Fake WhatsApp and TikTok Apps Fuel Rapid Spread of ClayRat Spyware on Android
- John Jordan
- Oct 10
A rapidly spreading Android spyware campaign named ClayRat has alarmed cybersecurity experts by targeting users—particularly in Russia—with convincing fake versions of popular apps like WhatsApp and TikTok. Through a mix of phishing sites and Telegram channels, attackers have succeeded in tricking thousands of users into installing malware-laden apps, raising concerns over the speed and scale of modern mobile threats.

Key Takeaways
- ClayRat disguises itself as apps such as WhatsApp, TikTok, Google Photos, and YouTube.
- Attackers use authentic-looking phishing websites and Telegram channels for distribution.
- Once installed, the spyware can steal messages, call logs, photos, and device data—and even propagate itself to users’ contacts.
- More than 600 unique ClayRat malware samples and 50 app droppers have been detected in just three months.
- The attack demonstrates growing sophistication in self-propagating Android malware.
How The Attack Works
Attackers set up phishing websites that impersonate popular app download portals. Unsuspecting users are directed to Telegram channels where they encounter false download counts and fabricated user testimonials, increasing perceived legitimacy. The fake apps mimic real branding and, in some cases, prompt users to override Android’s usual security checks.
The ClayRat malware abuses Android's default SMS handler role. Once set as the default SMS app, it gains broad access to messages and contacts without raising alarm, bypassing the routine permission prompts that would typically warn users.
What ClayRat Can Do on Infected Devices
ClayRat is not a simple information stealer. Its capabilities include:
- Collecting SMS messages, notifications, and call logs
- Capturing photos from the front camera silently
- Sending SMS or making calls without user knowledge
- Sending malicious links to every contact in the infected device’s phonebook, often using convincing social engineering messages
- Covertly updating itself and evading detection by frequently changing code and app-droppers
These functions allow ClayRat not only to spy on users but also to turn each victim’s device into an automated distribution hub, significantly amplifying its reach and impact.
Why The Threat Is Growing
The rapid iteration of ClayRat—with over 600 samples identified within three months—reflects an aggressive campaign by its operators. Techniques such as layering obfuscation, using droppers, and exploiting social trust make this spyware highly evasive and difficult to stop.
Experts note the attack signals a shift back to older, more vulnerable distribution routes (such as SMS-based malware propagation) but with modern automation and deception layered in. People are especially at risk because messages seem to come from known contacts, increasing the likelihood of further infections.
How You Can Protect Yourself
Security researchers stress several defense strategies:
- Only download apps from official sources like the Google Play Store.
- Avoid installing applications from unsolicited messages or unknown websites.
- Be skeptical of app downloads recommended via SMS or social media, even if sent by friends.
- Keep your device’s security features enabled and regularly updated.
For organizations, experts advise restricting sideloading of apps and monitoring for changes to default SMS handlers, particularly on work devices.
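One way to implement the default-SMS-handler monitoring recommended above, as an added example that is not from the original article or its sources. It assumes periodic device inventory snapshots (for instance from an MDM export); the snapshot layout, the allowlists and the `com.example.*` package names are constructed for illustration.

```python
from collections import defaultdict

# Assumed policy values for this example; replace with the fleet's approved apps.
ALLOWED_SMS_HANDLERS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store installer package

# Constructed snapshots: (device, ISO time, default SMS package, installer of that package)
SNAPSHOTS = [
    ("phone-01", "2025-01-05T08:00", "com.google.android.apps.messaging", "com.android.vending"),
    ("phone-01", "2025-01-06T08:00", "com.example.fakechat", None),
    ("phone-02", "2025-01-05T08:00", "com.samsung.android.messaging", "com.android.vending"),
    ("phone-02", "2025-01-06T08:00", "com.google.android.apps.messaging", "com.android.vending"),
    ("phone-03", "2025-01-06T08:00", "com.example.sms2", "com.android.vending"),
]


def find_sms_handler_alerts(snapshots, allowed=ALLOWED_SMS_HANDLERS, trusted=TRUSTED_INSTALLERS):
    """Return an alert each time a device's default SMS handler becomes an unapproved package."""
    by_device = defaultdict(list)
    for device, ts, handler, installer in snapshots:
        by_device[device].append((ts, handler, installer))

    alerts = []
    for device, rows in sorted(by_device.items()):
        previous = None  # handler in the prior snapshot; None for the first snapshot
        # ISO-8601 timestamps sort chronologically as plain strings.
        for ts, handler, installer in sorted(rows, key=lambda row: row[0]):
            if handler != previous and handler not in allowed:
                alerts.append({
                    "device": device,
                    "time": ts,
                    "previous": previous,
                    "handler": handler,
                    # A missing or untrusted installer is treated here as sideloading.
                    "severity": "high" if installer not in trusted else "medium",
                })
            previous = handler
    return alerts


if __name__ == "__main__":
    for alert in find_sms_handler_alerts(SNAPSHOTS):
        print(alert)
```

A switch between two approved handlers (phone-02) produces no alert, while an unapproved handler with no trusted installer (phone-01) is raised at high severity.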
The ClayRat campaign underscores the urgent need to combine technological safeguards with user education to counter increasingly sophisticated Android threats.