrypted and unencrypted HTTP channels, depending on the variant. Its command set includes collecting device metadata, retrieving contact lists, logging phone calls, taking photos using the front camera, and monitoring notifications in real time.
The malware’s most alarming feature is its self-propagation technique. After infection, it automatically sends SMS messages containing malicious download links to every contact in the user’s address book. The messages are written in multiple languages, including Russian phrases such as “Узнай первым!” meaning “Be the first to know!”, making the campaign regionally adaptable and socially convincing.
Researchers have identified over 600 unique ClayRat samples and 50 droppers since the campaign’s emergence, each iteration adding new obfuscation or encryption layers to avoid detection. Analysts warn that the campaign continues to evolve quickly, indicating active development and persistent operator engagement.
Abuse of SMS Permissions Enables Large-Scale Surveillance and Manipulation
While ClayRat does not initially require privileged system access, its abuse of the Android default SMS handler role gives it near-complete control over text communications. The spyware can intercept verification codes, modify conversations, or silently delete incoming messages to conceal its tracks.
By combining SMS interception with access to photos, call metadata, and stored contacts, ClayRat enables highly targeted social engineering, identity theft, and blackmail operations. Its convincing mimicry of well-known applications significantly increases user trust and installation rates.
Security specialists recommend that Android users refrain from downloading applications outside official marketplaces and avoid granting SMS permissions to unfamiliar apps. Organizations managing Android fleets should deploy mobile threat defense solutions and enforce installation restrictions through enterprise policies.
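To make the fleet-side recommendation concrete, the following audit is an added example (not code from the article or from the researchers it cites). It flags managed devices whose default SMS handler is not an approved messaging app, and reports whether that handler came from a trusted store. It assumes two strings have already been collected per device with `adb -s <serial> shell settings get secure sms_default_application` and `adb -s <serial> shell pm list packages -i` (the `sms_default_application` secure setting and the `installer=` column are real Android outputs); the allowlists, serials and package names in the sample inventory are constructed:

```python
"""Audit managed Android devices for a sideloaded or unapproved default SMS app.

Added example, not from the article. Assumes two raw strings per device,
collected beforehand with:
    adb -s <serial> shell settings get secure sms_default_application
    adb -s <serial> shell pm list packages -i
Allowlists, serials and package names are constructed for the example.
"""
import re

# Packages allowed to hold the default SMS role (constructed allowlist).
APPROVED_SMS_APPS = {
    "com.google.android.apps.messaging",
    "com.samsung.android.messaging",
}
# Installer packages treated as a trusted store (assumption: Play Store only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# `pm list packages -i` prints one line per package, e.g.
#   package:com.example.app  installer=com.android.vending
# and `installer=null` for sideloaded or preloaded packages.
_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package (None when Android reports null)."""
    installers = {}
    for line in pm_output.splitlines():
        match = _PKG_LINE.match(line.strip())
        if match:
            pkg, installer = match.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def audit_device(serial, default_sms_output, pm_output):
    """Return a list of findings for one device; an empty list means nothing to flag."""
    findings = []
    default_sms = default_sms_output.strip()
    if default_sms in ("", "null"):
        return findings  # no SMS role holder configured
    if default_sms in APPROVED_SMS_APPS:
        return findings  # an approved messaging app holds the role
    findings.append(f"{serial}: unapproved default SMS handler {default_sms}")
    installers = parse_installers(pm_output)
    if default_sms not in installers:
        findings.append(f"{serial}: {default_sms} is absent from the package inventory")
    elif installers[default_sms] not in TRUSTED_INSTALLERS:
        findings.append(
            f"{serial}: {default_sms} was not installed from a trusted store "
            f"(installer={installers[default_sms] or 'null'})"
        )
    return findings


# Constructed sample output for two devices; nothing here is real device data.
SAMPLE_DEVICES = {
    "emulator-5554": (
        "com.google.android.apps.messaging\n",
        "package:com.google.android.apps.messaging  installer=null\n"
        "package:com.android.vending  installer=null\n",
    ),
    "emulator-5556": (
        "com.example.fakeupdate\n",  # constructed placeholder package name
        "package:com.google.android.apps.messaging  installer=null\n"
        "package:com.example.fakeupdate  installer=null\n",
    ),
}


def audit_fleet(devices=SAMPLE_DEVICES):
    """Run the audit over every device and return all findings in order."""
    findings = []
    for serial, (sms_out, pm_out) in devices.items():
        findings.extend(audit_device(serial, sms_out, pm_out))
    return findings


if __name__ == "__main__":
    for finding in audit_fleet():
        print(finding)
```

Preloaded system messaging apps also report `installer=null`, which is why the check starts from the approved-app allowlist and only treats the installer source as evidence once the role holder is already unexpected.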
Rapid Propagation and Variant Proliferation Pose Ongoing Risk to Android Ecosystem
The self-spreading design of ClayRat means that a single infected device can quickly compromise dozens of others within the same social circle. Analysts describe the campaign as one of the most aggressive examples of SMS-based malware propagation seen in recent months.
As the campaign continues to evolve, researchers stress that traditional signature-based defenses are insufficient. Behavioral analysis, anomaly detection, and real-time network monitoring remain the most effective means to identify and contain infections. Indicators of compromise have been shared with Android security teams to help strengthen Play Protect and related safeguards.
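The self-propagation described above (a burst of near-identical outbound texts carrying a link, sent to many contacts in a short span) is one behaviour a simple anomaly rule can catch. The detector below is an added example, not from the article or the researchers it cites; it assumes an SMS log exported in a constructed `timestamp,direction,number,text` form, and every number, timestamp and URL in the sample log is constructed:

```python
"""Flag bursts of outbound SMS carrying a link to many distinct recipients.

Added example, not from the article. Assumes an SMS log exported as
`timestamp,direction,number,text` lines (a constructed format); all
numbers, timestamps and URLs below are constructed sample data.
"""
import re
from collections import Counter
from datetime import datetime

URL_RE = re.compile(r"https?://\S+")


def parse_sms_log(lines):
    """Parse CSV-style log lines; `#` comments and blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, number, text = line.split(",", 3)  # text may contain commas
        events.append({"ts": datetime.fromisoformat(ts), "dir": direction,
                       "peer": number, "text": text})
    return events


def detect_sms_propagation(lines, window_seconds=600, min_recipients=5):
    """Return one alert per window in which outbound link-bearing texts reached
    at least `min_recipients` distinct numbers."""
    events = [e for e in parse_sms_log(lines)
              if e["dir"] == "out" and URL_RE.search(e["text"])]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    i = 0
    while i < len(events):
        # Extend the window from events[i] as far as window_seconds allows.
        j = i
        while (j < len(events)
               and (events[j]["ts"] - events[i]["ts"]).total_seconds() <= window_seconds):
            j += 1
        window = events[i:j]
        recipients = {e["peer"] for e in window}
        if len(recipients) >= min_recipients:
            # Normalise the link away so near-identical lures group together.
            template = Counter(URL_RE.sub("<url>", e["text"])
                               for e in window).most_common(1)[0][0]
            alerts.append({
                "start": window[0]["ts"].isoformat(),
                "end": window[-1]["ts"].isoformat(),
                "recipients": len(recipients),
                "template": template,
            })
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return alerts


# Constructed sample log: ordinary traffic, one benign shared link, then a burst.
SAMPLE_LOG = """\
# ts,direction,number,text  (constructed sample, not real device data)
2025-10-09T08:02:11,in,+15550000101,see you at 6?
2025-10-09T08:05:40,out,+15550000101,yes, 6 works
2025-10-09T09:30:02,out,+15550000102,here is the article https://example.org/post
2025-10-09T13:00:01,out,+15550000201,Узнай первым! https://example.net/get
2025-10-09T13:00:04,out,+15550000202,Узнай первым! https://example.net/get
2025-10-09T13:00:07,out,+15550000203,Узнай первым! https://example.net/get
2025-10-09T13:00:10,out,+15550000204,Узнай первым! https://example.net/get
2025-10-09T13:00:13,out,+15550000205,Узнай первым! https://example.net/get
2025-10-09T13:00:16,out,+15550000206,Узнай первым! https://example.net/get
2025-10-09T13:00:19,out,+15550000207,Узнай первым! https://example.net/get
2025-10-09T13:00:25,out,+15550000208,Узнай первым! https://example.net/get
"""

if __name__ == "__main__":
    for alert in detect_sms_propagation(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single benign link shared at 09:30 never reaches the recipient threshold, while the eight lure messages sent within 24 seconds produce one alert; tuning `window_seconds` and `min_recipients` against a fleet's normal outbound volume is what keeps the rule from firing on group invitations and similar legitimate bursts.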