Zimperium's ClayRat Android Spyware evolution

5 Dec 2025

Zimperium's security team, zLabs, has identified a significantly enhanced variant of the Android spyware known as ClayRat. Initially detailed in the October 2025 technical brief “ClayRat: A New Android Spyware Targeting Russia,” this spyware has evolved to present new challenges.

While previously capable of exfiltrating SMS messages, call logs, notifications, device data, taking photos, and sending mass SMS or making calls, the updated variant of ClayRat exhibits advanced functionality and increased stealth.

Enhanced capabilities of ClayRat

The latest version of ClayRat exploits both Default SMS privileges and Accessibility Services, allowing it to capture lock-screen credentials such as PINs, passwords, or patterns, and automatically unlock devices. Further, it can record the screen via the MediaProjection API and present deceptive overlays, such as fake system-update prompts, to evade user detection.

The spyware can also programmatically initiate taps, preventing users from powering down or uninstalling the app. By generating fake or interactive notifications and intercepting responses, ClayRat facilitates full device takeover. This poses substantial risks, as affected users may find it difficult to detect or remove the malware. Corporate devices, in particular, face heightened risks of credential leaks, hijacked SMS, notification flows, or screen capture breaches.

Distribution via phishing techniques

Building on its previous strategies, ClayRat employs widespread social engineering tactics

Building on its previous strategies, ClayRat employs widespread social engineering tactics. The spyware continues to disguise itself as legitimate applications, including popular video and messaging platforms, and localised services like Russian taxi and parking apps.

Its distribution strategy heavily relies on phishing webpages and sideloaded APKs, often via cloud storage services such as Dropbox. zLabs telemetry has identified over 700 unique ClayRat-related APKs in a brief time span.

Implications for BYOD environments

Vishnu Pratapagiri, pioneering researcher at zLabs, highlighted the need for robust security measures, stating, “ClayRat’s evolution shows exactly why enterprises need protection that works at the device level, not just network-based. By abusing Accessibility Services and overlay tricks, this variant turns Android devices into fully compromised endpoints and conventional defences may not be enough.”

As ClayRat further enhances its spyware, remote-control, and lock-screen manipulation capabilities, companies should view this as a cautionary indicator. Mobile devices, especially within Bring Your Own Device (BYOD) settings, remain vulnerable entry points for attacks. Zimperium is actively monitoring ClayRat developments and continues to share relevant compromise indicators with industry partners.

Show full press release

Building on earlier research published in October 2025, Zimperium announced that its zLabs team has uncovered a significantly enhanced variant of ClayRat, an Android spyware family first detailed in the technical brief “ClayRat: A New Android Spyware Targeting Russia”.

While the original ClayRat strain was able to exfiltrate SMS messages, call logs, notifications, device data, take photos, and send mass SMS or place calls, effectively allowing infected devices to become distribution hubs. The newly observed variant demonstrates a substantial escalation in functionality and stealth. The updated strain abuses both Default SMS privileges and Accessibility Services, enabling it to:

Capture lock-screen credentials (PIN, password, or pattern) and automatically unlock the device.
Record the screen via the MediaProjection API.
Present deceptive overlays (for example, fake system-update prompts) to prevent user detection.
Programmatically initiate taps — blocking the user from powering down or uninstalling the malicious app.
Generate fake or interactive notifications, then intercept and exfiltrate responses.

This expanded functionality enables full device takeover, making ClayRat far more dangerous than the version first reported, especially since victims may no longer detect or easily remove the malware. The updated behaviour also increases the risk to corporate endpoints: compromised devices could leak corporate credentials, MFA codes, or sensitive enterprise data through hijacked SMS, notification flows, or screen captures.

Reliant on phishing webpages

The malware continues to leverage social engineering at scale. As before, ClayRat masquerades as legitimate, widely used applications and services, including major video and messaging platforms, as well as localised or regional services (for example, certain Russian taxi or parking apps).

Distribution remains heavily reliant on phishing webpages and sideloaded APKs, including via cloud-storage platforms such as Dropbox. According to zLabs telemetry, more than 700 unique APKs tied to ClayRat have already been identified in a short time window.

BYOD environments

“ClayRat’s evolution shows exactly why enterprises need protection that works at the device level, not just network-based,” said Vishnu Pratapagiri, lead researcher at zLabs. “By abusing Accessibility Services and overlay tricks, this variant turns Android devices into fully compromised endpoints and conventional defences may not be enough.”

As ClayRat continues to evolve, expanding its spyware, remote-control, and lock-screen manipulation capabilities, enterprises should treat this campaign as a critical reminder: mobile devices, especially in BYOD environments, remain among the most vulnerable entry points for attackers. Zimperium continues to monitor ClayRat and share relevant indicators of compromise with industry partners.

Download PDF version Download PDF version

Add as a preferred source on Google