A sophisticated Android spyware campaign dubbed ClayRat has emerged as one of the most concerning mobile threats of 2025, masquerading as popular applications including WhatsApp, Google Photos, TikTok, and YouTube to infiltrate devices and steal sensitive user data.<\/p>\n
The malware demonstrates remarkable adaptability and persistence, with threat actors continuously evolving their tactics to bypass security measures and expand their reach across targeted regions.<\/p>\n
ClayRat operates as a comprehensive surveillance tool<\/a> capable of exfiltrating SMS messages, call logs, device notifications, and personal information while maintaining covert access to infected devices.<\/p>\n The spyware\u2019s most alarming capability lies in its ability to capture photographs using the front-facing camera and weaponize the victim\u2019s contact list by automatically sending malicious links to every saved contact, effectively transforming each compromised device into a distribution hub for further infections.<\/p>\n The campaign has demonstrated explosive growth over recent months, with security researchers documenting over 600 malware<\/a> samples and 50 dropper variants within a three-month period.<\/p>\n Each iteration introduces new layers of obfuscation and packing techniques designed to evade detection systems, showcasing the operators\u2019 commitment to maintaining persistence against evolving security defenses<\/a>.<\/p>\n Zimperium analysts identified<\/a> the malware\u2019s sophisticated distribution network, which primarily leverages Telegram channels and carefully crafted phishing websites that closely mimic legitimate service pages.<\/p>\n The attackers have registered domains that impersonate well-known services, creating convincing landing pages that redirect victims to Telegram channels where malicious APK files are hosted with accompanying installation instructions designed to bypass Android\u2019s built-in security warnings.<\/p>\n ClayRat employs several sophisticated techniques to establish persistent<\/a> access on target devices, with its most effective strategy involving the abuse of Android\u2019s default SMS handler role.<\/p>\n This privileged system role grants the malware extensive access to messaging functions without triggering standard runtime permission prompts, allowing it to read, store, and forward text messages at scale while remaining largely undetected by users.<\/p>\n The spyware utilizes session-based installation methods specifically designed to circumvent Android 13\u2019s enhanced security restrictions.<\/p>\n Dropper variants present fake Google Play Store update screens to victims, displaying familiar installation interfaces while secretly deploying encrypted payloads stored within the application\u2019s assets.<\/p>\n This approach significantly reduces user suspicion and increases installation success rates by mimicking legitimate system update procedures.<\/p>\n Once successfully installed and granted SMS handler privileges, ClayRat immediately begins its surveillance operations by capturing photographs using the device\u2019s front-facing camera and uploading them to command-and-control servers.<\/p>\n The malware supports an extensive range of remote commands including application enumeration, call log exfiltration, notification theft, and unauthorized SMS transmission from the victim\u2019s device.<\/p>\n Communication with command-and-control infrastructure occurs through standard HTTP protocols, with the malware implementing Base64 encoding combined with marker strings such as \u201capezdolskynet\u201d to obfuscate traffic patterns.<\/p>\n Advanced variants employ AES-GCM encryption for secure communications while utilizing dynamic payload loading from encrypted assets to further complicate analysis and detection efforts.<\/p>\n The malware\u2019s self-propagation mechanism represents its most dangerous feature, automatically composing and transmitting malicious links to every contact in the victim\u2019s phonebook, creating an exponential infection pattern that exploits social trust relationships for rapid campaign expansion.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Android Malware ClayRat Mimic as WhatsApp, Google Photos to Attack Users<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjd5AJ0QARUBuryDs5fxBfx7qx9GOlHBRcBiiT9WfPaIKKU_wmnxyCJPn7jsIOFxmlA6kP_43d-za2HmYk_JVtj9GiWdobr_j7xtzc-PQPV4EHlUUyjbU6RR7KcyJD9532kmUh2w8HNGqzUjFklejKyNCe3U2cq3dzbgE8TFmGwG4cCBXQ8lViqjpoJwQU\/s16000\/Attackers%2520prompting%2520victims%2520to%2520join%2520Telegram%2520channel%2520%28Source%2520-%2520Zimperium%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjk9Uo69PD3hDxcm-stgkHirDisiNGwQQLo9cfi9Sb-ShbbHHtS5VFr2nkNp1XJJCCM4UxbA66WFe6yDfFKsCLbawxThDrU0y8LMfKrSuFPj2nq7KQyyrWlaiODk0UJA1oxJU5ccVedUDxz6TBHBhJXfZgiJfFh6bByTM1SfyJaqJkGNJgFXw8APMkYwyc\/s16000\/Domain%2520hosted%2520online%2520impersonating%2520GdeDPS%2520%28Source%2520-%2520Zimperium%29.webp?ssl=1\")
Advanced Infection and Persistence Mechanisms<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhpn-ikRQkWFuH389yFZPNhX8BnYgxlAD2vhIExqBzOfdxmc74AcRWnFLrWeGEqZ-w336Ik1uhoDA8VH-AsrvDhm4FVXjVSMsC19q8cqBsH9lyEIbJhD1S7Zzi_LRjgmKvoAulk0Yj-I1mPfVLJPPsWua33Wvp-3XOYy2STC_H6ZT3dJ8d0N3EP9lSUesM\/s16000\/Session%2520based%2520installation%2520used%2520by%2520the%2520malware%2520%28Source%2520-%2520Zimperium%29.webp?ssl=1\")