ClayRat Android Spyware Escalates Threat with Data Theft, Device Control, and Rapid Propagation Tactics

ClayRat Android Malware: A New Threat Stealing SMS Messages, Call Logs, and Capturing Victim Photos

A formidable new Android spyware, dubbed ClayRat, has surfaced, posing a significant threat to mobile device security worldwide. First identified in October by the zLabs team, this malware exemplifies a concerning evolution in mobile threats, granting attackers near-complete control over infected devices. ClayRat uses sophisticated techniques to steal sensitive personal data while concealing its presence from victims who might otherwise notice and remove it.

Deceptive Distribution Methods

ClayRat operates by masquerading as legitimate applications, including popular platforms like YouTube and messaging apps, as well as localized services such as Russian taxi and parking applications. The malware primarily spreads through phishing websites, with over 25 fraudulent domains currently active, hosting malicious files. Additionally, cloud storage services like Dropbox have been observed distributing the malware, significantly expanding its reach. Researchers have detected more than 700 unique APK files in a remarkably short timeframe, indicating a large-scale distribution campaign.

Sophisticated Installation Techniques

The malware infiltrates devices through deceptive installation prompts that request SMS and accessibility permissions. Zimperium security analysts identified that ClayRat employs a sophisticated dropper technique to bypass Android security restrictions. The payload is stored encrypted in the application's assets folder and is decrypted at runtime with AES/CBC using keys embedded in the app, making detection considerably more challenging for standard security measures.
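The dropper pattern described above (an encrypted blob in the assets folder plus AES/CBC decryption code in the app) leaves two static indicators that a defender can triage without ever decrypting anything: an asset whose byte distribution is far too uniform to be text, images or JSON, and the AES/CBC transformation name in the dex string table. The following script is an added example, not code from Zimperium or from the article; it builds a constructed stand-in APK (a zip with an every-byte-equally-often "payload" and a fake classes.dex entry) so it runs offline, and the entropy threshold of 7.5 bits/byte is an assumed tuning value.

```python
import io
import math
import zipfile
from collections import Counter

# Real javax.crypto transformation and class names that an AES/CBC dropper
# must reference; the constructed sample below embeds two of them.
CRYPTO_INDICATORS = (
    b"AES/CBC/PKCS5Padding",
    b"AES/CBC/NoPadding",
    b"javax/crypto/Cipher",
)

# Assumed tuning value: compressed/encrypted data sits near 8.0 bits/byte,
# plain text, JSON and most images sit well below 7.5.
ENTROPY_THRESHOLD = 7.5
MIN_BLOB_SIZE = 1024  # ignore tiny assets; their entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan an APK (a zip) for encrypted-looking assets and AES/CBC usage.

    Returns the suspicious assets with their entropy, the crypto indicator
    strings found in any classes*.dex entry, and a combined verdict: both
    signals together are the shape of an in-app decrypting dropper.
    """
    suspicious_assets = []
    indicators = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(name)
            if name.startswith("assets/"):
                ent = shannon_entropy(data)
                if len(data) >= MIN_BLOB_SIZE and ent >= ENTROPY_THRESHOLD:
                    suspicious_assets.append((name, round(ent, 2)))
            elif name.startswith("classes") and name.endswith(".dex"):
                for ind in CRYPTO_INDICATORS:
                    if ind in data:
                        indicators.add(ind.decode())
    return {
        "suspicious_assets": suspicious_assets,
        "crypto_indicators": sorted(indicators),
        "dropper_pattern": bool(suspicious_assets) and bool(indicators),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK, not a real sample.

    The 'payload' contains every byte value equally often, so its entropy is
    exactly 8 bits/byte; the 'dex' entry is just a header plus strings.
    """
    encrypted_blob = bytes(range(256)) * 16  # 4096 bytes, entropy 8.0
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/config.json", '{"update_url": "https://example.invalid"}')
        zf.writestr("assets/payload.bin", encrypted_blob)
        zf.writestr("classes.dex", b"dex\n035\0" + b"Ljavax/crypto/Cipher;AES/CBC/PKCS5Padding")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

On a real APK, pass the file's bytes to triage_apk; the entropy check alone produces false positives on legitimately compressed assets (fonts, archives), which is why the verdict requires the crypto indicator as a second signal.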

Escalation of Privileges

Once installed, ClayRat escalates its privileges by requesting users to enable Accessibility Services alongside default SMS permissions. This combination of permissions creates a dangerous window for attackers to exploit the device comprehensively.

Persistence Tactics Through Accessibility Service Abuse

The new variant significantly expands its capabilities through aggressive misuse of Accessibility Services. After obtaining necessary permissions, the malware automatically disables the Play Store through automated screen clicks, removing Google Play Protect security protections without user knowledge. The spyware monitors all lock screen interactions, including button presses and pattern movements, reconstructing PIN codes, passwords, and patterns with remarkable accuracy.

When victims enter their credentials, the malware stores them in SharedPreferences under the key "lock_password_storage". Using the stored credentials, it then executes an "auto_unlock" command that replays unlock gestures, so the device unlocks itself and the victim never sees anything unusual at the lock screen. This technique ensures ClayRat maintains persistent access regardless of the lock screen protections the victim has configured.
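The privilege escalation in the previous section and the lock screen abuse above both rest on one manifest-level fact: an app that binds an accessibility service and also asks to become the default SMS app (or at least to send and read SMS) has declared exactly the combination that turns keystroke observation into silent unlocking and self-propagation. That combination is visible before installation. The script below is an added example, not Zimperium's or the article's code; it parses two constructed manifests and scores the declared capabilities. The permission, action and attribute names are real Android identifiers; the grouping into capabilities and the "high risk" rule are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities the article attributes to ClayRat, mapped to the manifest
# declaration that grants each one. Keys are this example's own labels;
# values are real Android permission / action names.
CAPABILITIES = {
    "accessibility_service": ("service_permission", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "default_sms_app": ("receiver_action", "android.provider.Telephony.SMS_DELIVER"),
    "send_sms": ("permission", "android.permission.SEND_SMS"),
    "read_sms": ("permission", "android.permission.READ_SMS"),
    "read_call_log": ("permission", "android.permission.READ_CALL_LOG"),
    "camera": ("permission", "android.permission.CAMERA"),
}


def assess_manifest(manifest_xml: str) -> dict:
    """Return the capabilities a manifest declares and whether the
    accessibility + SMS-control combination is present."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    service_perms = {el.get(PERM_ATTR) for el in root.iter("service")}
    receiver_actions = {
        act.get(NAME_ATTR)
        for rcv in root.iter("receiver")
        for act in rcv.iter("action")
    }
    declared = {
        "permission": permissions,
        "service_permission": service_perms,
        "receiver_action": receiver_actions,
    }
    found = sorted(cap for cap, (kind, value) in CAPABILITIES.items() if value in declared[kind])
    # Assumed rule: an accessibility service plus any SMS control is the
    # combination that enables both lock screen abuse and SMS self-spreading.
    sms_control = {"default_sms_app", "send_sms"} & set(found)
    return {"capabilities": found, "high_risk": "accessibility_service" in found and bool(sms_control)}


# Constructed manifests for the example; neither is from a real sample.
SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsIn" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    print(assess_manifest(SUSPECT_MANIFEST))
    print(assess_manifest(BENIGN_MANIFEST))
```

Real manifests inside an APK are binary-encoded and need decoding first (for instance with aapt or apktool) before this parser can read them; the logic is the same once the XML is in text form.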

Comprehensive Data Exfiltration

In addition to its persistence tactics, ClayRat captures photographs using the device camera, records screen content through MediaProjection APIs, steals SMS messages and call logs, and creates fake notifications to intercept sensitive replies from users. This comprehensive data exfiltration allows attackers to gather a wide array of personal information from the infected device.

Self-Propagation Mechanism

ClayRat exhibits a self-propagation mechanism that enhances its spread. Once installed, the malware sends SMS messages containing malicious download links to every contact in the victim's phonebook. These messages often include phrases like "Be the first to know!" followed by a link, making them appear more convincing. Because these messages appear to come from a trusted source, recipients are far more likely to click the link, join the same Telegram channel, or visit the same phishing site. Each infected device thus becomes a distribution node, fueling exponential spread without the need for new infrastructure.
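The propagation pattern above has a simple signature from the defender's side: a single device sending the same link to many distinct numbers in a short burst. The detector below is an added example, not code from the article or Zimperium; it runs over a constructed outbound-SMS log (the line format, numbers, URL and timestamps are all made up for the example) and raises one alert per URL that reaches a threshold number of distinct recipients inside a sliding time window. The threshold and window are assumed tuning values.

```python
import re
from datetime import datetime, timedelta

# Constructed log format for this example (not a real Android log):
#   <ISO-8601 UTC timestamp> tx dst=<number> body=<message text>
LINE_RE = re.compile(r"^(?P<ts>\S+) tx dst=(?P<dst>\S+) body=(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_line(line: str):
    """Return (timestamp, destination, url) or None if the line has no URL."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = URL_RE.search(m.group("body"))
    if not url:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("dst"), url.group(0)


def detect_sms_bursts(lines, min_recipients=5, window=timedelta(minutes=5)):
    """Alert on any URL sent to >= min_recipients distinct numbers within window.

    Messages without a link are ignored: the self-spreading behaviour is
    defined by the link, not by SMS volume alone.
    """
    by_url = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, dst, url = parsed
            by_url.setdefault(url, []).append((ts, dst))

    alerts = []
    for url, events in by_url.items():
        events.sort()  # chronological, so each window only looks forward
        best = 0
        for i, (start, _) in enumerate(events):
            recipients = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(recipients))
        if best >= min_recipients:
            alerts.append({"url": url, "distinct_recipients": best})
    return alerts


# Constructed sample: six link messages in twelve seconds, then normal traffic.
SAMPLE_LOG = [
    "2025-10-12T09:14:03Z tx dst=+15550000001 body=Be the first to know! https://example.invalid/get.apk",
    "2025-10-12T09:14:05Z tx dst=+15550000002 body=Be the first to know! https://example.invalid/get.apk",
    "2025-10-12T09:14:08Z tx dst=+15550000003 body=Be the first to know! https://example.invalid/get.apk",
    "2025-10-12T09:14:10Z tx dst=+15550000004 body=Be the first to know! https://example.invalid/get.apk",
    "2025-10-12T09:14:12Z tx dst=+15550000005 body=Be the first to know! https://example.invalid/get.apk",
    "2025-10-12T09:14:15Z tx dst=+15550000006 body=Be the first to know! https://example.invalid/get.apk",
    "2025-10-12T09:20:00Z tx dst=+15550000007 body=running late, see you at 10",
    "2025-10-12T11:02:41Z tx dst=+15550000008 body=here is the doc https://example.invalid/notes",
]


if __name__ == "__main__":
    for alert in detect_sms_bursts(SAMPLE_LOG):
        print(alert)
```

Keying on the URL rather than on message text keeps the detector robust to wording changes in the lure; a carrier or MDM that only sees counts per device can apply the same window logic with the recipient count alone, at the cost of more false positives from legitimate group messages.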

Technical Sophistication and Evasion Techniques

Security researchers have observed over 600 samples and 50 droppers of ClayRat in the past 90 days. Each new iteration adds layers of obfuscation, making detection more difficult. Communication with the command-and-control (C2) infrastructure relies on standard HTTP protocols, and the malware requests users to make it the default SMS application to gain access to sensitive content and messaging functions. These capabilities allow attackers to conduct surveillance and expand the malware’s reach without manual intervention.

Protective Measures

Despite its potency, ClayRat is mitigated by Google Play Protect, which is enabled by default on devices with Google Play Services. Play Protect automatically safeguards users from known versions of the malware. However, users are advised to exercise caution by downloading apps only from trusted sources, verifying app legitimacy by checking reviews and download counts, using mobile antivirus software, and carefully reviewing app permissions.

Conclusion

ClayRat represents a dual threat: it spies on victims while simultaneously turning their devices into tools for further malware propagation. Its combination of social engineering, advanced evasion techniques, and automated distribution makes it a formidable adversary in the Android threat landscape. Staying vigilant and adopting robust security practices are essential to protect against such sophisticated threats.