ClayRat Android Spyware Distributed via Fake Messaging and Social Media Apps
A sophisticated Android spyware campaign known as ClayRat has been identified targeting users in Russia by masquerading as popular applications such as WhatsApp, Google Photos, TikTok, and YouTube. Attackers employ a combination of phishing websites and Telegram channels to lure victims into downloading malicious APK files, often by imitating official app pages and inflating download statistics with fake testimonials. Once installed, ClayRat grants attackers extensive control over the infected device, enabling them to exfiltrate sensitive data including SMS messages, call logs, device information, and notifications. The spyware can also covertly take photos using the device’s front camera and initiate calls or send SMS messages without user consent. Researchers from Zimperium’s zLabs have observed that the malware propagates aggressively by sending malicious links to every contact in the victim’s phone book, leveraging compromised devices as distribution vectors. Over a three-month period, more than 600 unique samples and 50 dropper variants have been detected, with each iteration incorporating new obfuscation techniques to evade security defenses. Some versions of ClayRat act as droppers, presenting a fake Play Store update screen while installing the actual encrypted payload in the background. The campaign exploits Android’s default SMS handler role to bypass platform restrictions and facilitate rapid spread. In certain cases, fake websites offer a counterfeit “YouTube Plus” app with purported premium features, further enticing users to sideload the malware. The attackers’ use of Telegram channels, such as @baikalmoscow, as distribution hubs is notable for its effectiveness in social engineering. The campaign’s rapid evolution and high volume of unique samples indicate a well-resourced and persistent threat actor. Security researchers emphasize the importance of user vigilance, as the malware’s ability to bypass Google’s sideloading protections on Android 13 and later poses a significant risk. The campaign’s focus on Russian users suggests a degree of regional targeting, though the techniques employed could be adapted for broader attacks. The use of fake positive feedback and inflated download numbers on Telegram channels is designed to build trust and lower user skepticism. The technical sophistication of ClayRat, including its modular dropper architecture and obfuscation layers, presents challenges for traditional mobile security solutions. Organizations and individuals are advised to avoid downloading APKs from unofficial sources and to monitor for unusual device behavior. The ongoing development and distribution of ClayRat underscore the evolving threat landscape facing Android users, particularly in regions where sideloading is more common.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Zimperium publicly discloses the ClayRat spyware campaign
Zimperium researchers publicly reported the ClayRat Android spyware campaign, detailing its fake-app lures, Telegram and phishing-based distribution, self-propagation via SMS, and broad surveillance capabilities. Multiple security news outlets covered the disclosure the same day, marking the campaign's wider public exposure.
ClayRat evolves into a self-propagating Android spyware operation
During the following three months, ClayRat spread through more than 600 identified samples and over 50 droppers, with infected devices abused as the default SMS handler to send malicious links to all contacts. Researchers also observed obfuscation, packing, HTTP-based C2 communications, and some variants using AES-GCM encryption for C2 traffic while enabling data theft and remote command execution.
ClayRat campaign begins targeting Russian Android users
A spyware campaign dubbed ClayRat began targeting Android users in Russia through fake Telegram channels and phishing sites impersonating popular apps such as WhatsApp, TikTok, YouTube, and Google Photos. The malware relied on social engineering, fake reviews, and inflated download statistics to lure victims into installing malicious APKs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Russian spyware ClayRat is spreading, evolving quickly, according to Zimperium
cyberscoop.com
Open sourcePopular apps spoofed to deploy novel ClayRat Android spyware
scworld.com
Open sourceClayRat spyware turns phones into distribution hubs via SMS and Telegram
csoonline.com
Open sourceClayRat campaign uses Telegram and phishing sites to distribute Android spyware
securityaffairs.com
Open sourceNew ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps
thehackernews.com
Open sourceFake TikTok and WhatsApp Apps Infect Android Devices with ClayRat Spyware
hackread.com
Open sourceNew Android spyware ClayRat imitates WhatsApp, TikTok, YouTube
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClayRat Android Spyware Variant Gains Full Device Control via Accessibility Abuse
A new variant of the ClayRat Android spyware has emerged, significantly enhancing its capabilities to seize full control of infected devices. Security researchers at Zimperium have detailed how this updated version now abuses Android's Accessibility Services in addition to requesting Default SMS privileges, enabling the malware to record lock screen credentials, capture screen activity, and automatically unlock devices. The spyware can also overlay fake system update screens, block user actions, disable Google Play Protect, and intercept sensitive information through custom notifications, making it much harder for victims to detect or remove the threat. ClayRat continues to disguise itself as popular apps and local services, particularly targeting users in Russia, and is distributed through phishing sites and platforms like Dropbox. Over 700 unique malicious APKs have been identified, with the malware leveraging more than 25 fraudulent phishing domains to reach victims. The combination of advanced device control, sophisticated evasion techniques, and widespread distribution channels marks this ClayRat variant as a major escalation in Android spyware threats.
Mar 21, 2026
Active Spyware Campaigns Targeting Mobile Messaging Apps and Android Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a surge in sophisticated spyware campaigns targeting users of popular mobile messaging applications such as Signal, WhatsApp, and Telegram. Threat actors are leveraging commercial spyware and remote access trojans (RATs), employing tactics like social engineering, device-linking QR codes, zero-click exploits, and spoofed app versions to compromise high-value individuals, including government officials. Notable campaigns include the use of Android spyware like ProSpy, ToSpy, and ClayRat, as well as the exploitation of vulnerabilities in iOS, WhatsApp, and Samsung devices to deploy malware such as LANDFALL, with the goal of persistent access and data exfiltration. In a related development, researchers at Certo Software have identified a new Android RAT dubbed RadzaRat, which masquerades as a legitimate file manager app. RadzaRat provides attackers with full remote control over infected devices, supports large-scale file transfers, and features keylogging capabilities to steal sensitive information. Alarmingly, RadzaRat is currently undetectable by all major antivirus solutions and is openly available for download, increasing the risk of widespread abuse. These findings underscore the growing threat posed by advanced spyware and RATs targeting mobile platforms, often bypassing traditional security defenses and exploiting user trust in legitimate-looking applications.
Mar 21, 2026
Android Malware Leveraging Legitimate Apps for Surveillance and Theft
Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection. The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.
Mar 21, 2026