ClayRat: A New Android Mobile Threat Vector
By Cam Sivesind
Mon | Oct 13, 2025 | 9:32 AM PDT

Zimperium zLabs has recently published analysis on ClayRat, a rapidly evolving Android spyware campaign primarily targeting users in Russia. The research exposes a sophisticated, multi-stage distribution method and a concerning technical shift: the extensive abuse of the Android device's default SMS handler role.

For mobile security professionals, ClayRat serves as a critical case study illustrating the increasing complexity and high velocity of modern mobile malware, particularly in how it achieves exponential self-propagation and deep surveillance capabilities.

ClayRat's initial distribution strategy is a highly orchestrated mix of social engineering and deception, demonstrating a clear focus on scale. According to zLabs researchers, the campaign has seen an alarming expansion: "More than 600 samples and 50 droppers have been observed in the past three months alone," with each iteration rapidly evolving with "new layers of obfuscation and packing to evade detection."

Key distribution tactics include:

  1. Trusted impersonation: ClayRat masquerades as popular, legitimate applications, including services like WhatsApp, Google Photos, TikTok, and YouTube, to lower user skepticism during the sideloading process.

  2. Community distribution: The malicious APKs are hosted and distributed heavily through Telegram channels and phishing websites that mimic legitimate service pages. This leverages user trust in familiar communication platforms.

  3. UX-level deception: Attackers utilize tactics that prompt users to bypass Android's built-in warnings, sometimes even presenting a deceptive "session-style" installation flow that mimics the Google Play update experience on Android 13 and above, thereby exploiting user trust in official update processes.

The core of ClayRat's danger lies in its persistent and stealthy surveillance capabilities, enabled by exploiting a high-privilege Android role.

ClayRat's most concerning feature, as highlighted by Zimperium, is its abuse of Android's default SMS handler role. When the malware is successfully granted this permission, it gains deep, unmonitored access to the victim's messaging functions, effectively bypassing standard runtime permission prompts for sensitive data access.

"ClayRat is a new Android spyware that hides inside fake apps that mimic popular apps and tricks users into giving it special permissions," said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck. "Once installed, it can secretly read and send text messages, take photos, steal contact lists and call logs, and spread itself by texting malicious links to everyone in the contact list on the victim's phone. It communicates with its operators using encrypted channels, making it hard to detect."

Capabilities enabled by SMS handler abuse:

  • Mass self-propagation: Once active and granted SMS privileges, ClayRat automatically composes and sends a socially engineered message (e.g., "Узнай первым! <link>") to "every single contact saved on the victim's device." This turns every infected mobile endpoint into a distribution node, fueling exponential, community-driven spread without requiring new infrastructure from the attackers.

  • Deep surveillance: The malware leverages its remote command structure to execute extensive surveillance:

    • Exfiltrating all incoming and stored SMS messages and call logs

    • Stealing notifications from the device

    • Sending SMS or placing calls from the victim's device without confirmation

The ClayRat campaign reinforces several urgent requirements for enterprise mobile security strategies:

  1. Shift focus to sideloading and phishing: The malware's reliance on third-party channels (Telegram, phishing sites) confirms that traditional defenses focused solely on the official app stores are insufficient. Security policies and Mobile Threat Defense (MTD) solutions must prioritize the detection and blocking of non-official application sources and malicious links embedded in SMS messages (smishing).

  2. Permission monitoring is key: The successful operation of ClayRat hinges on the user granting the default SMS handler role. MTD solutions must employ behavioral analytics to flag and restrict applications attempting to gain unusually high-risk, default roles—especially those not typically associated with the app's legitimate function.

  3. Account for rapid evolution: The sheer volume and speed of new ClayRat samples observed (more than 600 in three months) means static IOC-based security models will fail quickly. Defense requires on-device dynamic detection engines and behavioral machine learning capable of identifying malicious intent and anomalous activity before the variant is publicly known.

The ClayRat campaign is a clear example of how threat actors are innovating to achieve high-volume, deep-access mobile compromise. With the weaponization of social networks and exploitation of powerful default operating system roles, mobile security is no longer just about protecting apps—it's about protecting the social trust and core functionality of the device itself.

"Once installed, ClayRat can steal SMS messages, call logs, notifications, device identifiers, and photos taken with the front camera. It can also send SMS or place calls from the device," said Jason Soroko, Senior Fellow at Sectigo. "Security teams should enforce a layered mobile security posture that reduces installation paths, detects compromise, and limits blast radius. Teams should also block sideloading through Android Enterprise policy, allow only managed Google Play installs, and monitor for any change to the default SMS app, then block or alert on unauthorized handlers."

"Additionally, I recommend deploying a mobile threat defense solution, integrated with your unified endpoint management, to analyze apps at install time, inspect behavior on device, quarantine or disconnect risky devices, and feed risk signals to conditional access so only healthy devices reach email and SaaS," Soroko said. "Also, move away from SMS-based codes and adopt phishing-resistant multi-factor authentication (MFA) such as security keys or passkeys, and fall back to app-based one-time password (OTP) only inside a managed profile. NIST deprecated SMS messaging for a good reason."

He continued, "Teams should also add network protections, including DNS filtering and egress controls, and alert on spikes in outbound SMS volume, repeated link sending to many contacts, unusual camera activations, and attempts to keep the screen awake while in the background. Prepare an incident playbook that isolates the device, revokes tokens and sessions, resets credentials, notifies the carrier if abuse is suspected, alerts the user contacts to ignore prior texts, and factory resets before re-enrollment."
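As an added example (not code from the article, from Zimperium, or from the quoted experts), the two checks just described, a default SMS handler change to a package outside an allowlist and the same-link fan-out to many contacts that the propagation section attributes to ClayRat, run here over constructed MDM-style telemetry; the package names, phone numbers and link are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the fleet is expected to use one of these SMS handlers.
ALLOWED_SMS_HANDLERS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}

# Constructed telemetry for one managed device; package names, numbers and link are invented.
EVENTS = [
    {"t": "2025-10-13T09:00:00", "type": "default_sms_app", "pkg": "com.google.android.apps.messaging"},
    {"t": "2025-10-13T09:04:30", "type": "default_sms_app", "pkg": "com.example.fakegallery"},
    {"t": "2025-10-13T09:05:10", "type": "sms_out", "pkg": "com.google.android.apps.messaging",
     "to": "+10000000001", "link": None},
] + [
    {"t": f"2025-10-13T09:06:{i:02d}", "type": "sms_out", "pkg": "com.example.fakegallery",
     "to": f"+1000000{i:04d}", "link": "https://example.invalid/app.apk"}
    for i in range(12)
]

def _ts(s):
    return datetime.fromisoformat(s)

def detect_handler_change(events, allowed=ALLOWED_SMS_HANDLERS):
    """Return (time, pkg) for every default-SMS-handler change to a package outside the allowlist."""
    return [(e["t"], e["pkg"]) for e in events
            if e["type"] == "default_sms_app" and e["pkg"] not in allowed]

def detect_sms_fanout(events, window=timedelta(minutes=5), min_recipients=10):
    """Flag (pkg, link, n) when one app sends the same link to at least min_recipients
    distinct numbers inside `window`; ordinary messaging rarely looks like this."""
    sends = defaultdict(list)
    for e in events:
        if e["type"] == "sms_out" and e.get("link"):
            sends[(e["pkg"], e["link"])].append((_ts(e["t"]), e["to"]))
    alerts = []
    for (pkg, link), items in sends.items():
        items.sort()
        for start, _ in items:  # slide a window anchored at each send
            recipients = {to for t, to in items if start <= t <= start + window}
            if len(recipients) >= min_recipients:
                alerts.append((pkg, link, len(recipients)))
                break
    return alerts

def run(events=EVENTS):
    return {"handler_alerts": detect_handler_change(events),
            "fanout_alerts": detect_sms_fanout(events)}

if __name__ == "__main__":
    print(run())
```

Thresholds are placeholders; tune the window and recipient count to the fleet's normal messaging volume before alerting.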

"Finally, I recommend end-user education that instructs employees to install mobile apps only from managed stores and with rapid OS and app patching across fleets," Soroko concluded.
