ClayRat: A Rapidly Evolving Android Spyware Campaign Exploiting Popular App Impersonations

Cybersecurity researchers have uncovered a sophisticated Android spyware campaign known as ClayRat, which has been actively targeting users in Russia through phishing websites and Telegram channels. By disguising itself as popular apps such as WhatsApp, Google Photos, TikTok, and YouTube, the malware tricks users into downloading trojanized APK files that secretly install spyware.
The campaign represents a growing trend in mobile malware distribution, where attackers use social engineering and app impersonation to bypass security controls and spread rapidly.
Infection Tactics and Distribution
According to Zimperium researcher Vishnu Pratapagiri, ClayRat uses an array of phishing sites and Telegram-based delivery mechanisms to distribute malicious applications. Once installed, the spyware can:
Exfiltrate SMS messages, call logs, notifications, and device data.
Take photos using the front camera.
Send SMS messages or place calls directly from the infected device.
More concerningly, ClayRat propagates itself by sending malicious links to every contact in the victim’s address book — turning infected phones into automated distribution nodes that expand the campaign’s reach without manual attacker intervention.
Zimperium identified over 600 malware samples and 50 droppers in the past 90 days, with each version using advanced code obfuscation techniques to avoid detection.
Technical Breakdown of the Attack Chain
The infection chain typically begins when a user visits a lookalike phishing site, which redirects them to a Telegram channel operated by the attackers. From there, they are prompted to download fake APKs, sometimes labeled with enticing names like “YouTube Plus” or “Google Photos Premium.”
These trojanized apps bypass Android’s sideloading protections—especially those introduced in Android 13—by presenting users with a fake Play Store update screen that hides an encrypted payload.
Once active, ClayRat:
Communicates with its command-and-control (C2) servers over HTTP.
Requests permission to become the default SMS app, granting it full access to communications.
Captures and transmits sensitive data such as messages, photos, call logs, and installed apps.
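As an added defender-side illustration (not code from Zimperium or this article), the following Python triage script scores a decoded AndroidManifest.xml for the combination of traits described above: a brand-name label on a non-genuine package, a declared default-SMS-app receiver, and the permission sets needed for SMS-based propagation to contacts, message and call-log exfiltration, and camera capture. The sample manifest and its package name are constructed for the example; the genuine package names are public values.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest attribute namespace
# Brand keyword -> genuine package name (public, well-known values).
KNOWN_PACKAGES = {"whatsapp": "com.whatsapp", "tiktok": "com.zhiliaoapp.musically",
                  "youtube": "com.google.android.youtube", "google photos": "com.google.android.apps.photos"}
# Permission combinations matching the behaviours the article attributes to ClayRat.
RISKY_SETS = {
    "sms_propagation_to_contacts": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
    "sms_and_call_log_exfiltration": {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG"},
    "camera_capture": {"android.permission.CAMERA"},
}
# Constructed sample manifest with a hypothetical package name; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos.premium">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Google Photos Premium">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def analyze_manifest(manifest_xml: str) -> dict:
    """Return package, label and a list of triage findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = []
    # Impersonation: the label borrows a known brand but the package is not the genuine one.
    for brand, genuine in KNOWN_PACKAGES.items():
        if brand in label and pkg != genuine:
            findings.append(f"impersonation: label '{label}' in package '{pkg}' (genuine: {genuine})")
    # Default-SMS-app candidacy: an SMS_DELIVER receiver guarded by BROADCAST_SMS.
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        if ("android.provider.Telephony.SMS_DELIVER" in actions
                and rcv.get(A + "permission") == "android.permission.BROADCAST_SMS"):
            findings.append("default_sms_app_role: SMS_DELIVER receiver declared")
            break
    for name, needed in RISKY_SETS.items():
        if needed <= perms:
            findings.append(f"{name}: {sorted(needed)}")
    return {"package": pkg, "label": label, "findings": findings}
```

Run it against the manifest decoded from any sideloaded APK (for example, the apktool output); a high number of findings on an app whose label borrows a well-known brand is a strong signal to quarantine it rather than install it.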
Broader Security Implications
ClayRat’s design demonstrates a dual threat: covert surveillance and self-propagation. The malware not only spies on users but also leverages them to infect others, creating a chain-reaction effect across mobile ecosystems.
Google has responded, stating that Google Play Protect—enabled by default on most Android devices—detects and blocks known versions of ClayRat. However, users who sideload apps from outside the Play Store remain vulnerable.
Related Research: Broader Mobile Privacy Concerns
The discovery coincides with a separate academic study from the University of Luxembourg and Université Cheikh Anta Diop, which revealed that many budget Android smartphones in Africa come preloaded with apps that leak sensitive data.
Researchers found that 9% of analyzed apps disclosed personal information, and 16% exposed critical components without sufficient safeguards—highlighting the persistent privacy risks in the Android ecosystem.
Conclusion
The ClayRat campaign illustrates how mobile attackers continue to evolve, using social engineering, obfuscation, and automation to outpace traditional defenses. Android users should avoid downloading apps from unofficial sources, enable Google Play Protect, and monitor device permissions to mitigate risks from emerging threats like ClayRat.