New Android Spyware ClayRat Targets Russian Speakers
ClayRat, a newly discovered Android spyware family, has emerged as a sophisticated and rapidly proliferating threat that researchers say primarily targets Russian-speaking users. Security analysts at Zimperium first cataloged the campaign and published detailed technical notes and indicators of compromise (IoCs).
In brief, the attackers employ convincing social engineering: fake websites, forged comments and download counts, and Play-Store-style user interfaces trick victims into sideloading APKs delivered through Telegram channels and malicious landing pages. These distribution tactics make the initial infection seem routine to unwary users, helping the malware establish a foothold on devices outside official app stores.
The ClayRat campaign mixes common deception with technically capable spyware. Zimperium's analysis reveals more than 600 samples and approximately 50 distinct droppers observed over three months, a scale that suggests an active and expanding operation rather than a small, targeted experiment. Many of the droppers present the user with a fake "update" or a familiar app skin, such as WhatsApp, TikTok, YouTube, or Google Photos.
At the same time, an encrypted payload sits hidden inside the package's assets. Once executed, some dropper variants decrypt and execute the payload, while others act simply as conduits that launch a secondary installer, lowering the barrier for the full spyware to run on the infected device.
Functionally, ClayRat behaves like a full-featured mobile espionage tool. When the malware obtains the proper permissions, it registers as the device's default SMS handler. This role lets it read, intercept, and modify both incoming and stored text messages, and deny other apps their normal access to those messages.
The spyware supports a sizable command set, enabling remote operators to harvest installed app lists, exfiltrate call logs and SMS databases, take camera photos, capture notifications, send mass SMS messages to propagate itself, and initiate calls from the victim device.
Later versions of the implant use AES-GCM encryption for command-and-control (C2) communications, indicating that the author(s) invested effort in protecting C2 traffic against simple interception. These capabilities allow ClayRat not only to spy on victims but also to use compromised phones as infection vectors to reach additional targets.
Visibility into the operation has improved because Zimperium and others shared IoCs and analysis with platform defenders, making it easier to develop mitigation strategies and prevent infections. Google Play Protect now blocks known and newly identified ClayRat variants, and Zimperium posted a public repository of indicators that defenders can consume when hunting for infections or scanning networks of devices.
Nevertheless, the campaign's breadth, numerous samples, and a varied set of droppers mean that detection and remediation remain nontrivial, especially when apparently legitimate pages instruct users to sideload apps and bypass Android warnings.
Session-based Installation
A notable technical facet of ClayRat's spread is its reliance on a "session-based" installation method to sidestep protections introduced in Android 13 and later. Android 13 tightened sideloading controls and introduced additional runtime checks to make it harder for malicious webpages and downloads to install apps without explicit user consent.
The session-based method leverages legitimate mechanisms within the Android package installer flow, specifically user confirmation and session semantics, to make the installation appear part of a continuous, user-driven interaction. By orchestrating the process through a sequence of pages and prompts, droppers can lower the user's perceived risk and make an installation feel like a regular update or a continuation of a welcome interaction.
Security researchers argue that this reduces the number of explicit, suspicious prompts the user sees, thereby increasing the likelihood that the user will approve the installation.
This exploitation of the installer session can be delivered in many ways. Threat actors design landing pages that mimic trusted UIs (a faux Play Store or app update screen), then present step-by-step instructions that steer users through a flow where each action looks reasonable.
In some variants, a dropper package includes an encrypted payload that the initial app writes to disk and then calls into the package installer using session APIs, which complete the installation without repeatedly showing conspicuous system warnings. In other cases, the attackers rely on social proof, fake comments, inflated download counters, and Telegram testimonials to normalize the process and convince victims that the download is safe.
Researchers have observed cybercrime services openly advertising and leveraging similar session-based techniques to help clients install malware on targets running Android 13 and above, signaling that the approach is both reproducible and in active commercial use.
The use of session-based installations is especially worrying because it highlights the gap between platform-level protections and the real user experience during social-engineered flows. Android's architectural changes made it harder for an unprompted background install to succeed.
Still, they cannot stop a convincing webpage from walking a user through a sequence of legitimate-looking prompts. By reducing surprise, attackers increase compliance; by mimicking trusted brands, they exploit the user's heuristics for safety. The result is that a device running a modern Android release can still be coaxed into hosting powerful spyware without any zero-day exploits or kernel-level privilege escalation.
For defenders, the practical implications are clear:
- Technical controls remain essential, but must be combined with user education and tighter app distribution controls.
- Platform owners should continue to update Play Protect signatures and block known ClayRat variants.
- Security teams need to ingest and act on provided indicators of compromise (IoCs). Further, teams need to monitor for ClayRat-related behaviors such as changes to the default SMS handler, unexpected mass SMS sending, and sudden exfiltration of contacts or call logs.
- Enterprises and security vendors should detect signs of session-driven installations, including clusters of seemingly user-initiated installer sessions from browser contexts and APK installations originating outside official app stores.
- End users should avoid sideloading apps from third-party sites or Telegram channels. Verify the authenticity of download pages that imitate official app stores. Keep devices regularly patched to benefit from the latest protective updates.
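As an added defender-side illustration of the monitoring points above (not code from the article or from Zimperium), the Python below triages one device's telemetry: it parses `adb shell pm list packages -3 -i` output to find third-party APKs that did not come from a store, checks whether the default SMS handler (for instance read via `adb shell settings get secure sms_default_application`) is one of those sideloaded apps, and flags outbound-SMS bursts. The store and messaging-app allowlists, the burst threshold, and the sample telemetry are assumptions.

```python
import re

# Assumed allowlists: official store installers and stock messaging apps.
STORE_INSTALLERS = {"com.android.vending"}
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
_PM_LINE = re.compile(r"^package:(\S+?)(?:\s+installer=(\S+))?$")


def parse_pm_installers(pm_output):
    """Map package -> installer from `adb shell pm list packages -3 -i` output;
    a missing or 'null' installer means the APK did not come through a store."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkg, inst = m.group(1), m.group(2)
            installers[pkg] = None if inst in (None, "null") else inst
    return installers


def sms_burst(timestamps, window_s=300):
    """Largest number of outbound SMS events inside any window_s-second span."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage_device(pm_output, default_sms_app, sms_timestamps, burst_threshold=20):
    """Return (severity, description) findings for one device's telemetry."""
    findings = []
    installers = parse_pm_installers(pm_output)
    sideloaded = {p for p, i in installers.items() if i not in STORE_INSTALLERS}
    for pkg in sorted(sideloaded):
        findings.append(("medium", f"{pkg} installed via {installers[pkg] or 'unknown'}"))
    if default_sms_app not in KNOWN_SMS_APPS:  # ClayRat takes the SMS role
        sev = "high" if default_sms_app in sideloaded else "medium"
        findings.append((sev, f"default SMS handler is {default_sms_app}"))
    burst = sms_burst(sms_timestamps)
    if burst >= burst_threshold:  # mass SMS used for self-propagation
        findings.append(("high", f"{burst} outbound SMS within 5 minutes"))
    return findings


# Constructed sample (not real ClayRat data): a Telegram-installed app holds the SMS role and sends in bulk.
SAMPLE_PM = """package:com.example.fakeupdate installer=org.telegram.messenger
package:com.spotify.music installer=com.android.vending"""
SAMPLE_SMS_TS = [1_700_000_000 + 5 * i for i in range(25)]  # 25 sends in 2 min
SAMPLE_FINDINGS = triage_device(SAMPLE_PM, "com.example.fakeupdate", SAMPLE_SMS_TS)
```

Feed real `pm` output and a device's outbound-SMS timestamps from your MDM or telemetry source; a sideloaded package holding the SMS role plus a send burst is the combination worth escalating.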
ClayRat's arrival and the session-based bypasses that helped it spread underscore a recurring lesson in mobile security: platform hardening reduces certain classes of attacks.
Still, it cannot eliminate risks that exploit human trust and UX design. As the malware ecosystem evolves, defenders must combine technical detection, rapid sharing of IoCs, and clear, realistic user guidance to mitigate the effectiveness of campaigns that exploit legitimate installation flows.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
The PCrisk security portal is brought to you by the company RCS LT.
Security researchers have joined forces to help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.
Donate