Advisory ID: NCC-CSIRT-2025-018
Summary:
Researchers have discovered ClayRat, a new Android spyware disguised as popular apps like WhatsApp and TikTok. It spreads through Telegram and fake websites, stealing messages, photos, and other personal data. The malware can also take secret pictures and send malicious links to contacts, making it hard to detect and remove.
Damage/Probability: Critical/High
Product(s):
- Android mobile devices (APK (Android Package Kit) side-loaded or installed from untrusted stores / Telegram channels)
- Popular mobile app brands used as lures (WhatsApp, TikTok, YouTube, Google Photos)
Version(s):
Not version-specific; it affects any Android device on which a malicious APK is installed and granted the required roles/permissions.
Platform(s):
- Android OS (various versions).
- Devices with SMS/notification privileges and browsers/Telegram clients used to download APK droppers.
Description:
Zimperium security researchers have discovered a new Android spyware called ClayRat, which pretends to be popular apps like WhatsApp, TikTok, YouTube, and Google Photos. The attackers share these fake apps through Telegram channels and phishing websites, often using lookalike domains and fake reviews to appear genuine.
When users download and install these fake apps manually, they are tricked into giving the spyware special permissions, such as access to text messages and notifications. This allows ClayRat to read messages (including security codes), check call logs, view contacts, take photos, and send stolen data to the attackers’ servers. It can also send harmful links to the victim’s contacts, spreading the infection further.
The malware is constantly changing, with over 600 different versions found in just a few months. It also uses advanced hiding techniques to avoid detection by antivirus software, making it difficult to remove once installed. Because it spreads through public channels like Telegram, the spyware can reach a large number of victims very quickly.
Impacts:
- Disclosure of sensitive communications (SMS, verification codes) and account takeover risk.
- Loss of privacy (photos, location, microphone/camera capabilities).
- Rapid lateral spread via messages to contacts and Telegram channels, increasing scale of compromise.
- Potential secondary payloads installed by the loader (additional RATs, credential stealers).
Solutions:
- Deploy Mobile Threat Defense (MTD) and Google Play Protect to detect malicious APKs and abnormal behaviors.
- Validate apps against an approved allowlist; remove any mismatched packages immediately.
- Block malicious domains, phishing sites, and suspicious Telegram channels at the DNS/network level.
- Disable side-loading on managed devices; allow installations only from the Play Store or enterprise app store.
- For suspected devices, remove unknown APKs, revoke sensitive permissions, rotate credentials, and enforce phishing-resistant MFA.
- Isolate and analyze compromised devices, collecting relevant artifacts for forensics.
- Educate users to avoid installing apps from untrusted links or channels and to verify app sources.
- Keep MTD/antivirus and EDR signatures updated and configure alerts for suspicious app or SMS-handler activities.
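The allowlist and SMS-handler checks above can be scripted against adb output from a managed device; the following is an added example, not part of this advisory or of any vendor tool. It assumes the `pm list packages -i` line format and the `sms_default_application` and `enabled_notification_listeners` secure-settings keys, and runs on constructed sample output.

```python
"""Triage helper for the advisory's allowlist / SMS-handler checks, run over adb
output. All device output below is constructed sample data, not a real capture."""
import re
# Constructed `adb shell pm list packages -i` output (assumed line format
# "package:<name>  installer=<pkg|null>"; preinstalled system apps show null).
PM_LIST = """package:com.whatsapp  installer=com.android.vending
package:com.android.chrome  installer=null
package:com.whatsapp.update  installer=null
package:org.telegram.messenger  installer=com.android.vending
package:com.example.wear  installer=com.android.vending
"""
# Constructed `adb shell settings get secure <key>` output for the assumed keys
# sms_default_application and enabled_notification_listeners (colon-separated).
SMS_DEFAULT = "com.whatsapp.update"
NOTIF_LISTENERS = "com.whatsapp.update/.NotifSvc:com.example.wear/.ListenerService"
ALLOWLIST = {"com.whatsapp", "com.android.chrome", "org.telegram.messenger", "com.example.wear"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; add an enterprise store here

def parse_pm_list(text):
    """Map package name -> installer from `pm list packages -i` output."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M)}

def triage(pm_text, sms_default, notif_listeners, allowlist, trusted_installers):
    """Return {package: [reasons]}. Privileged roles are always listed so the analyst
    sees who holds them; allowlist/install-source checks fire only for unapproved apps."""
    listeners = {c.split("/")[0] for c in notif_listeners.split(":") if c}
    findings = {}
    for pkg, installer in parse_pm_list(pm_text).items():
        reasons = []
        if pkg not in allowlist:
            reasons.append("not on allowlist")
            if installer not in trusted_installers:
                reasons.append(f"side-loaded (installer={installer})")
        if pkg == sms_default:
            reasons.append("holds default SMS role")
        if pkg in listeners:
            reasons.append("has notification-listener access")
        if reasons:
            findings[pkg] = reasons
    return findings

def critical(findings):
    """Off-allowlist packages that also hold the SMS role or a notification listener."""
    return sorted(p for p, r in findings.items()
                  if "not on allowlist" in r and any(x.startswith(("holds", "has")) for x in r))

if __name__ == "__main__":
    f = triage(PM_LIST, SMS_DEFAULT, NOTIF_LISTENERS, ALLOWLIST, TRUSTED_INSTALLERS)
    print(f, "\nCRITICAL:", critical(f))
```

Packages that are approved but hold a privileged role still appear in the output, so an analyst can confirm the SMS role has not silently moved to a lookalike package.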
References:
- https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia
- https://thehackernews.com/2025/10/new-clayrat-spyware-targets-android.html
- https://www.csoonline.com/article/4070281/clayrat-spyware-turns-phones-into-distribution-hubs-via-sms-and-telegram.html
- https://securityaffairs.com/183169/malware/clayrat-campaign-uses-telegram-and-phishing-sites-to-distribute-android-spyware.html