Security researchers have documented a large-scale Android espionage operation in Russia that uses convincing social engineering, Telegram distribution, and a modern installation trick to weaken Android’s defenses. The malware, dubbed ClayRat, impersonates legitimate apps such as WhatsApp, Google Photos, TikTok, and YouTube, and is delivered via phishing sites and Telegram channels. Once installed, it can hijack SMS, capture call logs and notifications, take camera snapshots, and even initiate calls from the victim’s device.
Phishing infrastructure and Telegram-driven delivery
Operators register lookalike domains and host spoofed pages styled to resemble Google Play. These sites either serve APKs directly or redirect users to Telegram channels that promote a “full version” or “update.” To build trust, the pages display fabricated reviews, inflated install counters, and step-by-step guides for manual APK installation that bypass Android’s default protections.
Scale and evolution: hundreds of samples and numerous droppers
According to Zimperium, more than 600 unique ClayRat samples and over 50 distinct droppers were identified in just three months, signaling a fast-moving and iterative operation. Several loaders present a fake “Play Store update” screen while concealing an encrypted payload within app resources until installation time, a common tactic to evade static analysis and delay detection.
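The "encrypted payload hidden in app resources until install time" dropper pattern described above can be triaged statically without executing the sample. The following is an added example written for this article, not Zimperium's tooling or anything recovered from ClayRat: it walks the entries of an APK (which is a zip file), and flags resources that are either a nested zip/APK or a large blob with near-8-bits-per-byte entropy, the signature of encrypted or compressed data. The resource directories, size and entropy thresholds, and the media-extension exclusion are heuristics I am assuming, and the sample APK is constructed in memory so the script runs offline.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Resource directories where droppers commonly stash a second-stage blob
# (assumption: a triage heuristic, not a list taken from the article).
PAYLOAD_DIRS = ("assets/", "res/raw/")
# Media is legitimately high-entropy, so skip it to keep noise down.
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".mp4", ".ogg")
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header, shared by APK/JAR/ZIP


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. 8.0 is the ceiling; encrypted or compressed data sits near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_resources(apk_bytes: bytes, min_size: int = 64 * 1024,
                              min_entropy: float = 7.5) -> list[dict]:
    """Flag resource entries that look like embedded or encrypted payloads.

    Two signals: the entry is itself a zip/APK (plaintext nested payload), or it is a
    large blob whose entropy is close to 8 bits/byte (encrypted payload). Thresholds
    are assumptions; tune them against your own benign corpus.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith(PAYLOAD_DIRS) or name.lower().endswith(MEDIA_EXT):
                continue
            data = zf.read(info)
            if data.startswith(ZIP_MAGIC):
                findings.append({"name": name, "size": len(data),
                                 "entropy": round(shannon_entropy(data), 3),
                                 "reason": "nested zip/APK"})
            elif len(data) >= min_size:
                ent = shannon_entropy(data)
                if ent >= min_entropy:
                    findings.append({"name": name, "size": len(data),
                                     "entropy": round(ent, 3),
                                     "reason": "large high-entropy blob"})
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample (not a real ClayRat file): a zip laid out like an APK."""
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as inner:
        inner.writestr("AndroidManifest.xml", b"<stub/>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<stub/>")
        zf.writestr("res/values/strings.xml", b"<resources/>")
        zf.writestr("assets/intro.mp4", rng.randbytes(200 * 1024))   # media: skipped
        zf.writestr("res/raw/config.bin", rng.randbytes(128 * 1024))  # "encrypted payload"
        zf.writestr("assets/update.apk", nested.getvalue())           # plaintext nested APK
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_suspicious_resources(build_sample_apk()):
        print(hit)
```

Run it on a real sample with `find_suspicious_resources(open("sample.apk", "rb").read())`. A hit is a reason to look closer (for example, by locating the code that reads and decrypts the flagged resource), not proof of malice: fonts, ML models and game assets will also trip the entropy check, which is why the path and extension filters exist.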
How ClayRat exploits Android installation mechanics
Session-based installation versus classic sideloading
Android supports two primary install paths: a direct (non-session) install, where a single APK is handed to the system installer, and a session-based method designed to support multi-part or split APKs common in Google Play distribution. ClayRat abuses the session-based path to blend in with legitimate app install flows.
Getting around Android 13’s Restricted Settings checks
Since Android 13, Google has tightened protections for sensitive capabilities (for example, notification access) in apps installed outside official stores via the Restricted Settings mechanism. As ThreatFabric showed in 2023 (e.g., with the SecuriDropper case), apps delivered via session-based installation may be handled by different enforcement paths than a plain sideload, potentially reducing the friction and warnings the user sees. ClayRat leverages this nuance to establish persistence with fewer overt warnings than straightforward sideloading would trigger.
Post-infection capabilities and command-and-control
After installation, ClayRat frequently sets itself as the default SMS handler, gaining priority access to all inbound messages for interception and modification. The malware exfiltrates contacts and uses the device to send bulk SMS, propagating through the victim’s social graph and trusted networks.
Communications with C2 are encrypted, with newer variants protecting traffic using AES-GCM. The backend can issue up to 12 distinct commands, enabling flexible data theft and remote device control. Beyond SMS and notifications, observed capabilities include accessing call logs, capturing photos, and initiating outbound calls.
Ecosystem response and detection
Zimperium has provided Google with indicators of compromise (IOCs) covering domains, packages, and network artifacts. At publication time, Play Protect flags both known and emerging variants. The residual risk remains highest for users who disable default safeguards, install from untrusted sources, or follow installation instructions distributed via Telegram channels.
Risk mitigation for consumers and enterprises
Out-of-store installs should be treated as high risk. Verify URLs carefully and avoid domains that differ from official brands by even a single character. Check TLS certificates, and keep “Unknown sources” disabled unless there is a clear, vetted business need. Be wary of apps that request to become the default SMS handler or seek notification and Accessibility permissions shortly after install.
Keep Android and apps updated, leave Play Protect enabled, and consider reputable mobile security solutions that can inspect network traffic and flag anomalies such as encrypted C2 to unfamiliar endpoints. Enterprise mobile threat defense (MTD) and MDM/EMM policies can block session installs from untrusted sources and alert on suspicious permission requests.
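The post-infection indicators described earlier (a sideloaded app holding the default SMS role or notification access) and the enterprise alerting suggested above can be checked on a managed device with three `adb shell` commands: `pm list packages -3 -i` (third-party packages with their installer), `settings get secure enabled_notification_listeners`, and `settings get secure sms_default_application`. The script below is an added example written for this article, not part of any MDM product or of Zimperium's research. It parses the output of those commands and correlates it; the output shapes are what I am assuming those commands produce (verify against your own device), the sample output is constructed, and the set of trusted installer packages is an assumption.

```python
import re

# Installer package names treated as trusted (assumption: the Play Store only;
# add your EMM's installer package if it provisions apps directly).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output, not from a real device. The lookalike package name
# "com.whatsap.messenger" is invented for the example.
PM_LIST_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.whatsap.messenger  installer=null
package:org.example.photos  installer=com.android.packageinstaller
"""
ENABLED_NOTIFICATION_LISTENERS = (
    "com.whatsap.messenger/com.whatsap.messenger.NotifService:"
    "com.android.chrome/com.android.chrome.Listener"
)
SMS_DEFAULT_APPLICATION = "com.whatsap.messenger\n"


def parse_pm_list(text: str) -> dict:
    """Map package name -> installer package (None when the device reports 'null')."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def parse_listeners(text: str) -> set:
    """Package names of enabled notification listeners (colon-separated components)."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {comp.split("/")[0] for comp in text.split(":") if comp}


def audit(pm_output: str, listeners_output: str, default_sms_output: str) -> list:
    """Correlate sideloaded packages with the SMS role and notification access."""
    installers = parse_pm_list(pm_output)
    sideloaded = {p for p, i in installers.items() if i not in TRUSTED_INSTALLERS}
    listeners = parse_listeners(listeners_output)
    default_sms = default_sms_output.strip()
    findings = []
    for pkg in sorted(sideloaded):
        findings.append({"package": pkg, "severity": "medium",
                         "reason": f"installed by {installers[pkg] or 'unknown installer'}, "
                                   "not a trusted store"})
    if default_sms in sideloaded:
        findings.append({"package": default_sms, "severity": "high",
                         "reason": "default SMS handler is a sideloaded app"})
    for pkg in sorted(listeners & sideloaded):
        findings.append({"package": pkg, "severity": "high",
                         "reason": "sideloaded app holds notification listener access"})
    return findings


if __name__ == "__main__":
    # On a real device, replace the constants with the output of:
    #   adb shell pm list packages -3 -i
    #   adb shell settings get secure enabled_notification_listeners
    #   adb shell settings get secure sms_default_application
    for f in audit(PM_LIST_PACKAGES, ENABLED_NOTIFICATION_LISTENERS, SMS_DEFAULT_APPLICATION):
        print(f"[{f['severity']}] {f['package']}: {f['reason']}")
```

The `-3` flag matters: system packages also report `installer=null`, so listing all packages would drown the sideload signal in false positives. Treat a "high" finding as a trigger for quarantine and sample collection rather than automatic wipe, since legitimate SMS apps distributed by a vendor outside the Play Store will look the same to this check.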
ClayRat exemplifies how credible social engineering, session-based installation, and aggressive SMS privileges can erode user safeguards and scale attacks rapidly. Reducing exposure requires consistent digital hygiene, user education to spot phishing lures, and swift operational response to new IOCs. If you encounter a suspicious APK or distribution channel, report it to Google and your security provider to help curtail the campaign’s reach.