Executive Summary
Over the past few months, zLabs researchers have been tracking ClayRat, a rapidly evolving Android spyware campaign primarily targeting Russian users. Distributed through Telegram channels and phishing sites, ClayRat masquerades as popular apps such as WhatsApp, Google Photos, TikTok, and YouTube to lure victims into installation.
Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; take photos with the front camera; and even send SMS messages or place calls directly from the victim’s device. ClayRat also spreads aggressively by sending malicious links to every contact in the victim’s phone book, effectively turning each infected device into a distribution hub.
Our research shows that ClayRat is expanding at an alarming rate: more than 600 samples and 50 droppers have been observed in the past three months alone, with each iteration adding new layers of obfuscation and packing to evade detection. This demonstrates the operators’ continued efforts to stay covert and resilient against security defenses.
ClayRat poses a serious threat not only because of its extensive surveillance capabilities, but also because of its abuse of Android’s default SMS handler role. This technique allows it to bypass standard runtime permission prompts and gain access to sensitive data without raising alarms.
Distribution Vector
ClayRat is distributed through a highly orchestrated mix of social engineering and web-based deception, designed to exploit user trust and convenience. The campaign relies heavily on Telegram channels and phishing websites that impersonate well-known services and applications. In several observed cases, the attackers registered domains that closely mimic legitimate service pages - for example, a fake GdeDPS landing page (Figure 1). From these lookalike sites, visitors are redirected to Telegram channels (see Figure 2) where the malicious APK is hosted or linked. To increase installation success, the malware is often accompanied by simple step-by-step instructions that encourage users to bypass Android’s built-in security warnings.
Fig. 1: Domain hosted online impersonating GdeDPS
Fig. 2: Attackers prompting victims to join Telegram channel
The operators further amplify their reach by seeding these Telegram channels with manufactured social proof: staged positive comments, inflated download counts, and fake “user testimonials” designed to reduce suspicion. Dedicated distribution channels, such as the observed @baikalmoscow channel (Figure 3), serve as persistent hubs for spreading malware. This setup not only enables rapid reuse of the same infrastructure but also facilitates affiliate-style propagation, making the campaign scalable and harder to disrupt.
Fig. 3: One of the channels, @baikalmoscow, spreading the APKs
Phishing sites represent another key distribution vector. The campaign leverages multiple fake portals that impersonate popular applications - such as a “YouTube Plus” themed site (Figure 4) - and host APKs disguised as legitimate updates or feature add-ons. These sites are carefully crafted to resemble official sites and often provide step-by-step instructions that guide unsuspecting users through sideloading the malicious APK. Common tactics include directing users to enable installation from unknown sources or presenting a “session-style” installation flow that mimics the Google Play update experience on Android 13 and above.
Fig. 4: Spyware hosted on phishing site impersonating YouTube Plus
To bypass platform restrictions and the added friction introduced in newer Android versions, some ClayRat samples act as droppers: the visible app is merely a lightweight installer that displays a fake Play Store update screen, while the actual encrypted payload is hidden within the app’s assets. This session-based installation method lowers perceived risk and increases the likelihood that a webpage visit will result in spyware being installed.
A major propagation mechanism in this campaign is the malware’s ability to weaponize the victim’s contact list. Once active and granted default SMS handling privileges, ClayRat automatically composes and sends socially engineered messages (“Узнай первым! <link>”) to every contact. Because these messages appear to come from a trusted source, recipients are far more likely to click the link, join the same Telegram channel, or visit the same phishing site. Each infected device therefore becomes a distribution node, fueling exponential spread without the need for new infrastructure.
In short, ClayRat combines:
- Impersonation of trusted services and apps through polished phishing pages.
- Community distribution via Telegram channels and staged social proof.
- UX-level deception through fake update/install screens and session-based installers.
- Self-propagation through mass SMS forwarding.
Together, these tactics explain both the campaign’s rapid growth and its effectiveness at reaching non-technical users.
ClayRat and its Variants
The spyware was named "ClayRat" after its command-and-control (C2) server, which presents a login form labeled with the platform’s name when accessed (Figure 5).
Fig. 5: Attackers named C2 server as ClayRat
ClayRat uses standard HTTP to communicate with its command-and-control (C2) infrastructure. To obfuscate its traffic, the malware inserts the marker string "apezdolskynet" into otherwise Base64-encoded payloads (see Figure 6).
Fig. 6: Random word “apezdolskynet” added in the first variant of the spyware
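The following Python helper is an added example, not code from the zLabs report or from the malware: it normalizes a captured first-variant payload by removing the "apezdolskynet" marker and Base64-decoding the remainder, which is what an analyst does when turning the obfuscated traffic back into inspectable data. The report does not state where in the Base64 string the marker is inserted, so the helper removes every occurrence (an assumption), and the sample payload below is constructed for illustration.

```python
import base64
import binascii
from typing import Optional

# Marker string the first ClayRat variant inserts into its Base64 C2 payloads (from the report).
MARKER = "apezdolskynet"


def strip_marker(payload: str, marker: str = MARKER) -> str:
    """Remove every occurrence of the marker.

    The report does not say at which offset the marker is inserted, so all
    occurrences are removed (assumption)."""
    return payload.replace(marker, "")


def decode_payload(payload: str, marker: str = MARKER) -> Optional[bytes]:
    """Strip the marker and Base64-decode what is left; None if it is not valid Base64."""
    cleaned = strip_marker(payload.strip(), marker)
    # Restore any '=' padding the sender may have dropped.
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_clayrat_v1(payload: str, marker: str = MARKER) -> bool:
    """Detection heuristic: the marker is present AND the remainder is valid Base64.

    Requiring both avoids flagging arbitrary text that merely contains the word."""
    return marker in payload and decode_payload(payload, marker) is not None


# Constructed sample: a plaintext record, Base64-encoded, with the marker spliced in.
SAMPLE_PLAINTEXT = b'{"cmd":"get_device_info","id":"TEST-DEVICE-0000"}'
_encoded = base64.b64encode(SAMPLE_PLAINTEXT).decode()
SAMPLE_PAYLOAD = _encoded[:10] + MARKER + _encoded[10:]


if __name__ == "__main__":
    print("flagged:", looks_like_clayrat_v1(SAMPLE_PAYLOAD))
    print("decoded:", decode_payload(SAMPLE_PAYLOAD))
```

The heuristic is only meaningful for the first variant; the AES-GCM variant described below carries no marker and cannot be decoded without its key.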
An alternate variant uses AES-GCM to encrypt its C2 communications; it is packed and dynamically loads an encrypted payload from its assets at runtime.
Session-based Installation to Bypass Android 13 Restrictions
We also identified more than 50 samples in which the malware acts as a dropper app to bypass Android restrictions. The real payload is encrypted and stored in the app’s assets, while the installer tricks users by presenting a fake Google Play update screen (Figure 7).
Fig. 7: Session based installation used by the malware
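Because the dropper variants keep the real payload encrypted inside the APK’s assets, a quick triage signal is an unusually large, high-entropy file under assets/. The Python below is an added example (not code from the report or from Zimperium’s products) that walks an APK as a zip archive and flags such assets; the 7.5 bits/byte threshold and 4 KiB minimum size are assumptions to tune, and the sample "APK" is a constructed zip, not a ClayRat sample.

```python
import io
import math
import os
import zipfile
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_assets(apk_bytes: bytes,
                      threshold: float = 7.5,   # assumption: encrypted/compressed data sits near 8.0
                      min_size: int = 4096) -> Dict[str, float]:
    """Return {asset path: entropy} for assets/ entries at or above the entropy threshold.

    An APK is a zip file, so zipfile is enough to enumerate and read its entries."""
    flagged: Dict[str, float] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            if info.file_size < min_size:
                continue   # tiny files give noisy entropy estimates
            entropy = shannon_entropy(zf.read(info))
            if entropy >= threshold:
                flagged[info.filename] = round(entropy, 3)
    return flagged


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: one plain-text asset and one random
    (encrypted-looking) asset. Not a real ClayRat sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/strings.txt", b"hello world\n" * 1000)
        zf.writestr("assets/update.bin", os.urandom(65536))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage on a real file: suspicious_assets(open("sample.apk", "rb").read())
    print(suspicious_assets(build_sample_apk()))
```

High entropy alone is not proof of a dropper (images and compressed resources also score high), so the result is a triage lead to pair with manifest review, for example whether the app requests the install-packages permission it would need to stage the payload.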
Abuse of the Default SMS Handler Role
One of ClayRat’s most effective tactics is its abuse of Android’s default SMS handler role. When an app is granted this role, it gains broad access to SMS content and messaging functions, allowing the spyware to read, store, and forward text messages at scale. Unlike individual runtime permissions that require per-capability approval, the SMS handler role consolidates multiple powerful capabilities into a single authorization step.
As illustrated in Figure 8, this role effectively grants an application the ability to:
- Read all incoming and stored SMS messages on the device.
- Send new SMS messages without requiring user confirmation.
- Receive and intercept SMS events before they reach other apps.
- Access or modify SMS databases, giving persistent visibility into communications.
Because of this breadth of access, the SMS handler role is among the most sensitive on Android. While intended for legitimate messaging apps, in the hands of malware it becomes a force-multiplier for data theft, covert surveillance, and mass propagation—effectively bypassing the protections that normally govern dangerous permissions.
Fig. 8: Spyware requesting default SMS permission
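On a managed fleet, the practical check that follows from this section is "which package currently holds the default SMS role, and was it expected?" The Python below is an added example (not code from the report) that parses the output of two adb queries, `settings get secure sms_default_application` and `pm list packages -i`, and flags an unexpected role holder that was not installed from Google Play. The allowlist of expected messaging packages, the `installer=` output format assumed for `pm list packages -i`, and the sample device output are all assumptions or constructed data.

```python
import re
import subprocess
from typing import Dict, List, Optional, Set

# Assumption: packages allowed to hold the SMS role on this fleet; tune for your devices.
EXPECTED_SMS_HANDLERS: Set[str] = {
    "com.google.android.apps.messaging",
    "com.samsung.android.messaging",
}
PLAY_STORE = "com.android.vending"


def parse_default_sms_setting(raw: str) -> Optional[str]:
    """Parse `adb shell settings get secure sms_default_application`; None when unset."""
    value = raw.strip()
    return None if not value or value == "null" else value


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Parse `adb shell pm list packages -i` lines, assumed to look like
    'package:<name>  installer=<pkg|null>'. None means no recorded installer (sideloaded)."""
    result: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        match = re.search(r"installer=(\S+)", rest)
        installer = match.group(1) if match and match.group(1) != "null" else None
        result[pkg] = installer
    return result


def assess_sms_role_holder(holder: Optional[str],
                           expected: Set[str] = EXPECTED_SMS_HANDLERS) -> str:
    if holder is None:
        return "no-holder"
    return "expected" if holder in expected else "unexpected"


def triage_device(sms_setting_raw: str, pm_list_raw: str,
                  expected: Set[str] = EXPECTED_SMS_HANDLERS) -> dict:
    """Combine both queries into one verdict for the device."""
    holder = parse_default_sms_setting(sms_setting_raw)
    installers = parse_installers(pm_list_raw)
    verdict = assess_sms_role_holder(holder, expected)
    installer = installers.get(holder) if holder else None
    return {
        "holder": holder,
        "verdict": verdict,
        "installer": installer,
        # An unexpected SMS role holder that did not come from Play is the pattern this report describes.
        "sideloaded_unexpected": verdict == "unexpected" and installer != PLAY_STORE,
    }


def adb_shell(args: List[str], serial: Optional[str] = None) -> str:
    """Run an adb shell command and return stdout (requires adb and an authorized device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell"] + args
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample output: a sideloaded app that took over the SMS role.
SAMPLE_SMS_SETTING = "com.example.photos.fake\n"
SAMPLE_PM_LIST = (
    "package:com.google.android.apps.messaging  installer=null\n"
    "package:com.example.photos.fake  installer=null\n"
    "package:com.android.chrome  installer=com.android.vending\n"
)


if __name__ == "__main__":
    # Against a live device:
    # triage_device(adb_shell(["settings", "get", "secure", "sms_default_application"]),
    #               adb_shell(["pm", "list", "packages", "-i"]))
    print(triage_device(SAMPLE_SMS_SETTING, SAMPLE_PM_LIST))
```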
Once the permission is granted, the malware immediately captures photos (typically using the front-facing camera) and uploads them to its C2 server (Figure 9). The spyware also supports a range of remote commands, including:
- Upload SMS messages to the server
- Exfiltrate call logs
- Exfiltrate notifications
- Send SMS from the victim’s device
The complete list of commands is given in Table 1.
Fig. 9: Decrypted plain text data sent to command and control server
The spyware uses a highly effective propagation technique: it sends mass text messages to every single contact saved on the victim's device, exploiting the victim’s social network to spread rapidly. Upon receiving a command from its command and control (C2) server, the malware composes "Узнай первым! <link>" (English: “Be the first to know! <link>”) and, using the SEND_SMS and READ_CONTACTS permissions, automatically harvests the victim’s contact list and delivers the malicious link to every entry. By turning each infected device into an automated distribution node, this behavior enables fast, wide-reaching infection without additional infrastructure.
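The mass-SMS behaviour has a clear telemetry signature: one message template containing a link, sent from one device to many distinct recipients in a short burst. The Python below is an added detection example (not code from the report) that runs that heuristic over an export of outgoing SMS records. The record format (tab-separated timestamp, recipient, body), the 10-minute window, the 20-recipient threshold, and the sample data are all constructed assumptions; the link in the sample uses a placeholder domain, not a real campaign URL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Links as they appear in SMS bodies; t.me/ links are included because the campaign
# routes victims to Telegram channels.
URL_RE = re.compile(r"(?:https?://|t\.me/)\S+", re.IGNORECASE)

Record = Tuple[datetime, str, str]   # (sent_at, recipient, body)


def parse_outbox(lines: Iterable[str]) -> List[Record]:
    """Parse constructed export lines: ISO timestamp, recipient, body, tab-separated (assumption)."""
    records: List[Record] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        ts, recipient, body = line.split("\t", 2)
        records.append((datetime.fromisoformat(ts), recipient, body))
    return records


def find_mass_sms_bursts(records: List[Record],
                         window: timedelta = timedelta(minutes=10),   # assumption
                         min_recipients: int = 20) -> List[Dict[str, object]]:
    """Flag message templates (body with the link replaced by <url>) that reach at least
    min_recipients distinct numbers inside any sliding window of the given length."""
    by_template: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for sent_at, recipient, body in records:
        if not URL_RE.search(body):
            continue                       # only link-bearing messages matter here
        template = URL_RE.sub("<url>", body).strip()
        by_template[template].append((sent_at, recipient))

    alerts: List[Dict[str, object]] = []
    for template, sends in by_template.items():
        sends.sort()
        start = 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1                 # slide the window forward
            distinct = {r for _, r in sends[start:end + 1]}
            if len(distinct) >= min_recipients:
                alerts.append({
                    "template": template,
                    "recipients": len(distinct),
                    "first": sends[start][0],
                    "last": sends[end][0],
                })
                break                      # one alert per template is enough
    return alerts


def build_sample_outbox() -> List[str]:
    """Constructed export: 25 copies of the lure to distinct contacts within ~50 s,
    plus two benign messages. The link domain is a placeholder."""
    base = datetime(2025, 1, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts}\t+7900000{i:04d}\tУзнай первым! https://example.invalid/app")
    lines.append(f"{(base + timedelta(minutes=30)).isoformat()}\t+79001112233\tsee you at 5")
    lines.append(f"{(base + timedelta(minutes=31)).isoformat()}\t+79001112234\tdoc: https://example.invalid/doc")
    return lines


if __name__ == "__main__":
    for alert in find_mass_sms_bursts(parse_outbox(build_sample_outbox())):
        print(alert)
```

Keying on the body with the link replaced lets the rule catch per-recipient link variants (tracking parameters, shortened URLs) as one campaign, and the recipient-count threshold keeps ordinary group announcements with a handful of recipients out of the alerts.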
List of Commands
| Command | Description |
| --- | --- |
| get_apps_list | Sends the list of installed applications to the C2 |
| get_calls | Sends all call logs to the C2 |
| get_camera | Takes a picture of the victim using the front camera and sends it to the server |
| get_sms_list | Collects the list of SMS messages on the phone and sends it to the server |
| make_call | Makes a call from the victim’s device |
| messsms | Sends mass SMS to all the contacts present in the victim’s phone |
| notifications | Manages notification settings and reports the result back |
| get_push_notifications | Steals all notifications from the device and sends them to the server |
| retransmishion | Resends an SMS, where the phone number is received from the C2 |
| send_sms | Sends an SMS to a number |
| get_device_info | Gets device info |
| get_proxy_data | Dynamically fetches a proxy WebSocket URL, appends the device ID, and initializes a network/connection object; converts HTTP/HTTPS to WebSocket and schedules periodic or delayed tasks |
Table 1: Complete set of commands used by the spyware
Zimperium vs. ClayRat
Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) solutions deliver comprehensive protection against ClayRat and its numerous variants. Our on-device, dynamic detection capabilities identified the spyware samples outlined in this research from their very first appearance—well before public disclosures or signature updates became available. This proactive approach ensured customers remained protected even as threat actors rapidly evolved their techniques, shifting from unpacked binaries to packed variants and leveraging multiple distribution channels to evade defenses.
The sheer scale of this campaign—over 600 observed samples in just three months—highlights how quickly the mobile threat landscape is changing. Despite this pace, Zimperium consistently detected ClayRat variants, validating the strength and resilience of our behavioral ML models. Customers in regions most impacted by this campaign remained fully protected without relying on delayed signature updates or cloud lookups.
As an App Defense Alliance partner, Zimperium has shared these findings with Google. This collaboration ensures that Android users are also automatically safeguarded against known versions of ClayRat through Google Play Protect, which is enabled by default on devices with Google Play Services. Zimperium will continue tracking this campaign and adapting protection as new variants emerge, staying in step with attacker innovation.
MITRE ATT&CK Techniques
| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Initial Access | | Phishing | Adversaries host external phishing sites to download malicious APKs |
| Persistence | | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events and outgoing calls |
| Defense Evasion | | Masquerading: Match Legitimate Name or Location | The malware payload impersonates the Google Play icon as an extension |
| Discovery | | System Information Discovery | It gets device info such as device name, Android version, etc. |
| Collection | | Protected User Data: SMS Messages | It exfiltrates user SMS messages and sends them to the server |
| Collection | | Protected User Data: Call Log | The malware steals call logs |
| Command and Control | | Application Layer Protocol: Web Protocols | Uses the HTTP protocol to communicate with C&C servers |
| Exfiltration | | Exfiltration Over C2 Channel | Sends exfiltrated data over the C&C channel |
| Impact | | SMS Control | It can read SMS messages |
| Impact | | Call Control | TAs can make calls from the victim’s device |
A big thanks to Fernando Sanchez Ortega for his help with the data collection and analysis.
Indicators of Compromise
The full list of IOCs can be found in this repository.