- ClayRat malware mimics popular apps to steal data and spread via victim contact lists
- It abuses Android’s SMS handler role to bypass permissions and access sensitive content
- Over 600 variants found; users should stick to trusted app stores and use antivirus tools
A new Android malware variant is posing as popular apps, stealing sensitive files and propagating further.
Experts from Zimperium revealed ClayRat, targeting primarily Russian users by spoofing popular Android apps such as WhatsApp, TikTok, Google Photos, or YouTube, distributed mostly through Telegram channels and standalone phishing sites.
Through typosquatting, the phishing sites trick victims into thinking they’re visiting a legitimate page and then redirects them to Telegram channels where the malware is hosted.
How to stay safe
Once the victims install ClayRat, it abuses Android’s default SMS handler role, allowing it to bypass standard runtime permission prompts and gain access to sensitive data without raising alarms.
“When an app is granted this role, it gains broad access to SMS content and messaging functions, allowing the spyware to read, store, and forward text messages at scale,” Zimperium explained. “Unlike individual runtime permissions that require per-capability approval, the SMS handler role consolidates multiple powerful capabilities into a single authorization step.”
The sensitive data it is looking to exfiltrate includes SMS messages, call logs, device data, and photos taken by the front-facing camera. Once it steals whatever information it finds, the malware propagates further by sending a malicious download link to every contact in the victim’s phonebook, turning the infected device into a powerful distribution hub.
Whoever is behind ClayRat is active, too, Zimperium said. In the last three months alone, the researchers found more than 600 variants and 50 different droppers, each with a separate obfuscation layer. However, they don’t think the practice is unique to this threat actor, but rather proof of the “increasing speed and sophistication” of today’s mobile threats.
“ClayRat demonstrates how attackers are evolving faster than ever, combining social engineering, self-propagation, and system abuse to maximize reach,” said Shridhar Mittal, CEO of Zimperium.
To protect against these sorts of threats, you should only download apps from trusted sources, such as Google’s Play Store, or Apple’s App Store.
A little due diligence wouldn’t hurt, either, by checking the number of downloads, the overall review score, and a few user comments.
Finally, having a mobile antivirus solution set up always helps, and so is being mindful of the permissions granted to different apps.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You might also like
- New Android RAT uses Near Field Communication to automatically steal money from devices
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.