Home > Security > Security News

ClayRat Spyware Campaign Targets Android Users via Telegram and Fake WhatsApp, TikTok, YouTube Sites

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Phone - Clay Rat

A rapidly expanding Android spyware campaign known as ClayRat propagates malware through a highly organized combination of social engineering and web-based deception. Attackers leverage channels on popular messaging apps and carefully crafted phishing sites that mimic legitimate services to trick users into downloading and installing malicious APKs. 

Extensive Surveillance Capabilities

An Android spyware campaign utilizes Telegram channels and phishing websites that impersonate popular applications, including WhatsApp, TikTok, Google Photos, and YouTube. To enhance credibility, these channels often feature fake user testimonials and inflated download counts, according to recent research by Zimperium. 

Researchers warn that ClayRat is expanding at an alarming rate, with more than 600 samples and 50 droppers having been observed in the past three months alone, “each iteration adding new layers of obfuscation and packing to evade detection.”

Spyware hosted on phishing site impersonating YouTube Plus
Spyware hosted on phishing site impersonating YouTube Plus | Source: Zimperium

Once installed on a device, the ClayRat spyware possesses extensive surveillance capabilities and can: 

This deep level of access turns a personal device into a comprehensive surveillance tool.

Session-based installation used by the malware
Session-based installation used by the malware | Source: Zimperium

Some variants of the spyware act as droppers, presenting a fake Google Play update screen while a hidden, encrypted payload is installed, bypassing Android 13's security restrictions.

ClayRat demonstrates how attackers are evolving faster than ever, combining social engineering, self-propagation, and system abuse to maximize reach,” said Shridhar Mittal, CEO of Zimperium. 

Self-Propagation and Mobile Security Threats

One of ClayRat's most potent features is its self-propagation mechanism. By gaining permissions as the default SMS handler, the malware can send malicious links to every contact stored on the victim’s phone. 

This technique effectively weaponizes the victim's social network, turning each infected device into an automated distribution node and fueling the campaign's exponential growth. 

The abuse of the SMS handler role represents one of the significant mobile security threats posed by this malware, as it consolidates powerful permissions into a single authorization step, bypassing many standard user-facing security warnings.

Besides remaining wary as an end user, Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, recommends organisations to train and educate employees to avoid falling prey to social engineering and “ensure that employees understand the importance of not loading apps from untrusted sources, especially on work devices.”

A layered mobile security posture that reduces installation paths, detects compromise, and limits blast radius is recommended by Sectigo’s Jason Soroko. “Teams should also block sideloading through Android Enterprise policy and allow only managed Google Play installs and monitor for any change to the default SMS app, then block or alert on unauthorized handlers.

This type of RAT technology can also be used to “engage in even more sophisticated impersonation attacks,” warns Bambenek Consulting President John Bambenek.

A few months ago, Android malware used energy subsidy promises in India to steal financial data, and a Telegram APK campaign exploited fake domains and Android vulnerabilities.

Add a Comment
Related
Map - Laptop - Lock - Files
Invoicely Database Exposure Leaks 180,000 Files Containing Sensitive User Data
Robot - Cityscape - Buildings
API Security Lags as AI Adoption Accelerates, Report Finds
FBI - China Flag - Police - Laptops
FBI Probes Alleged Chinese Hacking of US Law Firms, Including Williams & Connolly
Ransom - Discord - Data Leak - Hacker
Discord Zendesk Breach Escalates with Extortion and Data Leaks
Corporate Executives - AI
AI Progress Hits Pause: Security Gaps Force Firms to Rethink Adoption
Developer - Coding - AI - Sad Robot
Too Fast, Too Vulnerable: DevSecOps Teams Struggle to Keep Code Secure
Most Popular
Map - Laptop - Lock - Files
Invoicely Database Exposure Leaks 180,000 Files Containing Sensitive User Data
Robot - Cityscape - Buildings
API Security Lags as AI Adoption Accelerates, Report Finds
FBI - China Flag - Police - Laptops
FBI Probes Alleged Chinese Hacking of US Law Firms, Including Williams & Connolly
Ransom - Discord - Data Leak - Hacker
Discord Zendesk Breach Escalates with Extortion and Data Leaks
Corporate Executives - AI
AI Progress Hits Pause: Security Gaps Force Firms to Rethink Adoption
Developer - Coding - AI - Sad Robot
Too Fast, Too Vulnerable: DevSecOps Teams Struggle to Keep Code Secure
Invoicely Database Exposure Leaks 180,000 Files Containing Sensitive User Data
API Security Lags as AI Adoption Accelerates, Report Finds
FBI Probes Alleged Chinese Hacking of US Law Firms, Including Williams & Connolly
Discord Zendesk Breach Escalates with Extortion and Data Leaks
AI Progress Hits Pause: Security Gaps Force Firms to Rethink Adoption
Too Fast, Too Vulnerable: DevSecOps Teams Struggle to Keep Code Secure

Most Popular
Map - Laptop - Lock - Files
Invoicely Database Exposure Leaks 180,000 Files Containing Sensitive User Data
Robot - Cityscape - Buildings
API Security Lags as AI Adoption Accelerates, Report Finds
FBI - China Flag - Police - Laptops
FBI Probes Alleged Chinese Hacking of US Law Firms, Including Williams & Connolly
Ransom - Discord - Data Leak - Hacker
Discord Zendesk Breach Escalates with Extortion and Data Leaks
Corporate Executives - AI
AI Progress Hits Pause: Security Gaps Force Firms to Rethink Adoption
Developer - Coding - AI - Sad Robot
Too Fast, Too Vulnerable: DevSecOps Teams Struggle to Keep Code Secure
Invoicely Database Exposure Leaks 180,000 Files Containing Sensitive User Data
API Security Lags as AI Adoption Accelerates, Report Finds
FBI Probes Alleged Chinese Hacking of US Law Firms, Including Williams & Connolly
Discord Zendesk Breach Escalates with Extortion and Data Leaks
AI Progress Hits Pause: Security Gaps Force Firms to Rethink Adoption
Too Fast, Too Vulnerable: DevSecOps Teams Struggle to Keep Code Secure

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: