A new Android spyware called ClayRat is luring potential victims by posing as popular apps and services like WhatsApp, Google Photos, TikTok, and YouTube.
According to Zimperium, some ClayRat malware samples act as droppers, where the app the user sees is a fake Play Store update screen and an encrypted payload is hidden in the app’s assets.
The malware nests in the device using a “session-based” installation method to bypass Android 13+ restrictions and reduce user suspicion.
The ClayRat spyware assumes the default SMS handler role on infected devices, allowing it to read all incoming and stored SMS, intercept them before other apps, and modify SMS databases.
As a member of the App Defense Alliance, Zimperium shared the full IoCs with Google, and Play Protect now blocks known and new variants of the ClayRat spyware.
Potential victims are being lured in by a new Android spyware called ClayRat, which impersonates well-known apps and services such as YouTube, TikTok, Google Photos, and WhatsApp.
The campaign targets Russian users through Telegram channels and convincing malicious websites. Once installed, the malware can steal SMS messages, call logs, and notifications, take photos with the front camera, and place phone calls.
According to researchers at mobile security firm Zimperium, who have catalogued over 600 samples and 50 unique droppers in the past three months, the attackers are making a concerted effort to expand the operation.
The ClayRat campaign
The ClayRat campaign, which takes its name from the malware’s command and control (C2) server, uses professionally built phishing portals on registered domains that closely mimic the pages of the services being impersonated.
These websites either host the Android package files (APKs) directly or redirect users to Telegram channels that distribute them.
To lend the sites legitimacy, the threat actors add fabricated comments, inflated download counts, and a fake Play Store-style interface with step-by-step instructions on how to sideload the APK and dismiss Android’s security warnings.
Zimperium reports that some ClayRat samples function as droppers: the user is shown a fake Play Store update screen while the real payload sits, encrypted, in the app’s assets.
The dropper then installs that payload through a “session-based” installation, which sidesteps the Android 13+ restrictions and gives the user less reason to be suspicious. Android 13 and later apply their Restricted Settings safeguards to apps sideloaded from a file, but treat a session-based install much like an install from an app store, which is exactly the gap the dropper exploits.
According to the researchers, “this session-based installation method increases the likelihood that a webpage visit will result in spyware being installed and lowers perceived risk.”
Once running on the device, the malware uses the new host as a launching pad, sending SMS messages to everyone in the victim’s contact list in order to reach further victims.
Spyware’s capabilities
To read all incoming and stored SMS, intercept them before other apps do, and alter SMS databases, the ClayRat spyware takes over the default SMS handler role on compromised devices.
Communication with the C2, which is AES-GCM encrypted in the most recent versions, delivers one of the 12 supported commands to the spyware:
get_apps_list: sends the list of installed apps to the C2.
get_calls: sends the call logs.
get_camera: takes a picture with the front camera and sends it to the server.
get_sms_list: exfiltrates SMS messages.
messsms: sends a bulk SMS to all of the victim’s contacts.
send_sms / make_call: sends an SMS or places a call from the device.
notifications / get_push_notifications: records push data and notifications.
get_device_info: collects device information.
get_proxy_data: retrieves a WebSocket proxy URL, appends a device ID, and sets up a connection object that schedules tasks and converts HTTP/HTTPS to WebSocket.
A further command sends an SMS to a number received from the C2.
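The capability cluster above can be checked statically before a sample is ever run. The following Python is an added example (not code from the article or from Zimperium) that triages a decoded AndroidManifest.xml, such as apktool produces, for the four components an app must declare to hold the default SMS handler role, plus the SMS, contacts, call, camera, notification-listener and package-install permissions that the ClayRat commands imply. The two manifests are constructed for the example and the package names are placeholders; a real SMS client also claims the role, so the verdict keys on the combination rather than on any single permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Namespace-qualify an android:* attribute for ElementTree lookups."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions behind the behaviours described above: SMS theft and propagation,
# contact harvesting, call logs and calls, camera capture, payload sideloading.
CAPABILITY_PERMS = {
    "sms_read_intercept": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "contacts_harvest": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "make_calls": {"android.permission.CALL_PHONE"},
    "camera_capture": {"android.permission.CAMERA"},
    "sideload_payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Intent actions an app must handle before Android lets it hold the default SMS
# handler role (RoleManager.ROLE_SMS): SMS/MMS delivery, compose, quick reply.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage(manifest_xml):
    """Return the set of ClayRat-style capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(attr("name")) for e in root.iter("uses-permission")}
    actions = {a.get(attr("name")) for f in root.iter("intent-filter") for a in f.iter("action")}
    findings = {cap for cap, needed in CAPABILITY_PERMS.items() if needed & perms}
    if SMS_ROLE_ACTIONS <= actions:
        findings.add("default_sms_handler_role")
    if any(s.get(attr("permission")) == NOTIF_LISTENER_PERM for s in root.iter("service")):
        findings.add("notification_capture")
    return findings


def assess(findings):
    """A genuine SMS client claims the role too; it is the combination that is suspicious."""
    spy_cluster = {"default_sms_handler_role", "contacts_harvest", "camera_capture", "sideload_payload"}
    if spy_cluster <= findings:
        return "high"
    if "default_sms_handler_role" in findings and len(findings) >= 5:
        return "medium"
    return "low"


# Constructed manifests (package names are placeholders), as apktool would decode them.
CLAYRAT_LIKE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS"><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".ComposeActivity"><intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="smsto"/></intent-filter></activity>
    <service android:name=".ReplyService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <service android:name=".NotificationSpy" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

BENIGN_SMS_CLIENT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsReceiver"><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsReceiver"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".ComposeActivity"><intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="smsto"/></intent-filter></activity>
    <service android:name=".ReplyService"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("clayrat-like", CLAYRAT_LIKE_MANIFEST), ("benign", BENIGN_SMS_CLIENT_MANIFEST)):
        found = triage(xml)
        print(label, assess(found), sorted(found))
```

The benign client declares the same four SMS-role components and the SMS and contacts permissions, yet comes out "low"; the dropper-style manifest adds camera, call, notification-listener and REQUEST_INSTALL_PACKAGES on top of the role, which is the combination worth escalating.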
Once the necessary permissions are granted, the spyware automatically harvests the contact list and programmatically composes and sends an SMS to each contact, turning every infected device into a distribution point.
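The propagation step lends itself to a behavioural detection. The following Python is an added example (not part of the article or of Zimperium’s tooling) that runs a sliding-window rule over a constructed log of outbound SMS attempts from an instrumented device: any package that reaches five distinct recipients within 60 seconds is flagged, and a burst in which every message has the same body length is marked as templated, which is what a contact-list worm produces. The log format, package names and phone numbers are assumptions made for this example, and the lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log of outbound SMS attempts on an instrumented device, in the
# shape a sandbox hook on SmsManager.sendTextMessage might emit. The format,
# package names and numbers are assumptions made for this example.
SAMPLE_LOG = """\
2025-10-09T12:00:00Z pkg=com.example.fakeupdate dest=+79150000001 len=74
2025-10-09T12:00:02Z pkg=com.example.fakeupdate dest=+79150000002 len=74
2025-10-09T12:00:03Z pkg=com.example.fakeupdate dest=+79150000003 len=74
2025-10-09T12:00:05Z pkg=com.example.fakeupdate dest=+79150000001 len=74
2025-10-09T12:00:07Z pkg=com.example.fakeupdate dest=+79150000004 len=74
2025-10-09T12:00:09Z pkg=com.example.fakeupdate dest=+79150000005 len=74
2025-10-09T12:00:11Z pkg=com.example.fakeupdate dest=+79150000006 len=74
2025-10-09T12:00:14Z pkg=com.example.fakeupdate dest=+79150000007 len=74
2025-10-09T12:05:00Z pkg=com.example.messenger dest=+79160000001 len=21
2025-10-09T12:20:30Z pkg=com.example.messenger dest=+79160000002 len=58
2025-10-09T12:41:35Z pkg=com.example.messenger dest=+79160000003 len=12
2025-10-09T12:41:40Z pkg=com.example.messenger dest=+79160000004 len=33
2025-10-09T12:42:02Z pkg=com.example.messenger dest=+79160000005 len=19
2025-10-09T12:42:30Z pkg=com.example.messenger dest=+79160000001 len=40
"""


def parse_line(line):
    """'<iso-timestamp> pkg=<name> dest=<number> len=<bytes>' -> (ts, pkg, dest, len)."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["pkg"], fields["dest"], int(fields["len"])


def sms_burst_stats(log_text, window_s=60):
    """Per package: the most distinct recipients seen in any window_s-second
    sliding window, and whether that burst used a single body length."""
    windows = defaultdict(deque)   # package -> recent (ts, dest, len) events
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pkg, dest, length = parse_line(line)
        w = windows[pkg]
        w.append((ts, dest, length))
        # Drop events that have aged out of the window (input is time-ordered).
        while (ts - w[0][0]).total_seconds() > window_s:
            w.popleft()
        distinct = len({d for _, d, _ in w})
        best = stats.get(pkg, (0, False))
        if distinct > best[0]:
            templated = len({l for _, _, l in w}) == 1
            stats[pkg] = (distinct, templated)
    return stats


def flag_sms_worms(log_text, min_recipients=5, window_s=60):
    """Packages whose burst reaches min_recipients distinct numbers inside the window."""
    stats = sms_burst_stats(log_text, window_s)
    return sorted(pkg for pkg, (n, _) in stats.items() if n >= min_recipients)


if __name__ == "__main__":
    for pkg, (n, templated) in sms_burst_stats(SAMPLE_LOG).items():
        print(pkg, "max distinct recipients/60s:", n, "templated:", templated)
    print("flagged:", flag_sms_worms(SAMPLE_LOG))
```

The chatty but legitimate messenger peaks at four distinct recipients with varying message sizes and stays under the threshold, while the dropper-style package hits seven distinct numbers in fourteen seconds with identical-length bodies. Tune the threshold to the device population; a shared family phone will look busier than a corporate handset.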
Zimperium, a member of the App Defense Alliance, shared the full IoCs with Google, and Play Protect now blocks known and new variants of the ClayRat spyware.
Even so, the researchers stress that the campaign is extensive, with more than 600 samples recorded in just three months.