New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps

Summary

Security researchers have uncovered a rapidly evolving Android spyware campaign dubbed “ClayRat” that targets users (notably in Russia) by luring them with lookalike apps for WhatsApp, TikTok, Google Photos and YouTube. Attackers push victims to Telegram channels and bogus websites that host APK droppers or installers which then deploy an encrypted payload. Once active, ClayRat can exfiltrate SMS, call logs, notifications and device info, take photos with the front camera, make calls and send SMS messages — and it aggressively propagates by messaging every contact in the victim’s address book.

Zimperium reported at least 600 samples and 50 distinct droppers in the past 90 days, with successive variants adding obfuscation to evade detection. The malware commonly uses a lightweight visible installer that shows fake Play Store update screens while unpacking an encrypted payload, and it communicates with its command-and-control servers over HTTP. Some samples also request to become the default SMS app to gain deeper access to messages and message-related actions.

Key Points

  • ClayRat masquerades as popular apps (WhatsApp, TikTok, Google Photos, YouTube) to trick users into sideloading APKs.
  • Distribution relies heavily on adversary-controlled Telegram channels and lookalike phishing websites with fake download counts and testimonials.
  • Attackers use droppers: a visible installer displays a bogus update while an encrypted spyware payload is hidden in app assets.
  • Capabilities include exfiltrating SMS, call logs, notifications and installed apps list; taking front-camera photos; placing calls and sending SMS messages.
  • The malware self-propagates by sending malicious links to every contact, turning infected devices into automated distribution nodes.
  • Zimperium detected ~600 samples and ~50 droppers over 90 days; variants increase obfuscation to avoid detection.
  • ClayRat communicates over HTTP to C2 servers and may request default SMS-app status to access messages covertly.
  • Google Play Protect protects against known variants, but the campaign exploits sideloading and installer tricks to bypass platform friction.
  • Practical advice: avoid sideloading, verify app sources, review permissions (especially SMS/default apps), keep Play Protect active and patch devices promptly.
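A static triage check in Python, added here as an example (not code from the article or from Zimperium), that inspects an AndroidManifest.xml for the traits the report attributes to ClayRat: SMS, call, contact and camera permissions, the full set of intent filters an app must declare to be offered as the default SMS handler, and cleartext HTTP traffic. The manifest and the package name are constructed for the example; the function names are hypothetical.

```python
# Added triage example (not from the article or Zimperium): check an
# AndroidManifest.xml for traits the report attributes to ClayRat.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions covering what the report says ClayRat reads or abuses.
RISKY_PERMS = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CALL_LOG",
    "CALL_PHONE", "READ_CONTACTS", "CAMERA")}

# Intent actions Android requires from an app that wants to be the default SMS app.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the risky permissions, default-SMS actions and cleartext flag found."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    app = root.find("application")
    return {
        "risky_permissions": sorted(perms & RISKY_PERMS),
        "default_sms_actions": sorted(actions & DEFAULT_SMS_ACTIONS),
        # Only the full set of required actions makes the app eligible for the role.
        "requests_default_sms_role": DEFAULT_SMS_ACTIONS <= actions,
        "cleartext_traffic": app is not None
        and app.get(ANDROID + "usesCleartextTraffic") == "true",
    }

# Constructed manifest for a hypothetical lookalike app (not a real ClayRat sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lookalike">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name=".SmsRx"><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".Compose"><intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
    <service android:name=".Respond"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On a real sample, run it against the manifest decoded by apktool or aapt; an app branded as a video or photo client that declares the full default-SMS role and cleartext traffic deserves a closer look.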

Why should I read this?

Short version: if you use an Android phone (or look after mobile security), this one matters. ClayRat doesn’t just spy — it turns your compromised handset into a spammy courier for more infections. The tricks are basic but effective: fake apps, fake testimonials, and a sneaky installer flow that lowers suspicion. Read it so you don’t accidentally install the next fake WhatsApp or YouTube Plus and end up propagating the mess to your contacts.

Source

Source: https://thehackernews.com/2025/10/new-clayrat-spyware-targets-android.html