ClayRat Spyware Evolves with New Android Threats

Summary
– A new, more powerful version of ClayRat Android spyware has been identified, featuring expanded surveillance and device-control functions.
– The updated malware combines SMS privileges with Accessibility Services abuse to perform automated actions, including keylogging and full screen recording.
– It is distributed through phishing sites and over 700 unique APKs, often mimicking legitimate apps like YouTube or regional services.
– Once installed, it tricks users into granting permissions, disables security features like Google Play Protect, and uses overlays to hide its malicious activity.
– The spyware poses a serious enterprise risk, as it can steal data and provide unauthorized access to corporate systems, especially in BYOD environments.
A newly discovered version of the ClayRat Android spyware demonstrates a dangerous evolution, packing significantly expanded surveillance and remote-control functions that threaten both personal privacy and corporate security. Cybersecurity analysts have tracked this malware since its initial appearance last October, when it focused on stealing SMS messages, call logs, and photos. The latest iteration, however, represents a major escalation in capability and stealth.
The spyware’s increased potency stems from its sophisticated abuse of Android’s Accessibility Services, combined with permissions to act as the default SMS application. This powerful combination allows the malware to automate a vast range of actions, effectively seizing near-total control of a compromised smartphone or tablet. A core threat is its advanced keylogging function, which meticulously captures every PIN, password, and screen pattern entered by the user.
Further enhancements make the software alarmingly persistent. It utilizes the MediaProjection API to conduct full screen recording and deploys deceptive overlays, like black screens or fake system update prompts, to mask its malicious activities. Perhaps most insidiously, it can execute automated screen taps designed to prevent a user from uninstalling the application or shutting down the device. To spread, the malware operators have created over 700 unique APK files, distributing them through phishing websites and file-sharing platforms. Researchers have identified more than 25 active phishing domains impersonating legitimate services, from global video platforms to regional utility apps.
The infection process is carefully engineered to trick users into surrendering control. After a victim installs the malicious app, it requests permission to manage SMS. It then guides the user to enable Accessibility Services, framing this as a necessary step for functionality. Once these critical permissions are granted, ClayRat immediately disables the Google Play Store to circumvent Google Play Protect security scans. Its credential theft mechanism is particularly invasive, monitoring lock-screen activity to reconstruct a user’s exact PIN, password, or pattern. This data is stored and later used by the malware to unlock the device autonomously through automated gestures.
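The permission combination just described (an untrusted Accessibility Service, an untrusted default-SMS app, and a disabled Play Store) is checkable from a workstation with adb. The script below is an added example, not from the original report or from the researchers' tooling; the trusted-package sets, the hypothetical package name com.example.fakeplayer and the sample output are constructed assumptions.

```python
"""Offline triage for the permission combination described above: an untrusted
Accessibility Service, an untrusted default-SMS app, and a disabled Play Store.
Pulls values over `adb shell` when adb is present, else uses constructed sample."""
import shutil
import subprocess
# Assumption: packages your fleet accepts in these roles; tune per environment.
TRUSTED_ACCESSIBILITY = frozenset({"com.google.android.marvin.talkback"})
TRUSTED_SMS_APPS = frozenset({"com.google.android.apps.messaging",
                              "com.samsung.android.messaging"})
PLAY_STORE = "com.android.vending"
ADB_QUERIES = ("settings get secure enabled_accessibility_services",
               "settings get secure sms_default_application",
               "pm list packages -d")
# Constructed sample output (hypothetical package name, not a real indicator).
SAMPLE = ("com.example.fakeplayer/.KeySvc\n", "com.example.fakeplayer\n",
          "package:com.android.vending\npackage:com.example.other\n")

def parse_accessibility_services(raw):
    """'pkg/Svc:pkg2/Svc2' -> {pkg, pkg2}; 'null' or empty -> empty set."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}

def parse_disabled_packages(raw):
    """Output of `pm list packages -d`: one 'package:<name>' per line."""
    return {line.split(":", 1)[1].strip() for line in raw.splitlines()
            if line.startswith("package:")}

def audit(accessibility_raw, sms_default_raw, disabled_raw):
    """Return findings as strings; an empty list means no indicator matched."""
    a11y = parse_accessibility_services(accessibility_raw) - TRUSTED_ACCESSIBILITY
    sms_app = sms_default_raw.strip()
    findings = [f"untrusted accessibility service: {p}" for p in sorted(a11y)]
    if sms_app not in ("", "null") and sms_app not in TRUSTED_SMS_APPS:
        findings.append(f"untrusted default SMS app: {sms_app}")
    if sms_app in a11y:  # the SMS + accessibility combination the article flags
        findings.append(f"HIGH: {sms_app} holds SMS role and accessibility service")
    if PLAY_STORE in parse_disabled_packages(disabled_raw):
        findings.append("Play Store package disabled (Play Protect scans bypassed)")
    return findings

def adb_shell(cmd):
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    raw = tuple(map(adb_shell, ADB_QUERIES)) if shutil.which("adb") else SAMPLE
    print("\n".join(audit(*raw)) or "no indicators found")
```

Run it with a device attached over USB debugging to audit that device; without adb it reports on the constructed sample, which triggers all four findings.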
The spyware also actively harvests information from notifications and SMS message flows, collecting replies to fake alerts. For enterprises, this behavior creates a substantial risk, especially in environments where employees use their personal devices for work. A single infected device in a BYOD (Bring Your Own Device) setup can act as a gateway for large-scale data theft, financial fraud, and unauthorized access to internal corporate networks and systems. The malware’s focus on intercepting authentication prompts and screen content means that even multi-factor authentication codes and sensitive corporate communications are vulnerable.
As ClayRat continues to add more advanced surveillance, remote-control, and lock-screen manipulation features, robust device-level mobile security becomes essential. Defenses that can be bypassed by abusing system permissions are no longer sufficient against such pervasive and automated threats.
(Source: Info Security)