
Play Protect Now Blocking Evolving ‘ClayRat’ Android Spyware Targeting Russian Users

Researchers say the spyware masquerades as popular apps, exploiting Android’s default SMS role to surveil users and auto‑text their contacts.

Overview

  • Attackers distribute ClayRat through Telegram channels and spoofed websites that imitate services like WhatsApp, TikTok, Google Photos and YouTube to push malicious APKs.
  • Zimperium documented more than 600 samples and over 50 droppers in roughly three months, signaling rapid development and frequent obfuscation changes.
  • Several variants use session‑based installers and fake Play Store update screens to bypass Android 13+ sideloading protections and lower user suspicion.
  • Once installed and set as the SMS app, the spyware can read texts, capture call logs and notifications, take front‑camera photos, place calls or send SMS, and auto‑message every contact to propagate.
  • Zimperium shared IoCs with Google, and Play Protect is now blocking known and new variants, though researchers report the campaign continues to evolve.
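The default-SMS-role abuse described above can be triaged from an app's decoded manifest. The sketch below is an added example, not code from Zimperium or Google. It flags an APK that declares the four handler components Android requires before it will offer an app as the default SMS handler. The package name, the component names and the function `sms_role_findings` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Intent actions an app must handle to be eligible as Android's default SMS app.
SMS_ROLE_ACTIONS = {
    "receiver": {"android.provider.Telephony.SMS_DELIVER",
                 "android.provider.Telephony.WAP_PUSH_DELIVER"},
    "activity": {"android.intent.action.SENDTO"},
    "service": {"android.intent.action.RESPOND_VIA_MESSAGE"},
}

def sms_role_findings(manifest_xml):
    """Report which default-SMS-handler components a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag, wanted in SMS_ROLE_ACTIONS.items():
        for component in root.iter(tag):
            for action in component.iter("action"):
                if action.get(ANDROID + "name") in wanted:
                    found.add(action.get(ANDROID + "name"))
    required = set().union(*SMS_ROLE_ACTIONS.values())
    perms = {p.get(ANDROID + "name", "") for p in root.iter("uses-permission")}
    return {
        "package": root.get("package"),
        "missing": sorted(required - found),
        "sms_role_capable": found == required,
        "sms_permissions": sorted(p for p in perms if "SMS" in p),
    }

# Constructed sample: manifest of a made-up "video" app that is SMS-role capable.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <receiver android:name=".A"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".B"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".C"><intent-filter>
      <action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
    <service android:name=".D"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(sms_role_findings(SAMPLE))
```

An app presenting itself as a video or photo tool has no functional reason to be SMS-role capable, so a positive result on such a package is a signal for closer review rather than a verdict.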