A new Android spyware known as ClayRat is being distributed by impersonating popular applications like WhatsApp, TikTok, and YouTube. The campaign primarily targets Russian users through deceptive Telegram channels and counterfeit websites designed to look authentic. Researchers from Zimperium have identified over 600 malware samples, indicating a large-scale and active operation.
The attackers use sophisticated phishing pages that mimic legitimate services, complete with fake user comments and download counts to appear trustworthy. These sites provide instructions for sideloading malicious APK files, often using a dropper that displays a fake update screen to hide its true intent. The malware employs a session-based installation technique to bypass modern Android security restrictions.
Once installed, ClayRat can seize extensive control, including becoming the default SMS handler to read, intercept, and modify messages. Its capabilities also include stealing call logs, taking photos, sending mass SMS messages, and capturing device notifications. All communication with the command-and-control server is encrypted. Despite Google Play Protect now blocking known variants, the campaign's scale and evolving tactics present a significant ongoing threat.
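The two behaviours above that a defender can check for on a device are brand impersonation (a label like "WhatsApp" on a package that is not the official one) and a sideloaded app holding the default SMS handler role. The triage script below is an added example, not code from Zimperium or the campaign report; the device inventory, the fake package name and the Play Store installer check are constructed assumptions for the demonstration.

```python
"""Triage a constructed Android app inventory for ClayRat-style indicators.

Added example. Real input would come from `adb shell pm list packages -i`
and the device's default SMS handler; the records below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLAY_STORE = "com.android.vending"  # installer package for Play installs

# Official package names for the brands the campaign impersonates
# (assumed current; verify against the vendor's Play listing).
OFFICIAL_PACKAGES = {
    "whatsapp": {"com.whatsapp", "com.whatsapp.w4b"},
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "youtube": {"com.google.android.youtube"},
}


@dataclass
class App:
    label: str                 # user-visible app name
    package: str               # package name
    installer: Optional[str]   # installing package; None for adb/sideload
    requests_sms_role: bool    # declares the SMS handler intents/permissions


def brand_of(label: str) -> Optional[str]:
    """Return the impersonated brand if the label names one, else None."""
    lowered = label.lower()
    return next((b for b in OFFICIAL_PACKAGES if b in lowered), None)


def triage(apps: List[App], default_sms_handler: str) -> List[Tuple[str, str]]:
    """Return (package, reason) findings worth a closer look."""
    findings = []
    for app in apps:
        brand = brand_of(app.label)
        if brand and app.package not in OFFICIAL_PACKAGES[brand]:
            findings.append((app.package, f"label impersonates {brand}"))
        if app.installer != PLAY_STORE and app.requests_sms_role:
            findings.append((app.package, "sideloaded app requests SMS role"))
        if app.package == default_sms_handler and app.installer != PLAY_STORE:
            findings.append((app.package, "default SMS handler is sideloaded"))
    return findings


# Constructed inventory: a genuine WhatsApp, a fake "WhatsApp" sideload
# (hypothetical package name) that took the SMS role, and Google Messages.
SAMPLE_APPS = [
    App("WhatsApp", "com.whatsapp", PLAY_STORE, False),
    App("WhatsApp", "com.example.wa.update", None, True),
    App("Messages", "com.google.android.apps.messaging", PLAY_STORE, True),
]
SAMPLE_DEFAULT_SMS = "com.example.wa.update"

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_APPS, SAMPLE_DEFAULT_SMS):
        print(f"{pkg}: {reason}")
```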
