A fast-spreading Android spyware campaign named ClayRat is targeting Russian users through fake Telegram channels and phishing sites imitating popular apps like WhatsApp and YouTube.
Quick Summary – TLDR:
- ClayRat is Android spyware targeting Russian users via fake Telegram channels and phishing websites
- The malware impersonates apps like WhatsApp, TikTok, YouTube, and Google Photos
- Over 600 malware samples and 50 unique droppers were discovered in just three months
- ClayRat spreads by taking over the default SMS handler role and texting a lure link to every contact, turning infected phones into distribution hubs
What Happened?
Researchers at mobile security firm Zimperium uncovered a large-scale Android spyware campaign called ClayRat. The spyware uses a combination of Telegram channels, phishing websites, and fake APKs to trick users into sideloading malware disguised as popular apps. Once installed, it asks to become the device’s default SMS handler, which gives it read and write access to text messages; it uses that position to capture sensitive data and to text lure links to the victim’s contacts, making each infected device part of its distribution chain.
Zimperium announced the campaign on X on October 9, 2025:
THREAT ALERT 🚨 Our #zLabs team has been tracking ClayRat, a rapidly spreading Android spyware posing as popular apps. Zimperium MTD and zDefend deliver protection against ClayRat and its variants. Learn more: https://t.co/xcu5e5rJ58
— Zimperium (@Zimperium) October 9, 2025
ClayRat Malware Disguises as Popular Apps
The ClayRat spyware campaign is focused on deceiving users with convincing phishing sites and Telegram-hosted APK files that look like legitimate services such as WhatsApp, TikTok, Google Photos, and YouTube. These fake portals feature inflated download counts, fake user reviews, and even Play Store-like UX, complete with detailed sideloading instructions to bypass Android’s built-in warnings.
The malware samples have been evolving rapidly. Over 600 variants and 50 different droppers were found within just three months, each version adding new layers of obfuscation and encryption to avoid detection.
Abuses SMS Permissions for Stealth and Spread
Once installed, ClayRat asks the user to make it the device’s default SMS handler. Since Android 4.4 only the default SMS app may write to the SMS provider, so that role, together with the SMS and contacts permissions the app requests, lets it:
- Read, send, and intercept SMS messages
- Modify the SMS database (write to the SMS provider)
- Harvest the contact list
- Silently send messages to all contacts
By sending socially engineered SMS messages (such as “Узнай первым! <link>”, “Be the first to know! <link>”) to a victim’s entire contact list, each compromised device becomes a malware distribution node. Because every new victim repeats the step, the spread compounds, and attackers infect new users without building new infrastructure.
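The default SMS handler role is not something an app can simply grant itself: Android only offers it to a package whose manifest declares a fixed set of components (an SMS_DELIVER receiver, a WAP_PUSH_DELIVER receiver, a SENDTO activity for the sms/smsto/mms/mmsto schemes, and a RESPOND_VIA_MESSAGE service). That makes the manifest a cheap triage point for sideloaded APKs. The script below is an added example, not Zimperium’s tooling or ClayRat’s code: it parses a manifest, checks for those four components, looks for the contacts-plus-send-SMS combination that enables the propagation described above, and flags an app whose label claims to be one of the impersonated brands while its package name is not the genuine one. The manifest it runs on is constructed for illustration, the package name in it is hypothetical, and the genuine package names and the role requirements come from Android’s own documentation.

```python
"""Manifest triage for the default-SMS-handler pattern (added example, not ClayRat's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Components Android requires before it will offer a package the default SMS role:
# (element tag, intent action, required android:permission on the component, required data schemes).
ROLE_REQUIREMENTS = {
    "sms_deliver_receiver": ("receiver", "android.provider.Telephony.SMS_DELIVER",
                             "android.permission.BROADCAST_SMS", ()),
    "wap_push_receiver": ("receiver", "android.provider.Telephony.WAP_PUSH_DELIVER",
                          "android.permission.BROADCAST_WAP_PUSH", ()),
    "sendto_activity": ("activity", "android.intent.action.SENDTO", None,
                        ("sms", "smsto", "mms", "mmsto")),
    "respond_via_message_service": ("service", "android.intent.action.RESPOND_VIA_MESSAGE",
                                    "android.permission.SEND_RESPOND_VIA_MESSAGE", ()),
}

# Brands the campaign impersonates (per the article) mapped to their genuine package names.
GENUINE_PACKAGES = {
    "whatsapp": "com.whatsapp",
    "tiktok": "com.zhiliaoapp.musically",
    "youtube": "com.google.android.youtube",
    "google photos": "com.google.android.apps.photos",
}


def aattr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def has_component(root, tag, action, permission, schemes):
    """True if some <tag> guarded by `permission` has an intent-filter for `action` and all `schemes`."""
    for comp in root.iter(tag):
        if permission and aattr(comp, "permission") != permission:
            continue
        for flt in comp.findall("intent-filter"):
            actions = {aattr(a, "name") for a in flt.findall("action")}
            if action not in actions:
                continue
            declared = {aattr(d, "scheme") for d in flt.findall("data")}
            if set(schemes) <= declared:
                return True
    return False


def triage_manifest(manifest_xml):
    """Return role-eligibility, propagation capability and brand-impersonation findings."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    perms = {aattr(p, "name") for p in root.findall("uses-permission")}
    app = root.find("application")
    label = (aattr(app, "label") or "").strip().lower() if app is not None else ""

    role = {name: has_component(root, *spec) for name, spec in ROLE_REQUIREMENTS.items()}
    findings = []
    if all(role.values()):
        findings.append("eligible for the default SMS handler role: all four required components declared")
    if {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"} <= perms:
        findings.append("READ_CONTACTS plus SEND_SMS: can text every contact (SMS-worm propagation)")
    genuine = GENUINE_PACKAGES.get(label)
    if genuine and package != genuine:
        findings.append("label %r but package %r is not the genuine %s" % (label, package, genuine))
    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "clean")
    return {"package": package, "role_components": role, "findings": findings, "verdict": verdict}


# Constructed manifest: a fake "WhatsApp" under a hypothetical package name that
# declares everything needed to take the default SMS role and to text all contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wa.update">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="WhatsApp">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
        <data android:scheme="mms"/><data android:scheme="mmsto"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:exported="true"
        android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
        <data android:scheme="sms"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["verdict"], result["package"])
    for f in result["findings"]:
        print(" -", f)
```

A legitimate messaging app will also declare the four role components, so the role check alone is a capability signal, not a verdict; what separates a ClayRat-style dropper is the combination with a brand label that does not match the genuine package and the contacts-plus-send-SMS pair. Run it on the manifest extracted from a sideloaded APK (for example with `apktool d` or `aapt dump xmltree`, converted to XML) before installing.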
Zimperium’s researchers noted, “Because these messages appear to come from a trusted source, recipients are far more likely to click the link, join the same Telegram channel, or visit the same phishing site.”
Powerful Spyware Capabilities
ClayRat’s newer variants encrypt their C2 (command-and-control) traffic with AES-GCM, an authenticated mode that also hides the command structure from network inspection, and support at least 12 different commands that enable extensive surveillance and control:
- Take photos using the front camera
- Send call logs and SMS to the server
- Place calls and send SMS remotely
- Capture notifications and device info
- Harvest installed app lists
- Use WebSocket proxy data for stealthy communications
Some samples show a fake update screen while silently decrypting and loading the real payload in the background, the dropper-plus-encrypted-payload pattern behind the 50 droppers counted above.
Zimperium Flags the Threat, Google Responds
Zimperium, a member of the App Defense Alliance, shared indicators of compromise (IoCs) with Google. As a result, Google Play Protect now detects and blocks known ClayRat variants. However, the scale and sophistication of the campaign suggest it’s far from over.
SQ Magazine Takeaway
I think this ClayRat campaign is one of the more dangerous spyware efforts we’ve seen in recent months. Not just because it steals personal data, but because it turns your own phone into a trap for your friends and family. That’s what really sets it apart. It abuses the trust people place in their contacts to spread silently and fast. If you’re sideloading APKs or joining Telegram channels for unofficial app downloads, stop now. The stakes have changed.