
ClayRat is new Android spyware disguised as popular apps like WhatsApp and TikTok. It steals data and spreads through infected devices.
Researchers uncovered ClayRat, a sophisticated Android spyware campaign that tricks victims by posing as well-known apps (WhatsApp, Google Photos, TikTok, YouTube, etc.). Once installed, ClayRat quietly exfiltrates sensitive data — SMS messages, call logs, device notifications, and even front-camera photos — sending it back to remote attackers. It then uses the victim’s own contact list to further spread the infection, automatically sending malicious links to every saved contact. This malware has evolved rapidly: analysts have cataloged over 600 unique ClayRat samples (and around 50 different installer “dropper” variants) in just three months, each new version adding layers of obfuscation to evade detection.
How ClayRat Spreads: Social Engineering & Phishing
ClayRat’s operators rely on social engineering to reach victims. They set up convincing fake websites and Telegram channels that mimic trusted services. For example, a research report found a bogus landing page impersonating a legitimate service (“GdeDPS”) designed to lure users into downloading the spyware. Victims are prompted to join a Telegram channel where the ClayRat APK is hosted, often accompanied by step-by-step instructions to bypass Android’s security warnings. The attackers even seed these channels with fake user comments and inflated download counts to give the page a sense of legitimacy. These polished phishing pages and social cues help the malware spread: once a link is clicked, users are guided through a seemingly normal install process (often a “Google Play update” screen) while the spyware quietly installs on their device.
Security analysts note that ClayRat’s campaign is highly coordinated and Telegram-centric. The attackers maintain multiple Telegram channels (for example, a channel named “@baikalmoscow” was observed distributing ClayRat samples) and use these platforms to disseminate malware links. By leveraging these instant-messaging networks and polished phishing sites, the campaign can reach users who are outside the protections of official app stores. In short, any Android user who downloads apps from unverified sources or clicks on suspicious links could be at risk of infection.
Key ClayRat Tactics
Security researchers summarize ClayRat’s approach with four main tactics:
- App Impersonation: Creating polished phishing pages that mimic popular apps and services.
- Social Distribution: Sharing the malware through Telegram channels, complete with staged comments and download counts to build trust.
- Deceptive Installation: Using fake “update” or “install” interfaces (session-based installers) to bypass Android’s security prompts.
- Self-Propagation: Automatically sending the malicious link to every contact on an infected device, turning each victim into a new distribution point.
These combined tactics explain the campaign’s rapid growth and its effectiveness at targeting non-technical users.
Spyware Capabilities: Data Theft and Self-Propagation
Once ClayRat is installed and given the necessary permissions, it acts as a comprehensive surveillance tool. The malware can read and forward SMS messages, intercept call logs and notifications, and gather detailed device information. It even has the ability to snap photos using the phone’s front-facing camera without alerting the user. In some cases ClayRat can send SMS messages or place phone calls directly from the victim’s device as well. All of this stolen data is sent to the attackers’ command-and-control servers for analysis.
ClayRat’s self-propagation is especially dangerous. As soon as the malware is running, it automatically composes and sends a tailored message (often in the local language) to every contact in the phonebook. Because these messages appear to come from a trusted acquaintance, recipients are far more likely to click on the link. In this way, every infected device becomes a springboard for new infections. This social-spread mechanism can lead to an exponential infection pattern, helping ClayRat reach a large number of victims very quickly.
Technical Evasion and Persistence
ClayRat is built to stay hidden. Many variants act as “droppers”: the visible app is just a lightweight installer that displays a fake Google Play or system update screen, while the real, encrypted malware payload is concealed inside the app’s assets. This session-based installation flow tricks users into thinking they are performing a normal update. Once granted permissions, the actual spyware is unpacked and activated without any obvious warning signs.
The malware also abuses Android’s default SMS handler role to avoid triggering multiple prompts. By convincing victims to set ClayRat as their default SMS app, it automatically gains broad messaging privileges. This lets the spyware read all incoming and stored texts, intercept messages, and send new SMS silently, all under the guise of normal functionality. In practice, this means ClayRat can operate almost entirely in the background: it can read and forward text messages or notifications without showing additional permission dialogs.
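The capabilities listed above (SMS takeover, contact harvesting, camera access, notification capture, an in-app installer) leave a recognisable footprint in an APK’s manifest. The following static triage helper is an added example written for this article, not code from the ClayRat report or its researchers: it reads a decoded AndroidManifest.xml (as produced by apktool) and reports which of those indicators are present, including whether the app declares the components needed to hold the default SMS handler role. The two sample manifests, the package names in them, and the verdict thresholds are constructed for illustration; a legitimate SMS app will also score on the messaging items, so the verdict keys on messaging takeover combined with unrelated capabilities.

```python
"""Static triage of a decoded AndroidManifest.xml for the behaviour cluster
described above. Hypothetical helper written for this article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Namespace-qualify an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permission -> behaviour it enables; mirrors the capabilities in the text.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (self-propagation)",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_CONTACTS": "enumerate contacts",
    "android.permission.CAMERA": "capture camera images",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper)",
}

# Intent actions a package must handle to be eligible for the default SMS role.
SMS_ROLE_ACTIONS = {
    "receiver": {"android.provider.Telephony.SMS_DELIVER",
                 "android.provider.Telephony.WAP_PUSH_DELIVER"},
    "activity": {"android.intent.action.SENDTO"},
    "service": {"android.intent.action.RESPOND_VIA_MESSAGE"},
}
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def _declared_actions(app, tag: str) -> set:
    """Collect intent-filter action names declared by components of one tag."""
    actions = set()
    if app is None:
        return actions
    for comp in app.iter(tag):
        for action in comp.iter("action"):
            actions.add(action.get(_a("name")))
    return actions


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, matched indicators and a low/medium/high verdict."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}
    findings = [desc for perm, desc in SURVEILLANCE_PERMS.items() if perm in perms]

    sms_role = all(actions <= _declared_actions(app, tag)
                   for tag, actions in SMS_ROLE_ACTIONS.items())
    notif_listener = any(s.get(_a("permission")) == NOTIF_LISTENER_PERM
                         for s in (app.iter("service") if app is not None else []))
    if sms_role:
        findings.append("eligible for default SMS handler role")
    if notif_listener:
        findings.append("binds a notification listener")

    # Thresholds are this example's assumption (see lead-in).
    spying = {"capture camera images", "enumerate contacts", "install further APKs (dropper)"}
    if sms_role and spying & set(findings):
        verdict = "high"
    elif len(findings) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample: a "Play update" dropper shaped like the behaviour described.
SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Google Play Update">
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".Compose">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
    <service android:name=".Respond" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="{NOTIF_LISTENER_PERM}"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary camera app.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Camera"><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Run it against the `AndroidManifest.xml` that apktool writes for a sample; a "high" verdict on an app that presents itself as a Play update or a clone of a well-known app is the combination the report describes and is worth a closer look, while a "medium" on a genuine messaging app is expected.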
To further evade analysis, ClayRat’s network traffic is obfuscated (for example, by encoding data with marker strings) and some variants even use strong encryption (AES-GCM) when contacting their C2 servers. In combination, these tactics make ClayRat very difficult for casual users or simple security tools to detect. The rapid pace of change (hundreds of new samples in months) also means signature-based defenses often lag behind.
Defense and Prevention
Protecting against ClayRat largely means maintaining vigilance and using Android’s built-in safeguards. Google has stated that Play Protect (the built-in Android anti-malware service) will automatically block known ClayRat variants on devices with Google Play Services. However, given how quickly new samples appear, it’s important for users to be cautious. Recommendations include:
- Install apps only from official sources. Avoid downloading APKs from third-party sites or Telegram links unless you completely trust the source.
- Scrutinize app requests. If an app suddenly asks to become your default SMS handler or requires unnecessary permissions, be wary. Legitimate apps rarely need unusual privileges without clear reasons.
- Keep software up to date. Install Android security updates as soon as they’re available. Newer Android versions include stronger defenses against sideloaded apps.
- Use security software. Reputable mobile security apps can detect suspicious behavior and warn you of phishing sites or malicious downloads.
Ultimately, user caution is the final line of defense. Any unexpected prompt to install a “premium” or “updated” version of an app — especially outside of the official Play Store — should be treated as suspect.