ClayRat Spyware Targets Android Users Using Fake WhatsApp, TikTok Apps

A sophisticated Android spyware campaign, known as ClayRat, has been actively targeting users in Russia by exploiting fake apps and deceptive websites. The threat actors are impersonating widely-used apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick victims into installing malware.

According to Zimperium researcher Vishnu Pratapagiri, once installed, ClayRat can collect SMS messages, call logs, notifications, and device information. It can also secretly take photos using the front camera and even make calls or send messages directly from the infected device.

Propagation and Aggressive Distribution

The spyware aggressively spreads itself by sending malicious links to every contact in the victim’s phone book. Researchers have identified over 600 malware samples and 50 droppers in the past 90 days, with each version increasingly obfuscated to bypass detection and evade security defenses. The name “ClayRat” refers to its command-and-control (C2) panel, which enables remote management of compromised devices.

Deceptive Websites and APK Droppers

The attack begins by redirecting users to fake websites or Telegram channels controlled by attackers. These platforms trick users into downloading APK files by displaying inflated download numbers and fake testimonials. Some sites, such as those claiming to provide “YouTube Plus” premium features, host APKs that bypass Android’s security restrictions on sideloading apps for devices running Android 13 and above.

Certain ClayRat variants function as droppers: the visible app is a lightweight installer that simulates a Play Store update, while the actual malware payload remains encrypted inside the app’s assets. Because the install appears to come from the Play Store, this session-based installation lowers the victim’s perceived risk and increases the chances that the spyware is installed successfully.

Capabilities and Threat Scope

After installation, ClayRat communicates with its C2 server over standard HTTP and requests to become the default SMS app. This allows it to secretly access messages, call logs, and notifications, and to propagate itself further. Additional capabilities include:

  • Taking photos using the device camera
  • Collecting detailed device information
  • Sending the list of installed apps to the attacker’s server
  • Making phone calls and sending SMS messages from the infected device

ClayRat is particularly dangerous due to its dual role: surveillance and automated distribution, turning infected devices into nodes that spread the malware without manual intervention.
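A defender-side triage check for the capability profile described above, written here as an added example (it is not Zimperium’s tooling and is not derived from any ClayRat sample): it parses a decoded AndroidManifest.xml, as produced by a tool such as apktool, and flags the combination of default-SMS-handler registration with SMS, call-log, camera, contacts and installer permissions that this article attributes to ClayRat. The permission-to-description table, the threshold of four flagged permissions and the sample manifest are all assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities the article attributes to ClayRat
# (SMS access, call logs, camera, contact harvesting, installing further APKs).
WATCHED_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.CAMERA": "camera access",
    "android.permission.READ_CONTACTS": "read contacts (propagation)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
}

# Intent actions an app must handle to be eligible as the default SMS app.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return flagged permissions, default-SMS-handler actions and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    flagged = sorted(WATCHED_PERMISSIONS[p] for p in perms if p in WATCHED_PERMISSIONS)
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    sms_handler = sorted(actions & DEFAULT_SMS_ACTIONS)
    # Heuristic (assumed threshold): an app that registers as an SMS handler and
    # also asks for several of the watched permissions matches the profile.
    suspicious = bool(sms_handler) and len(flagged) >= 4
    return {"flagged": flagged, "sms_handler": sms_handler, "suspicious": suspicious}


# Constructed sample manifest for illustration; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.fake.updater">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On a real investigation the same function can be run over every manifest decoded from a batch of dropper and payload APKs to rank which ones warrant manual review.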

Related Findings in African Smartphones

Recent research by the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed apps on budget Android devices in Africa often have elevated privileges. Among 1,544 APKs examined from seven smartphones:

  • 145 apps (9%) leaked sensitive data
  • 249 apps (16%) exposed critical components without protection
  • 226 apps executed privileged or dangerous commands
  • 79 apps interacted with SMS messages (read, send, or delete)
  • 33 apps silently installed additional apps

These findings highlight the broader risks of spyware and insecure pre-installed apps across Android ecosystems.