Android spyware alert graphic: cracked phone screen with ClayRat bat icon spreading from fake WhatsApp/TikTok apps, data streams (SMS, photos, contacts) flowing to hacker server; Russia map highlight, Zimperium shield blocking threats, and warning for 600

Zimperium researchers have uncovered ClayRat, an evolving Android spyware campaign hitting Russia via phishing sites and Telegram channels impersonating WhatsApp, TikTok, Google Photos, and YouTube. Over 90 days, 600 samples and 50 droppers were detected, each adding obfuscation to evade defenses. The malware, named after its C2 panel, exfiltrates SMS, call logs, notifications, and device info; snaps front-camera photos; and enables calls/SMS from the victim's device.


The attack redirects users to bogus sites with inflated download counts and fake testimonials, or to "YouTube Plus" pages bypassing Android 13+ sideloading restrictions. Droppers mimic Play Store updates and install their encrypted payloads through a session-based installation, which reduces suspicion. Once active, ClayRat requests default SMS app status for full access, then communicates with its C2 over HTTP to receive commands such as listing apps or capturing data.
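The traits described above (a familiar brand label on an unfamiliar package, an install that did not come from the Play Store, and the default SMS role) can be checked against a device inventory. The following is an added example, not code from Zimperium or from the original article; the inventory field names, the sample records and the label-to-package map are assumptions constructed for illustration.

```python
# Added example: inventory triage for the ClayRat traits described above.
# Field names and sample records are constructed for illustration.

# Assumption: label -> genuine package name for the impersonated brands
# (package names can differ by region; adjust for your fleet).
OFFICIAL = {
    "WhatsApp": "com.whatsapp",
    "TikTok": "com.zhiliaoapp.musically",
    "Google Photos": "com.google.android.apps.photos",
    "YouTube": "com.google.android.youtube",
}
PLAY_INSTALLER = "com.android.vending"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS"}

def triage(apps, sms_role_holder):
    """Return [(package, [reasons])] for apps matching the described traits."""
    findings = []
    for app in apps:
        reasons = []
        sideloaded = app["installer"] != PLAY_INSTALLER
        genuine = OFFICIAL.get(app["label"])
        # A well-known label on a package that is not the genuine one.
        if genuine and app["package"] != genuine:
            reasons.append("label impersonates " + app["label"])
        # ClayRat asks to become the default SMS app after install.
        if sideloaded and app["package"] == sms_role_holder:
            reasons.append("sideloaded app holds default SMS role")
        # SMS read and send rights on an app from outside the Play Store.
        if sideloaded and SMS_PERMS <= set(app["permissions"]):
            reasons.append("sideloaded app can read and send SMS")
        if reasons:
            findings.append((app["package"], reasons))
    return findings

# Constructed sample inventory for one device.
SAMPLE_APPS = [
    {"label": "WhatsApp", "package": "com.whatsapp",
     "installer": PLAY_INSTALLER,
     "permissions": ["android.permission.READ_CONTACTS"]},
    {"label": "YouTube", "package": "com.example.ytplus", "installer": None,
     "permissions": ["android.permission.READ_SMS",
                     "android.permission.SEND_SMS",
                     "android.permission.CAMERA"]},
    {"label": "Notes", "package": "org.example.notes", "installer": None,
     "permissions": []},
]
SAMPLE_SMS_ROLE_HOLDER = "com.example.ytplus"

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_APPS, SAMPLE_SMS_ROLE_HOLDER):
        print(pkg, "->", "; ".join(reasons))
```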


ClayRat aggressively propagates by auto-sending malicious links to all contacts, turning infected devices into distribution nodes for rapid spread. This surveillance tool poses severe privacy risks, especially for enterprises. A related University of Luxembourg study found 9% of pre-installed apps on African budget Android phones leak sensitive data, with 16% exposing critical components unsafely, highlighting global mobile threats.

