ClayRat: A New Android Spyware Targeting Russia

ClayRat is an evolving Android spyware campaign distributed via Telegram channels and phishing sites that impersonate popular apps to trick Russian users into sideloading malicious APKs. Once installed and granted default SMS handler privileges, it exfiltrates SMS, call logs, notifications, device info, takes front-camera photos, sends SMS/calls, and self-propagates by messaging all contacts. #ClayRat #GdeDPS

Keypoints

  • ClayRat is distributed through Telegram channels and phishing websites that impersonate legitimate services and apps (e.g., fake GdeDPS and YouTube Plus pages) to host or link malicious APKs.
  • Over the past three months researchers observed more than 600 samples and 50 droppers, with continual additions of obfuscation and packing to evade detection.
  • The spyware abuses Android’s default SMS handler role: instead of requesting SMS permissions one by one, it asks the victim to make it the default SMS app, and that single role grant gives it broad read and send access to SMS without further runtime permission prompts.
  • ClayRat exfiltrates SMS, call logs, notifications and device information, can take front-camera photos, and can send SMS messages and place calls from the infected device on command from the C2.
  • Many samples are droppers: they use session-based installation flows and a fake Play Store update screen to sidestep the extra restrictions Android 13+ places on sideloaded apps, and carry the real payload encrypted inside the app’s assets.
  • The malware weaponizes infected devices by automatically sending a socially engineered SMS (“Узнай первым!”, “Be the first to know!”) to every contact, turning each device into a distribution hub.
  • Zimperium’s on-device behavioral detection identified ClayRat variants early and shared findings with Google to help protect users via Google Play Protect.
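The dropper traits listed above (encrypted payloads under assets/, fake update screens wrapping a session-based install, a request for the default SMS role) can be screened for statically before a sample is ever run. The script below is an added example written for this page, not code from Zimperium or from the ClayRat samples; the APK it inspects is constructed in memory, and the thresholds and DEX string markers are heuristics of my own choosing. It scores the byte entropy of every asset (encrypted or packed data sits close to 8 bits per byte), flags executables bundled under assets/, and greps the DEX string table for the session-installer class descriptor and the inlined `android.app.role.SMS` constant.

```python
"""Static triage of an APK for dropper traits: high-entropy assets, embedded
APK/DEX files under assets/, and DEX string-table references to the session
installer API and the default-SMS role. Heuristics only: reflection or string
encryption defeats the string matches, and compressed data also scores high."""
import hashlib
import io
import math
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0
MIN_SIZE = 1024           # entropy of tiny files is too noisy to score
# Strings that land in the DEX string table when the app uses these APIs
# (RoleManager.ROLE_SMS is a compile-time constant, so javac inlines it).
DEX_MARKERS = {
    b"Landroid/content/pm/PackageInstaller$Session;": "session-based package install",
    b"android.app.role.SMS": "requests the default SMS handler role",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return per-asset entropy plus a list of human-readable findings."""
    assets, findings = {}, []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            data = zf.read(name)
            if name.startswith("assets/"):
                ent = shannon_entropy(data)
                assets[name] = ent
                if len(data) >= MIN_SIZE and ent >= ENTROPY_THRESHOLD:
                    findings.append(
                        f"high-entropy asset, possible encrypted payload: {name} ({ent:.2f} bits/byte)")
                if name.lower().endswith((".apk", ".dex", ".jar")):
                    findings.append(f"embedded executable under assets/: {name}")
            elif name.startswith("classes") and name.endswith(".dex"):
                # DEX strings are MUTF-8, so a plain byte search works for ASCII.
                for needle, meaning in DEX_MARKERS.items():
                    if needle in data:
                        findings.append(f"{name}: {meaning} ({needle.decode()})")
    return {"assets": assets, "findings": findings}


def build_sample_apk() -> bytes:
    """Constructed sample, not a real ClayRat file: a plain-text asset, a
    deterministic pseudo-random 8 KiB blob standing in for an encrypted
    payload, and a fake DEX body containing the two API strings."""
    blob = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(256))
    fake_dex = b"dex\n035\x00" + b"\x00".join(DEX_MARKERS) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("assets/strings.txt", b"Update available, tap Install to continue.\n" * 64)
        zf.writestr("assets/payload.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for name, ent in report["assets"].items():
        print(f"{name:24s} {ent:.2f} bits/byte")
    for finding in report["findings"]:
        print("!", finding)
```

On a real sample, replace `build_sample_apk()` with the bytes of the APK under analysis. The manifest is deliberately not inspected: AndroidManifest.xml inside an APK is binary AXML with its own string pool, so the SMS_DELIVER receiver and role requests there need a proper AXML parser rather than a byte search.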

MITRE Techniques

  • [T1660] Phishing – Adversaries host external phishing sites that deliver the malicious APKs. Quote: ‘Adversaries host external phishing sites to download malicious APKs’
  • [T1624.001] Event Triggered Execution: Broadcast Receivers – The malware registers a broadcast receiver for incoming SMS events and outgoing calls. Quote: ‘It creates a broadcast receiver to receive SMS events and outgoing calls’
  • [T1655.001] Masquerading: Match Legitimate Name or Location – The payload borrows the Google Play icon and presents itself as a Play Store component to blend in. Quote: ‘Malware payload is impersonating Google Play icon as an extension’
  • [T1426] System Information Discovery – It collects device information such as the device name and Android version. Quote: ‘It gets device info such as device name, Android version, etc.’
  • [T1636.004] Protected User Data: SMS Messages – It exfiltrates the user’s SMS messages to the server. Quote: ‘It exfiltrates user SMS messages and sends them to the server’
  • [T1636.002] Protected User Data: Call Log – The malware steals call logs from the device. Quote: ‘Malware steals call logs’
  • [T1437.001] Application Layer Protocol: Web Protocols – Uses HTTP to communicate with the C2 servers. Quote: ‘Uses HTTP protocol to communicate with C&C servers.’
  • [T1646] Exfiltration Over C2 Channel – Collected data is sent back over the same C2 channel. Quote: ‘Sending exfiltrated data over C&C server.’
  • [T1582] SMS Control – The spyware can read SMS messages and send them on command. Quote: ‘It can read SMS messages.’
  • [T1616] Call Control – Operators can place calls from the victim’s device. Quote: ‘TAs can make calls from the victim’s device’

Indicators of Compromise

  • [Domains] Phishing and impersonation – domains hosting fake GdeDPS and YouTube Plus pages that link to the malicious APKs
  • [Telegram Channels] Distribution hubs – observed channels such as @baikalmoscow used to host or link APKs and to seed fake social proof
  • [File Names / APKs] Malicious installers and droppers – APKs masquerading as WhatsApp, Google Photos, TikTok, YouTube or a Play Store update (for example an APK presented as a YouTube Plus update)
  • [C2 markers] Communication markers – Base64 payloads that decode to contain the marker string “apezdolskynet”, and C2 servers labelled with the name “ClayRat”; match on the decoded body, since the encoded form of the marker changes with its byte offset inside the payload
  • [Sample Counts] Observed malware artifacts – more than 600 samples and 50+ droppers in three months, plus additional packed/encrypted variants
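Because the marker only shows up after Base64 decoding, a signature on the encoded string is fragile: the same ASCII bytes have three different Base64 spellings depending on their offset in the payload, and URL-safe encoding or stripped padding changes them again. The scanner below is an added example for this page, not Zimperium’s detection logic or ClayRat code; the request bodies it scans are constructed here, and `c2.invalid` is a placeholder host. It pulls every Base64-looking run out of a body, normalises the alphabet and padding, decodes it, and reports where the marker lands in the decoded bytes.

```python
"""Find the ClayRat C2 marker inside plaintext or Base64-encoded request
bodies by decoding candidate runs rather than matching an encoded form."""
import base64
import binascii
import re
from typing import Optional

MARKER = b"apezdolskynet"
# Runs of at least 16 Base64 chars (standard or URL-safe alphabet) plus optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/_-]{16,}={0,2}")


def decode_token(token: bytes) -> Optional[bytes]:
    """Decode one Base64 candidate; return None if it is not valid Base64."""
    normalised = token.replace(b"-", b"+").replace(b"_", b"/")
    normalised += b"=" * (-len(normalised) % 4)   # tolerate stripped padding
    try:
        # validate=True rejects stray characters and over-padded garbage
        # (e.g. a long English word the regex happened to match).
        return base64.b64decode(normalised, validate=True)
    except binascii.Error:
        return None


def scan_for_marker(body: bytes, marker: bytes = MARKER) -> list:
    """Return one record per occurrence of the marker, plaintext or Base64-wrapped."""
    hits = []
    if marker in body:
        hits.append({"encoding": "plain", "offset": body.index(marker)})
    for m in B64_TOKEN.finditer(body):
        decoded = decode_token(m.group(0))
        if decoded and marker in decoded:
            hits.append({
                "encoding": "base64",
                "token_offset": m.start(),      # where the run sits in the body
                "offset": decoded.index(marker),  # where the marker sits in the payload
                "decoded": decoded,
            })
    return hits


def constructed_samples() -> dict:
    """Constructed request bodies for demonstration; not captured traffic."""
    beacon = b'{"dev":"Pixel 7","os":"14","tag":"apezdolskynet","sms":[]}'
    return {
        "beacon_std": (b"POST /gate HTTP/1.1\r\nHost: c2.invalid\r\n"
                       b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                       b"data=" + base64.b64encode(beacon)),
        # URL-safe alphabet with the padding stripped, as a form post might send it.
        "beacon_urlsafe": b"data=" + base64.urlsafe_b64encode(beacon).rstrip(b"="),
        "benign": b"data=" + base64.b64encode(b"hello world, nothing to see here"),
    }


if __name__ == "__main__":
    for name, body in constructed_samples().items():
        print(name, scan_for_marker(body))
```

The 16-character minimum keeps header words and short form fields out of the decoder; `application/x-www-form-urlencoded` in the sample is long enough to be tried, but fails validation and is discarded. Nested encodings (Base64 inside Base64) are not unwrapped; feed the decoded bytes back through `scan_for_marker` if a family is known to double-encode.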


Read more: https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia