A dangerous new Android spyware variant called ClayRat has emerged as a significant threat to mobile device security worldwide.<\/p>\n
First identified in October by the zLabs team, this malware represents a concerning evolution in mobile threats with capabilities that allow attackers to gain near-complete control over infected devices.<\/p>\n
The spyware demonstrates sophisticated techniques to steal sensitive personal data while remaining hidden from victims who might otherwise detect and remove it.<\/p>\n
ClayRat operates by mimicking legitimate applications, including popular platforms like YouTube and messaging apps, as well as localized services such as Russian taxi and parking applications.<\/p>\n
The malware primarily spreads through phishing websites, with over 25 fraudulent domains currently active, hosting malicious files.<\/p>\n
Additionally, cloud storage services like Dropbox have been observed distributing the malware, expanding its reach significantly.<\/p>\n
Researchers have already detected more than 700 unique APK files in an impressively short timeframe, indicating a large-scale distribution campaign.<\/p>\n
\nMalware impersonating youtube and local connection stabilizer (Source -Zimperium)<\/figcaption><\/figure>\n<\/div>\n
The malware enters devices through deceptive installation prompts that request permissions for SMS and accessibility features.<\/p>\n
Zimperium security analysts identified that ClayRat employs a sophisticated dropper technique to bypass Android security restrictions.<\/p>\n
The encrypted payload remains stored in the application\u2019s assets folder, using AES\/CBC decryption with embedded keys to unpack itself during runtime, making detection considerably more challenging for standard security measures.<\/p>\n
\nOpening assets folder and using AES \u2013 CBC for decryption (Source \u2013 Zimperium)<\/figcaption><\/figure>\n<\/div>\n
Once installed, ClayRat escalates its privileges by requesting users enable Accessibility Services alongside default SMS permissions.<\/p>\n
This combination of permissions creates a dangerous window for attackers to exploit the device comprehensively.<\/p>\n
Persistence Tactics Through Accessibility Service Abuse<\/strong><\/h2>\n
The new variant significantly expands its capabilities through aggressive misuse of Accessibility Services.<\/p>\n
After obtaining necessary permissions, the malware automatically disables the Play Store through automated screen clicks, removing Google Play Protect security protections without user knowledge.<\/p>\n
The spyware monitors all lock screen interactions, including button presses and pattern movements, reconstructing PIN codes, passwords, and patterns with remarkable accuracy.<\/p>\n
\nRequest for default SMS and accessibility permission (Source \u2013 Zimperium)<\/figcaption><\/figure>\n<\/div>\n
When victims enter their credentials, the malware captures this information in SharedPreferences under the key lock_password_storage.<\/p>\n
Using the stored credentials, the malware then executes an auto_unlock command that sends gestures to unlock the device automatically, completely removing the victim\u2019s ability to detect the infection through the lock screen.<\/p>\n
This technique ensures ClayRat maintains persistent access regardless of attempted device security measures.<\/p>\n
Additionally, the malware captures photographs using the device camera, records screen content through MediaProjection APIs, steals SMS messages and call logs, and creates fake notifications to intercept sensitive replies from users.<\/p>\n
![\"Malware](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjZhU2j3qiAsEbxKOqyiCNVH9GqMDYKAC_pZI3GSEp5YKoy0Z0TwvwIxYz_un7iH6SUI9h5URfwYyRUAxCAhF_blPsKP5kBZVJ58Gdg7KW1n7P5HK7JAEs-uhGN8dv4P5xGKOHcat3bKtDI0u_aWZeIXptXy-Yg6wVikLq0dn4OOCyqWBCQqhJiGVRwG2E\/s16000\/Malware%2520impersonating%2520youtube%2520and%2520local%2520connection%2520stabilizer%2520%28Source%2520-Zimperium%29.webp?ssl=1\")
![\"Opening](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiwcPb0USL4rzq_ju0FHOamwZlwRVlRv2nakc35YTGXPhACtZgdq8a6G6Pm5V3HzPGejWMtBBPkrRxIlvoziWOrV1Ddp7WiKYwRb7jSW0UkA4DAnfjuYeAz4vciR31ZbE86iRwAAUE0prwXo894s82XmCwn3rMXChJR1XmFuRqvd5Wvt2WrugneHXmQW9Y\/s16000\/Opening%2520assets%2520folder%2520and%2520using%2520AES%2520-%2520CBC%2520for%2520decryption%2520%28Source%2520-%2520Zimperium%29.webp?ssl=1\")
![\"Request](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3iiNHsQtX8UZkN-P54LKawvGLPtwEK-4Y7vXYz36t34pu0UxbebcleXfsn-S-4KnGbWUwydDj2FUnmzlM0aXGCPoyFr_fIRsV6ttxKaMbsmdnBVTyUxMdVj-T0Xk2t7DuwyOhbwtk3Z4PlHoLYqOugJCBUFVI4MossGHu9rwHxz2Ay4QzpUpl4tR9i64\/s16000\/Request%2520for%2520default%2520SMS%2520and%2520accessibility%2520permission%2520%28Source%2520-%2520Zimperium%29.webp?ssl=1\")