A new Android spyware called ClayRat is spreading rapidly, disguising itself as well-known apps like WhatsApp, Google Photos, TikTok, and YouTube. Its goal is clear: to trick users into installing it and then spy on them without their knowledge.
This malware is primarily distributed through Telegram channels and fake websites that mimic legitimate pages, making it easier for users to lower their guard. Once active, ClayRat can read your SMS messages, access call logs, capture notifications, take photos with the device’s camera, and even make calls remotely.
In the past three months, more than 600 different variants of this spyware have been identified, along with at least 50 different installation methods—evidence that the attackers are investing resources to expand and refine their campaign.
At TecnetOne, we aim to keep you informed about these types of threats so you can protect your device and personal information safely and mindfully.
How Does the New ClayRat Malware Spread?
The campaign behind the ClayRat spyware (named after the command and control (C2) server it uses) is carefully designed to appear legitimate and trustworthy. Attackers have created fake websites that closely mimic official pages of popular services. These phishing portals are crafted to deceive users from the very first click.
When a victim accesses one of these sites, they are redirected to Telegram channels where infected APK files are shared—these are fake versions of apps like WhatsApp or TikTok that contain the malware.
To make everything look authentic, the cybercriminals have gone as far as adding fake reviews, inflating download numbers, and designing an interface that perfectly mimics the Google Play Store experience. They even include step-by-step instructions on how to install the APK and bypass Android’s security warnings, making the entire process seem completely normal.
Fake Update Loads Spyware in the Background (Source: Zimperium)
Some variants of the ClayRat malware function as “droppers,” meaning the app you see upon installation is nothing more than a façade. In many cases, the only thing visible to the user is a fake Google Play update screen, while the actual malware—a hidden encrypted payload—is concealed within the app’s internal files.
To infiltrate the system without raising suspicion, attackers use an installation method known as “session-based installation,” designed to bypass security restrictions in Android 13 and later versions. This technique also lowers the chances of user suspicion, as everything appears to be working normally.
In short: the installation process looks clean, but in reality, you’re letting spyware into your device.
Once ClayRat is installed and running, it can use your device as a starting point to infect others. For instance, it’s capable of sending malicious SMS messages to all your contacts, thereby expanding its network of victims without your knowledge.
Telegram Channel Spreading ClayRat Droppers
What Can ClayRat Do Once It Infects Your Phone?
Once installed, ClayRat takes full control of the device’s SMS messages. It sets itself as the default SMS app, allowing it to read all incoming messages, access saved message history, and even intercept messages before they reach other apps.
In addition, it can modify SMS databases, which means it can alter or delete messages without the user noticing. In other words, it not only spies on your conversations but can also manipulate what you see—or don’t see—in your inbox.
ClayRat Becomes the Default SMS Controller (Source: Zimperium)
Once the spyware is installed on the device, it establishes communication with its command and control (C2) server. In its latest versions, this connection is encrypted with AES-GCM (a fairly robust security standard), allowing it to send and receive commands without being easily detected.
The malware is programmed to execute up to 12 different commands, enabling it to extract data, spy on the user, and continue spreading. Here's what ClayRat can do once it’s active:
- Get list of installed apps (get_apps_list): Sends the full list of apps on your phone to the server.
- Access call history (get_calls): Extracts and shares all your call logs.
- Take photos with the front camera (get_camera): Can silently take pictures and send them directly to the attacker’s server.
- Read your SMS (get_sms_list): Steals all SMS messages stored on the device.
- Send mass SMS messages (messsms): Sends texts to all your contacts to spread the malware or carry out malicious campaigns.
- Send SMS or make calls (send_sms / make_call): Uses your phone to communicate with others as if it were you.
- Capture notifications (get_push_notifications): Monitors the notifications you receive, including messages, emails, and app alerts.
- Collect device information (get_device_info): Sends data like phone model, operating system, language, IP address, and more to the server.
- Set up proxy connections (get_proxy_data): Uses advanced techniques to convert HTTP or HTTPS traffic into WebSocket connections, enabling easier background communication and execution.
- Forward specific SMS (relay): Redirects messages to other numbers as instructed by the server.
Additionally, once the user unknowingly grants the required permissions, ClayRat can access the contact list and automatically write and send messages to each person, further expanding its reach like a personalized spam campaign.
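Two of the behaviours described above (a sideloaded package that then makes itself the default SMS handler) can be checked quickly with adb on a device you are triaging. The script below is an added example written for this article, not code from Zimperium or the malware; the package names and adb output it contains are constructed, while the two adb commands named in the docstring are real.

```python
"""
Triage helper: flag packages not installed by Google Play and report whether
one of them is the device's default SMS app.

On a real device, replace the constructed samples with the output of:
  adb shell pm list packages -i
  adb shell settings get secure sms_default_application
"""
import re

KNOWN_STORE_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample of `pm list packages -i` output (package names are made up
# for this example, except the well-known Play installer id).
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.google.android.apps.messaging  installer=null
package:com.example.fakeupdate  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# Constructed value of `settings get secure sms_default_application`.
SAMPLE_DEFAULT_SMS = "com.example.fakeupdate"


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package (None when pm prints 'null')."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.group(1), m.group(2)
            result[pkg] = None if installer == "null" else installer
    return result


def sideloaded_packages(installers: dict,
                        system_prefixes=("com.android.", "com.google.android.")) -> list:
    """Packages with no store installer, skipping preloaded system packages by prefix."""
    return sorted(pkg for pkg, inst in installers.items()
                  if inst not in KNOWN_STORE_INSTALLERS
                  and not pkg.startswith(system_prefixes))


def triage(pm_output: str, default_sms: str) -> dict:
    """Combine both checks: sideloaded apps, and whether the SMS handler is one of them."""
    sideloaded = sideloaded_packages(parse_installers(pm_output))
    return {"sideloaded": sideloaded,
            "default_sms": default_sms,
            "sms_handler_sideloaded": default_sms in sideloaded}


if __name__ == "__main__":
    print(triage(SAMPLE_PACKAGES, SAMPLE_DEFAULT_SMS))
```

A sideloaded package holding the SMS role is exactly the combination described for ClayRat and warrants a closer look at that app's permissions and origin.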
Is Google Doing Anything About It?
Yes. As part of its collaboration with the App Defense Alliance, Google has reported that Google Play Protect is already blocking many known and recent variants of ClayRat, helping to prevent new infections from detected apps.
However, the campaign remains active and is still expanding. In just three months, over 600 different samples of the spyware have already been identified, showing the attackers’ ongoing efforts to bypass defenses and continue spreading this threat.
Recommendations to Protect Yourself from ClayRat
At TecnetOne, we believe the best way to protect your devices (and your information) is to stay ahead of the threats. Here are some best practices to reduce the risk of infection from spyware like ClayRat:
- Install only from the Google Play Store: Avoid downloading APK files from unverified sites or links shared by third parties.
- Be cautious with external updates: If an app asks you to update outside the official store, it’s likely a trap.
- Check the permissions you grant: An entertainment app shouldn’t request access to your messages, calls, or camera.
- Keep your devices updated: The latest versions of the operating system and apps often fix critical security vulnerabilities.
- Use a trusted security solution: A good Android antivirus can detect and block threats before they act.
- Promote cybersecurity awareness: A key part of protection is educating users. Teaching how to recognize suspicious links, avoid downloading sketchy apps, and not grant permissions blindly is essential to avoid falling into traps like ClayRat.
When it comes to protecting critical infrastructure or business data, it's also crucial to rely on more robust security tools. Solutions like EDR (Endpoint Detection and Response) systems, automated backups, and centralized protection allow for effective prevention, detection, and response to these types of attacks.
At TecnetOne, we’ve developed TecnetProtect, our comprehensive cybersecurity and backup solution. It combines advanced malware protection, device management, and incident recovery (powered by Acronis technology) with personalized, local support tailored to your organization.
Protecting yourself from spyware doesn’t have to be complicated. With the right practices and tools, you can keep your information (and your company’s) safe.