Overview
- Zimperium zLabs reports more than 600 ClayRat samples and about 50 droppers identified over the last 90 days, with successive variants adding obfuscation to evade detection.
- Attackers drive installs through Telegram channels and lookalike phishing sites that impersonate WhatsApp, TikTok, Google Photos and YouTube, bolstered by fake testimonials and inflated download counts.
- Several variants function as droppers that present fake Play Store update screens and unpack encrypted payloads, sidestepping the extra restrictions Android 13 and later place on sideloaded apps.
- Once installed, the malware requests default SMS app status, which lets it exfiltrate texts, call logs and notifications, capture front-camera photos, place calls or send messages, and automatically message every saved contact with lure texts such as “Be the first to know!”.
- Zimperium says it shared indicators with Google, resulting in Google Play Protect detections, and experts urge users to avoid sideloaded APKs and rely on layered mobile security.