Full Report
A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia through a mix of Telegram channels and lookalike phishing websites that impersonate popular apps such as WhatsApp, Google Photos, TikTok, and YouTube as lures to get victims to install it. "Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front
Analysis Summary
# Tool/Technique: ClayRat Spyware
## Overview
ClayRat is a rapidly evolving Android spyware campaign targeting users, particularly in Russia, by impersonating popular applications like WhatsApp, Google Photos, TikTok, and YouTube via phishing websites and Telegram channels to trick users into installing malicious APK files.
## Technical Details
- Type: Malware family (Spyware)
- Platform: Android
- Capabilities: Exfiltrate SMS, call logs, notifications, device information; capture photos via the front camera; send SMS messages; place calls; self-propagation via contact lists.
- First Seen: Prior to October 09, 2025 (actively evolving over the last 90 days).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on stated capabilities.*
- **TA0003 - Persistence**
  - T1548.002 - Abuse Elevation Control Mechanism (By requesting default SMS application status)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (Standard HTTP communication)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Incorporates new layers of obfuscation)
- **TA0009 - Collection**
  - T1119 - Automated Collection (Automated data exfiltration)
  - T1056.001 - Input Capture: Keylogging (Implied by SMS and notification capture)
  - T1082 - System Information Discovery (Gets device information)
## Functionality
### Core Capabilities
- **Data Collection:** Exfiltrates SMS messages, call logs, and device notifications.
- **Communication Hijacking:** Can send SMS messages and place phone calls directly from the infected device.
- **Surveillance:** Can take photos using the device's front camera.
- **Discovery:** Retrieves and sends a list of all installed applications to the C2 server.
- **C2 Communication:** Uses standard HTTP for communication with its command-and-control infrastructure.
### Advanced Features
- **Evasion Techniques:** Successive iterations incorporate new layers of obfuscation to evade detection.
- **Bypassing Restrictions:** Some samples act as droppers, displaying a fake Play Store update screen while the encrypted payload is hidden within the application's assets to bypass security protections on Android 13+ devices (preventing sideloading).
- **Automated Propagation:** Capable of sending malicious links to every contact in the victim's address book to rapidly spread the malware.
- **Privilege Escalation Prerequisite:** Requests the user to set the malware as the default SMS application to gain access to sensitive messaging functions.
## Indicators of Compromise
- File Hashes: Not specified in the text.
- File Names: Malicious APK files distributed via fake app lures (WhatsApp, TikTok, etc.).
- Registry Keys: Not applicable (Mobile platform).
- Network Indicators: Standard HTTP utilized for C2 communication. The C2 panel name is referenced as "ClayRat."
- Behavioral Indicators: Attempts to gain default SMS application status; displays a fake Play Store update screen; contacts the entire address book with malicious links.
## Associated Threat Actors
- Threat actors operating the ClayRat campaign (No specific group name provided, only references to the C2 panel name).
## Detection Methods
- Signature-based detection: Google Play Protect safeguards against *known* versions of the malware.
- Behavioral detection: Monitoring for attempts to set the app as the default SMS handler or unauthorized access/exfiltration of SMS/call logs.
- YARA rules: Not specified in the text.
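A static triage check for the behavioral indicator above (an app positioning itself as the default SMS handler) together with the permission set the report describes, added here as an illustration and not taken from the report or from any ClayRat sample: it parses a decoded AndroidManifest.xml and flags the intent actions Android requires of a default SMS app, a notification-listener service, and SMS/call/contact/camera permissions. The manifest, package name and component names are constructed; legitimate messaging apps also match, so the score is a triage aid rather than a verdict.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Permissions matching the capabilities the report describes for ClayRat.
SPYWARE_PERMS = {"android.permission." + p for p in (
    "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "READ_CALL_LOG",
    "CALL_PHONE", "READ_CONTACTS", "CAMERA")}
# Intent actions an app must handle to be eligible as the default SMS app.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def triage_manifest(xml_text):
    """Return indicators found in a decoded AndroidManifest.xml plus a score."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(NS + "name") for e in root.iter("action")}
    svc_perms = {e.get(NS + "permission") for e in root.iter("service")}
    found = {
        "spyware_permissions": sorted(perms & SPYWARE_PERMS),
        "default_sms_eligible": SMS_ROLE_ACTIONS <= actions,
        "notification_listener": NOTIF_LISTENER in svc_perms,
    }
    # The SMS role and notification access weigh more than any single permission.
    found["score"] = (len(found["spyware_permissions"])
                      + 3 * found["default_sms_eligible"]
                      + 2 * found["notification_listener"])
    return found

# Constructed manifest for a hypothetical lookalike app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <receiver android:name=".SmsRx"><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".Compose"><intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
    <service android:name=".Reply"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <service android:name=".Spy" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest` over manifests extracted with a decoder such as apktool; a high score on a sideloaded app that is not the user's chosen messaging client is the signal to investigate.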
## Mitigation Strategies
- Ensure Google Play Protect is enabled (for devices with Google Play Services).
- Be cautious of downloading APKs from non-official sources, especially those promoted via social media channels (Telegram) or fake websites impersonating popular apps.
- Do not grant applications default permission status (like default SMS handler) unless necessary and verified.
- Security measures on Android 13+ help prevent sideloading, though sophisticated droppers can still bypass checks.
## Related Tools/Techniques
- Other Android Trojans that might utilize similar delivery or evasion tactics (e.g., DatZBro mentioned in the context of security bypasses).
- Techniques related to social engineering and phishing to deliver malware via fake updates or popular app facades.