{"id":3168,"date":"2025-10-09T17:56:02","date_gmt":"2025-10-09T17:56:02","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/10\/09\/clayrat-spyware-campaign-targets-android-users-in-russia\/"},"modified":"2025-10-09T17:56:02","modified_gmt":"2025-10-09T17:56:02","slug":"clayrat-spyware-campaign-targets-android-users-in-russia","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/10\/09\/clayrat-spyware-campaign-targets-android-users-in-russia\/","title":{"rendered":"ClayRat Spyware Campaign Targets Android Users in Russia"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-ac76faf5-3088-4a42-b620-b83b2fc7f6ff\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A rapidly evolving Android spyware campaign known as \u201cClayRat\u201d has been discovered targeting Russian users through Telegram channels and phishing websites.<\/p>\n<p>The campaign, tracked by Zimperium\u00a0zLabs researchers, disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos and YouTube to trick users into downloading malicious software.<\/p>\n<h2>A Fast-Growing Mobile Threat<\/h2>\n<p>Over the past three months, the researchers identified more than 600 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools.<\/p>\n<p>Once installed, the spyware can exfiltrate call logs, SMS messages and notifications, take photos using the front camera and even send messages or place calls directly from the victim\u2019s phone.<\/p>\n<p>\u201cClayRat is a new Android spyware that hides inside fake apps that mimic popular apps such as TikTok, YouTube or Google Photos, and tricks users into giving it special permissions,\u201d\u00a0said Chrissa Constantine, senior cybersecurity solution architect at Black Duck.<\/p>\n<p>\u201cOnce installed, it can secretly read and send text messages, take photos, steal contact lists and call logs and spread 
itself.\u201d<\/p>\n<p>The spyware\u2019s operators employ a multifaceted strategy combining impersonation, deception and automation.<\/p>\n<p>Distribution occurs mainly through:<\/p>\n<ul>\n<li>\n<p>Phishing sites mimicking legitimate services like YouTube or Google Photos<\/p>\n<\/li>\n<li>\n<p>Telegram channels seeded with fake reviews and inflated download counts<\/p>\n<\/li>\n<li>\n<p>Step-by-step installation guides prompting users to bypass Android\u2019s built-in warnings<\/p>\n<\/li>\n<li>\n<p>Session-based installers posing as Play Store updates<\/p>\n<\/li>\n<\/ul>\n<h2>Abuse of Android\u2019s SMS Handler Role<\/h2>\n<p>ClayRat\u2019s most concerning feature is its abuse of Android&#8217;s default SMS handler role. Once granted, this permission allows the malware to read, store and send text messages without alerting users.<\/p>\n<p>The spyware exploits this access to spread itself further, sending messages such as \u201cBe the first to know!\u201d\u00a0to every saved contact.<\/p>\n<p>\u201cOnce installed, ClayRat can steal SMS messages, call logs, notifications, device identifiers, and photos taken with the front camera,\u201d\u00a0said Jason Soroko, senior fellow at Sectigo.<\/p>\n<p>\u201cIt can also send SMS or place calls from the device.\u201d<\/p>\n<h2>Detection and Defense<\/h2>\n<p>Zimperium&#8217;s systems reportedly detected ClayRat variants as soon as they appeared, before public disclosures. 
The company said it shared its findings with Google, helping ensure protection through Google Play Protect.<\/p>\n<p>To protect against similar threats, Soroko explained:\u00a0\u201cSecurity teams should enforce a layered mobile security posture that reduces installation paths, detects compromise and limits blast radius.\u201d<\/p>\n<p>John Bambenek, president at Bambenek Consulting, added:\u00a0\u201cThe key protection for any mobile device user is to only install applications from authorized Play\/App stores, even if they get a message from an otherwise familiar contact.\u201d<\/p>\n<p>With over 600 observed samples and growing sophistication, ClayRat underscores the accelerating pace of mobile malware evolution and the need for proactive defenses.<\/p>\n<\/p><\/div>\n<p>Image\u00a0credit: JarTee \/ Shutterstock.com<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A rapidly evolving Android spyware campaign known as \u201cClayRat\u201d has been discovered targeting Russian users through Telegram channels and phishing websites. The campaign, tracked by Zimperium\u00a0zLabs researchers, disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos and YouTube to trick users into downloading malicious software. 
A Fast-Growing Mobile Threat Over the past three<\/p>\n","protected":false},"author":2,"featured_media":3169,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3168","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3168-e7084158-a7cc-4edb-a825-6ad324be2039-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3168"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3168\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3169"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}