NEWS Downloaded WhatsApp or TikTok? ClayRat is Already Sending Itself to All Your Contacts

ExcalibuR

Infected devices become unwilling accomplices in a malicious campaign.

The ClayRat spy campaign is rapidly evolving and increasingly targeting Android users. According to the company Zimperium, the malware is actively distributed among Russian users through fake websites and Telegram channels, disguising itself as popular applications like WhatsApp, TikTok, YouTube, and Google Photos. After installation, the malware gains access to a wide range of functions, including reading SMS and notifications, viewing the list of installed apps, taking photos with the front camera, and the ability to make calls and send messages.

The main feature of ClayRat is its aggressive self-propagation mechanism. The malware automatically sends malicious links to all of the victim's contacts, turning the infected device into an active distribution node. This allows the campaign's creators to rapidly scale the attack without human involvement. In the last 90 days, specialists have recorded at least 600 unique samples of the spyware and about 50 loaders. Each new version includes additional layers of obfuscation, allowing it to bypass security mechanisms.

The distribution starts with fake websites that redirect the victim to Telegram channels controlled by the attackers. There, users are prompted to download malicious APK files with supposedly high download ratings and positive reviews. The fake "YouTube Plus" with "premium features" deserves special attention; its installation is possible even on devices with Android 13 and higher—despite the platform's built-in restrictions.

Some versions of ClayRat masquerade as ordinary apps and serve only as installers. A fake Google Play update window is displayed on the screen, while the encrypted malicious code is hidden in the internal resources. This approach lowers the user's guard and increases the likelihood of a successful infection. After activation, the malware requests permission to be installed by default as the SMS application, giving it full access to messages and notifications.

ClayRat uses standard HTTP requests to communicate with its command-and-control infrastructure and can transmit detailed device information there. Its functions also include taking photos, sending the list of installed applications, and managing calls. The potential danger of the malware lies not only in its spying capabilities but also in its ability to turn an infected device into an automated distribution tool, making containment of the threat significantly more difficult.
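The behaviour described above (sideloaded APKs that request SMS, contacts, call and camera access) is something an analyst can triage quickly from an attached device. The following is an added illustrative example, not code from the article or from Zimperium: it parses text in the shape of `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>` output and flags packages that were not installed from a store and that request permissions a self-propagating SMS spyware would need. The sample outputs, package names and the trusted-installer list are constructed assumptions for the example.

```python
"""Triage helper for sideloaded Android packages with high-risk permissions.

Added illustrative example (not the article's or Zimperium's code). It parses
constructed, simplified text in the shape of:
  adb shell pm list packages -i          -> "package:<pkg>  installer=<pkg|null>"
  adb shell dumpsys package <pkg>        -> "requested permissions:" section
"""
import re

# Permissions the article's spyware would need: read/send SMS, enumerate
# contacts for self-propagation, place calls, use the camera.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.CAMERA",
}

# Installer package names treated as store installs (assumption: only Google
# Play here). "null" is what pm prints for an APK sideloaded from a browser
# download or adb; anything not in this set is treated as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample in the shape of `pm list packages -i` output.
SAMPLE_PACKAGE_LIST = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.youtubeplus  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.photos.update  installer=com.android.packageinstaller
"""

# Constructed, simplified `dumpsys package` excerpts keyed by package name.
SAMPLE_DUMPSYS = {
    "com.example.youtubeplus": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.SEND_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
""",
    "com.example.photos.update": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    runtime permissions:
      android.permission.CAMERA: granted=false
""",
}


def parse_package_list(text):
    """Map package name -> installer string from `pm list packages -i` lines."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_requested_permissions(dump):
    """Return the permissions listed under the 'requested permissions:' section."""
    perms = set()
    in_block = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block and stripped.endswith(":"):  # next section header
            in_block = False
        if in_block and stripped.startswith("android.permission."):
            perms.add(stripped)
    return perms


def is_sideloaded(installer):
    """True unless the installer is one of the trusted store packages."""
    return installer not in TRUSTED_INSTALLERS


def triage(package_list_text, dumpsys_by_pkg):
    """List sideloaded packages that request at least one high-risk permission."""
    findings = []
    for pkg, installer in parse_package_list(package_list_text).items():
        if not is_sideloaded(installer):
            continue
        requested = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        risky = sorted(requested & HIGH_RISK_PERMISSIONS)
        if risky:
            findings.append({"package": pkg, "installer": installer,
                             "risky_permissions": risky})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS):
        print(finding["package"], finding["installer"], finding["risky_permissions"])
```

On a real device the two inputs come from `adb shell pm list packages -i` and one `adb shell dumpsys package <pkg>` per sideloaded package; the script only narrows the list for a human to inspect, since a sideloaded package requesting SMS permissions is suspicious but not proof of compromise.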

According to Google, active versions of ClayRat are already being blocked on devices with Google Play services thanks to Play Protect. However, the attackers continue to adapt, and the threat remains relevant.

In parallel, researchers from the University of Luxembourg and Sheikh Anta Diop University have studied pre-installed applications on budget Android smartphones sold in Africa. Out of 1544 analyzed APK files, 145 leaked confidential data, 249 provided access to critical components without protection, and 226 executed commands with elevated privileges. This points to a systemic vulnerability in such devices and creates additional risks for users.