ClayRat campaign uses Telegram and phishing sites to distribute Android spyware
October 9, 2025
ClayRat spyware for Android targets Russian users through fake Telegram channels and phishing sites masquerading as popular apps like WhatsApp and YouTube.
The ClayRat spyware campaign for Android targets Russian users through fake Telegram channels and phishing sites impersonating popular apps such as Google Photos, WhatsApp, TikTok and YouTube.
Zimperium named the spyware ClayRat after its C2 server, which presents a login form with that name.
Zimperium researchers observed more than 600 samples and more than 50 droppers over three months, each adding layers of obfuscation and packing to evade detection. The malware also abuses Android’s default SMS handler role to bypass per-permission prompts and stealthily access sensitive data.
“ClayRat poses a serious threat not only because of its extensive monitoring capabilities, but also because of its abuse of the role of Android’s default SMS handler,” reads the report published by Zimperium. “This technique allows it to bypass standard runtime permission prompts and access sensitive data without triggering alarms.”
ClayRat spreads via a coordinated mix of social engineering and web deception that exploits user trust. Attackers use Telegram channels and phishing sites imitating legitimate services such as YouTube or GdeDPS to host fake APKs, complete with step-by-step installation guides that walk victims past Android’s sideloading warnings.
Telegram channels, peppered with fake reviews and inflated statistics, amplify reach and persistence.
The malware also spreads through phishing sites imitating popular apps, which serve fake APKs. Some samples act as droppers, displaying a fake update screen while hiding the real payload. Once installed, the spyware automatically sends malicious SMS messages to every contact on the device, turning each infection into a distribution node.
“A major driver of this campaign’s spread is the malware’s ability to weaponize the victim’s contact list. Once active and granted default SMS handler privileges, ClayRat automatically composes and sends social engineering messages (“Узнай первым!”, “Be the first to know!”) to each contact,” the report continues. “Because these messages appear to come from a trusted source, recipients are much more likely to click the link, join the same Telegram channel, or visit the same phishing site. Each infected device therefore becomes a distribution node, fueling exponential spread without the need for new infrastructure.”
By combining brand impersonation, Telegram channels, fake update and installation flows, and self-propagation, the campaign is growing quickly and effectively targets non-technical users.
ClayRat communicates with its C2 over plain HTTP and obfuscates payloads by inserting the string “apezdolskynet” into otherwise Base64-encoded data, so a naive Base64 decoder produces garbage unless the marker is stripped first. Experts also spotted an alternative variant that packs the sample, uses AES-GCM to encrypt C2 traffic, and dynamically loads an encrypted payload from its assets at runtime.
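The marker trick is cheap to undo once you know it is there. The following Python is an added example, not code from the Zimperium report or from the malware: it emulates the obfuscation (Base64 plus the “apezdolskynet” string spliced in, with the insertion offset as an assumption since the report does not give it), pulls marked blobs out of a captured HTTP body, strips the marker and decodes. The sample body and command are constructed for the example.

```python
import base64
import re

# Marker string the report says ClayRat inserts into Base64-encoded data.
MARKER = b"apezdolskynet"

# Base64 alphabet run containing the marker: the marker itself is made of
# valid Base64 characters, which is why an unaware decoder silently corrupts
# the output instead of failing.
_BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]*" + re.escape(MARKER) + rb"[A-Za-z0-9+/=]*")


def obfuscate(data: bytes, position: int = 12, marker: bytes = MARKER) -> bytes:
    """Emulate the scheme: Base64-encode, then splice the marker in.

    The insertion offset is an assumption made for this example; the report
    only states that the tag is inserted into otherwise Base64 data.
    """
    encoded = base64.b64encode(data)
    position = min(position, len(encoded))
    return encoded[:position] + marker + encoded[position:]


def deobfuscate(blob: bytes, marker: bytes = MARKER) -> bytes:
    """Remove every occurrence of the marker, repair padding, then decode."""
    cleaned = blob.replace(marker, b"")
    cleaned += b"=" * (-len(cleaned) % 4)  # tolerate stripped padding
    return base64.b64decode(cleaned)


def extract_marked_blobs(capture: bytes) -> list[bytes]:
    """Return every Base64-looking run in a capture that contains the marker."""
    return [m.group(0) for m in _BLOB_RE.finditer(capture)]


def decode_capture(capture: bytes) -> list[bytes]:
    """Decode all marked blobs found in a raw HTTP body or pcap payload."""
    return [deobfuscate(blob) for blob in extract_marked_blobs(capture)]


# Constructed sample traffic for the example (not real ClayRat C2 data).
SAMPLE_COMMAND = b'{"cmd":"list_apps","id":1}'
SAMPLE_BODY = b'{"d":"' + obfuscate(SAMPLE_COMMAND) + b'"}'

if __name__ == "__main__":
    for decoded in decode_capture(SAMPLE_BODY):
        print(decoded.decode())
```

The regex deliberately matches on the marker rather than on Base64 shape alone, so it can double as a cheap network-detection rule: any HTTP body carrying that literal string is worth a look regardless of what the decoded content turns out to be.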
The spyware abuses Android’s default SMS handler role to gain broad messaging access at once (reading, sending and intercepting SMS, and modifying the message database) without the individual runtime permission prompts that would otherwise be shown. Once the role is granted, it captures photos with the front camera, exfiltrates SMS, call logs and notifications to its C2, and executes remote commands (take photos, list installed applications, send bulk SMS to all contacts, place calls, exfiltrate data).
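Because the default SMS handler role is only offered to apps that declare a specific set of components, an app posing as YouTube or Google Photos that nevertheless qualifies for it is a useful static triage signal. The Python below is an added example, not code from the report: it parses a decoded AndroidManifest.xml (the binary manifest inside an APK must first be decoded with a tool such as apktool), checks whether the app declares the components the SMS role requires, and flags the combination with the permissions the article lists. The sample manifests are constructed for the example, and the verdict thresholds are the example's own heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Intent actions an app must handle to be eligible for the default SMS role.
REQUIRED_SMS_ROLE = {
    "receiver": {
        "android.provider.Telephony.SMS_DELIVER",
        "android.provider.Telephony.WAP_PUSH_DELIVER",
    },
    "service": {"android.intent.action.RESPOND_VIA_MESSAGE"},
    "activity": {"android.intent.action.SENDTO"},
}

# Permissions that match the capabilities the article describes.
SPYWARE_PERMS = {
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
}


def _declared_actions(root: ET.Element, component: str) -> set:
    """Collect every intent-filter action declared under a component type."""
    return {
        action.get(NAME_ATTR)
        for comp in root.iter(component)
        for action in comp.iter("action")
    }


def triage(manifest_xml: str) -> dict:
    """Heuristic triage of a decoded manifest (example heuristic, not the report's)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    sms_role_eligible = all(
        required <= _declared_actions(root, component)
        for component, required in REQUIRED_SMS_ROLE.items()
    )
    overlap = sorted(perms & SPYWARE_PERMS)
    if sms_role_eligible and len(overlap) >= 3:
        verdict = "suspicious: SMS-role-eligible with spyware permission set"
    elif sms_role_eligible:
        verdict = "SMS-role-eligible: verify it is really a messaging app"
    else:
        verdict = "not SMS-role-eligible"
    return {
        "package": root.get("package"),
        "sms_role_eligible": sms_role_eligible,
        "spyware_permissions": overlap,
        "verdict": verdict,
    }


# Constructed manifest mimicking a lookalike app that declares the SMS role
# components plus camera, contacts and call-log access.
FAKE_VIDEO_APP = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <service android:name=".Respond"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <activity android:name=".Compose"><intent-filter>
      <action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
  </application>
</manifest>"""

# Constructed benign manifest: only a viewer activity and network access.
BENIGN_APP = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/></intent-filter></activity></application>
</manifest>"""

if __name__ == "__main__":
    print(triage(FAKE_VIDEO_APP))
    print(triage(BENIGN_APP))
```

Legitimate messaging apps declare exactly these components too, so the eligibility check on its own is not a verdict; the signal is the mismatch between what the app claims to be and what it is wired to do.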
“The sheer scale of this campaign – more than 600 samples observed in just three months – highlights how quickly the mobile threat landscape is evolving,” concludes Zimperium.
(Security Affairs – hacking, newsletter)