
A rapidly evolving Android spyware campaign called ClayRat targets users in Russia by impersonating popular apps such as WhatsApp, Google Photos, TikTok, and YouTube, using a combination of Telegram channels and lookalike phishing websites as decoys to get the malicious apps installed.
“Once activated, the spyware can steal SMS messages, call logs, notifications, device information, take photos with the front camera, and even send SMS messages and make calls directly from the victim’s device,” Zimperium researcher Vishnu Pratapagiri said in a report shared with Hacker News.
The malware is designed to propagate itself by sending a malicious link to every contact in the victim’s phonebook, an aggressive tactic that turns infected devices into a distribution vector.
The mobile security company said it has detected more than 600 samples and 50 droppers in the past 90 days, with each iteration adding new layers of obfuscation to evade detection and stay ahead of security defenses. The malware’s name is a reference to the command-and-control (C2) panel used to remotely manage infected devices.

The attack chain involves redirecting unsuspecting visitors from these fake sites to adversary-controlled Telegram channels, where they are tricked into downloading APK files by means of artificially inflated download counts and fabricated testimonials presented as proof of popularity.
In other cases, fake websites claiming to offer “YouTube Plus” with premium features have been found hosting APK files that bypass the protections Google enforces to prevent sideloading of apps on devices running Android 13 and above.
“To circumvent platform limitations and additional friction introduced in new Android versions, some ClayRat samples act as droppers. The displayed app is nothing more than a lightweight installer that displays a fake Play Store update screen, while the actual encrypted payload is hidden within the app’s assets,” the company said. “This session-based installation method reduces the perceived risk and increases the likelihood that spyware will be installed when you visit a web page.”
Once installed, ClayRat communicates with its C2 infrastructure using standard HTTP and prompts the user to make it the default SMS application, which gives it access to sensitive content and messaging functionality. This allows it to covertly capture call logs, text messages and notifications, and to spread the malware to all of the victim’s other contacts.
Other functions of this malware include making phone calls, retrieving device information, taking photos using the device’s camera, and sending a list of all installed applications to a C2 server.
ClayRat is a potent threat not only for its surveillance capabilities, but also for its ability to turn infected devices into distribution nodes automatically, allowing threat actors to quickly expand their attack radius without manual intervention.

The development follows a study by academics from the University of Luxembourg and Cheikh Anta Diop University, who found that pre-installed apps on low-cost Android smartphones sold in Africa were running with elevated privileges, with one vendor-supplied package sending the device ID and location details to an external third party.
The study examined 1,544 APKs collected from seven smartphones sold in Africa and found that 145 applications (9%) exposed sensitive data, 249 (16%) exposed critical components without adequate safeguards, and many presented additional risks: 226 executed privileged or dangerous commands, 79 interacted with SMS messages (reading, sending, or deleting them), and 33 performed silent installation operations.
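Both parts of the article describe capabilities that are visible in an app’s manifest before it ever runs: the default-SMS-app takeover, call-log, contacts and camera access and dropper-style package installation attributed to ClayRat, and the exported components without adequate safeguards found in the pre-installed apps. The script below is an added example of the static triage a defender can run over a decoded AndroidManifest.xml; it is not Zimperium’s or the researchers’ tooling. It assumes the manifest has already been decoded to plain XML (for instance with apktool), the permission-to-behaviour mapping is a heuristic chosen here, and the embedded manifest is a constructed sample, not a real ClayRat artifact.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability pattern
the article describes. Added example (not Zimperium's or the researchers'
tooling); expects the manifest as plain XML decoded by apktool, not the
binary AXML stored inside the APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespace-qualified form of an android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Heuristic mapping from permissions to the behaviours in the report.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (self-propagation via contacts)",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_CONTACTS": "harvest the phonebook",
    "android.permission.CAMERA": "take photos",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper)",
}
# Actions an app must handle to be offered as the default SMS app
# (Android requirement), together with a SENDTO handler for sms: URIs.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
SMS_SCHEMES = {"sms", "smsto", "mms", "mmsto"}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def intent_actions(component):
    return {act.get(android_attr("name"))
            for f in component.findall("intent-filter")
            for act in f.findall("action")}


def handles_sms_sendto(component):
    for f in component.findall("intent-filter"):
        actions = {a.get(android_attr("name")) for a in f.findall("action")}
        schemes = {d.get(android_attr("scheme")) for d in f.findall("data")}
        if "android.intent.action.SENDTO" in actions and schemes & SMS_SCHEMES:
            return True
    return False


def is_exported(component):
    exported = component.get(android_attr("exported"))
    if exported is not None:
        return exported == "true"
    # Pre-Android-12 default: implicitly exported when it has an intent filter.
    return component.find("intent-filter") is not None


def triage_manifest(xml_text):
    """Return a list of human-readable findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get(android_attr("sharedUserId")) == "android.uid.system":
        findings.append("runs in the system UID (elevated privileges)")
    for perm in root.findall("uses-permission"):
        name = perm.get(android_attr("name"))
        if name in RISKY_PERMISSIONS:
            findings.append(f"permission {name}: {RISKY_PERMISSIONS[name]}")
    app = root.find("application")
    if app is None:
        return findings
    actions_seen, sendto_seen = set(), False
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        actions_seen |= intent_actions(comp)
        sendto_seen |= handles_sms_sendto(comp)
        # An exported service/receiver/provider with no android:permission
        # can be invoked by any other app on the device.
        if (comp.tag != "activity" and is_exported(comp)
                and comp.get(android_attr("permission")) is None):
            findings.append(f"exported {comp.tag} {comp.get(android_attr('name'))} "
                            "without a permission guard")
    if DEFAULT_SMS_ACTIONS <= actions_seen and sendto_seen:
        findings.append("eligible to become the default SMS app (SMS_DELIVER, "
                        "WAP_PUSH_DELIVER, RESPOND_VIA_MESSAGE and sms: SENDTO present)")
    return findings


# Constructed sample manifest: a fake "Photos" app wired up as an SMS handler.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Photos">
    <activity android:name=".Main" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".Compose" android:exported="true">
      <intent-filter><action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/></intent-filter>
    </activity>
    <receiver android:name=".SmsRx" android:exported="true" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsRx" android:exported="true" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".Respond" android:exported="true" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <service android:name=".Cmd" android:exported="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(" -", finding)
```

On the sample, the script reports six risky permissions, the exported `.Cmd` service with no permission guard, and default-SMS-app eligibility; a genuine photo gallery would trigger none of these. The default-SMS check is deliberately conservative: it fires only when all four handlers are present, because that is the combination the platform requires before it will offer the role to the user, which is exactly the prompt the article says ClayRat relies on.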