Zimperium, the world's pioneer in mobile security, announced new research from its zLabs team exposing ClayRat, a rapidly expanding Android spyware campaign targeting Russian users.
Disguised as popular apps, such as WhatsApp, TikTok, Google Photos, and YouTube, ClayRat steals sensitive information, including SMS, call logs, device data, and front-camera photos.
New obfuscation layers
ClayRat exploits Android’s default SMS handler role to bypass security prompts. Once active, it sends malicious links to every contact in the victim’s phonebook, turning each infected device into a distribution hub.
In the last three months alone, Zimperium identified over 600 variants and 50 droppers, each using new obfuscation layers to evade detection. This pace of evolution underscores the increasing speed and sophistication of mobile threats.
AI-driven mobile security
“ClayRat demonstrates how attackers are evolving faster than ever, combining social engineering, self-propagation, and system abuse to maximise reach,” said Shridhar Mittal, CEO of Zimperium, adding, “Our AI-driven mobile security ensures customers remain protected, even against campaigns designed to outpace traditional defences.”
Benefit from additional protections
Zimperium’s Mobile Threat Defence and Mobile Runtime Protection solutions proactively detected ClayRat samples from their first appearance, keeping customers safe without relying on delayed updates.
As an App Defence Alliance partner, Zimperium has also shared its findings with Google, ensuring Android users benefit from additional protections through Google Play Protect.
Key findings
- 600+ spyware samples discovered in just 90 days
- Abuses SMS handler role to bypass security prompts
- Spreads via contacts; each device becomes a distribution hub
- Steals sensitive data, including messages, call logs, and photos