Android users beware: 'ClayRat' spyware poses as WhatsApp and TikTok to steal data and spread
- Marijan Hassan - Tech Journalist
- Oct 14
Mobile security researchers have issued an urgent warning about a rapidly evolving Android spyware campaign that is actively impersonating popular apps like WhatsApp, TikTok, YouTube, and Google Photos to trick users into downloading malicious software.

The campaign, dubbed ClayRat, is particularly dangerous due to its sophisticated social engineering tactics and its ability to aggressively self-propagate by turning infected devices into distribution hubs.
A wolf in app clothing
According to a report from Zimperium zLabs, ClayRat is primarily targeting Android users in Russia. The malware is distributed through two main vectors: dedicated Telegram channels and phishing websites that closely mimic the appearance of legitimate service pages.
Once installed, ClayRat immediately seeks to abuse a crucial Android privilege: the default SMS handler role.
Once it holds this role, the spyware can bypass the standard individual app permission prompts, which gives it broad and silent access to the device's messaging functions and sensitive data.
Extensive surveillance and rapid spread
ClayRat operates as an advanced Remote Access Trojan (RAT) with extensive spying capabilities. Once active, it can secretly:
- Exfiltrate SMS messages and call logs: Read and steal all incoming and stored text messages, as well as call history.
- Capture notifications: Monitor and upload all device notifications to its command-and-control (C2) server.
- Take photos: Secretly snap photos using the device's front-facing camera.
- Obtain device information: Steal data such as device identifiers and a list of all installed applications.
Perhaps the most alarming feature of ClayRat is its ability to weaponize the victim's contact list. After gaining SMS access, the malware automatically composes and sends a socially engineered message to every contact in the user's phonebook.
Because the message appears to come from a trusted friend or family member, recipients are far more likely to click the attached link and install the spyware themselves, leading to exponential, automated growth of the campaign.
Researchers note that the threat actors behind the attack are highly active, with over 600 distinct ClayRat samples and 50 different "droppers" observed in the last three months alone, each incorporating new obfuscation techniques to evade detection.
Protection and prevention
Security experts urge all Android users to be extremely cautious and follow these best practices to protect their devices:
- Only download from trusted sources: Never install apps from unknown sources, such as links in unsolicited text messages, Telegram channels, or random websites. Only download applications from the official Google Play Store.
- Verify app permissions: Be skeptical of any app, especially a new one, that requests to be set as the "default SMS handler" or demands excessive permissions upon installation.
- Use Google Play Protect: Ensure Google Play Protect is enabled on your device, as it automatically safeguards users against known versions of the malware.
- Practice vigilance: Be highly suspicious of any messages, even from known contacts, that contain an unexpected link and urge you to click it. Verify with the sender through a different communication channel before interacting with the link.
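For analysts triaging a sideloaded APK, the "default SMS handler" warning above can be turned into a static check, because Android only offers that role to an app whose manifest declares four specific components. The Python below is an added example, not code from the article or from the Zimperium report; it assumes a manifest already decoded to plain XML with a literal `android:label`, and the function names, brand list and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Intent actions (with declaring component type) Android requires for SMS-role eligibility.
REQUIRED = {
    "android.provider.Telephony.SMS_DELIVER": "receiver",
    "android.provider.Telephony.WAP_PUSH_DELIVER": "receiver",
    "android.intent.action.SENDTO": "activity",
    "android.intent.action.RESPOND_VIA_MESSAGE": "service",
}
SMS_SCHEMES = {"sms", "smsto", "mms", "mmsto"}
LURE_BRANDS = ("whatsapp", "tiktok", "youtube", "google photos")  # brands named in the article

def sms_role_actions(app):
    """Return the default-SMS-handler actions declared under <application>."""
    found = set()
    for action, tag in REQUIRED.items():
        for flt in app.iterfind(f"{tag}/intent-filter"):
            actions = {a.get(A + "name") for a in flt.iterfind("action")}
            schemes = {d.get(A + "scheme") for d in flt.iterfind("data")}
            # SENDTO also serves mailto:, so insist on an SMS/MMS scheme.
            if action in actions and (tag != "activity" or schemes & SMS_SCHEMES):
                found.add(action)
    return found

def audit(manifest_xml):
    """Flag a manifest that is SMS-role eligible yet labelled as a non-SMS brand."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:  # no <application> element: nothing to judge
        return {"label": "", "sms_role_eligible": False, "suspicious": False}
    label = app.get(A + "label", "")  # assumed literal, not an @string/ reference
    eligible = sms_role_actions(app) == set(REQUIRED)
    lure = any(b in label.lower() for b in LURE_BRANDS)
    return {"label": label, "sms_role_eligible": eligible, "suspicious": eligible and lure}

def build_manifest(label, with_sms):
    """Constructed sample input; not taken from any real ClayRat sample."""
    body = "".join(
        f'<{tag} android:name=".C"><intent-filter><action android:name="{act}"/>'
        + ('<data android:scheme="sms"/>' if tag == "activity" else "")
        + f'</intent-filter></{tag}>'
        for act, tag in REQUIRED.items()) if with_sms else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed"><application android:label="{label}">'
            f'{body}</application></manifest>')

if __name__ == "__main__":
    for label, sms in (("TikTok", True), ("Messages", True), ("YouTube", False)):
        print(audit(build_manifest(label, sms)))
```

A manifest decoded by common tooling usually carries `@string/...` as its label, so resolve the label from the app's string resources before matching against the brand list.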













