Executive Summary
ClayRat is an Android spyware campaign uncovered in early January that primarily targets Russian-speaking users. The operation relies on social engineering rather than advanced exploits, disguising malicious Android applications as popular platforms such as WhatsApp, TikTok, Telegram mods, and video-sharing utilities. Once installed, the malware silently harvests sensitive data and turns infected devices into propagation nodes that automatically spread malicious links to all stored contacts.
The threat is notable not because of technical sophistication, but because of how effectively it abuses user trust, outdated Android permission models, and widespread sideloading habits. The result is large-scale data exposure, unauthorized surveillance, and uncontrolled malware distribution across personal and semi-corporate mobile environments.
What Happened
Security monitoring teams observed a rise in suspicious Android APK files circulating through SMS and messaging platforms in Russia. These APKs were distributed using messages that appeared to come from trusted contacts. Victims believed they were receiving shared videos, urgent account notices, or media clips.
After installation, users noticed little to no immediate change. The app either displayed a basic working interface or silently ran in the background. Meanwhile, the spyware activated persistent background services and began collecting data while simultaneously using the victim’s phone to spread itself further.
Initial Infection Vector
The initial compromise occurs through malicious APK sideloading. The infection chain generally follows this path:
- Victim receives a message from a known contact containing a shortened or disguised link
- Link directs the victim to a fake download page or directly downloads an APK
- User enables "Install unknown apps" for the browser or messaging app that delivered the file (a per-app setting on Android 8 and later), if it is not already enabled
- Malicious app is installed and launched
- User grants requested permissions, often without suspicion
No Google Play Store exploitation was involved. The campaign relies entirely on user interaction and trust-based delivery.
Vulnerabilities and Abuse of Android Features
ClayRat does not exploit a zero-day vulnerability. Instead, it abuses legitimate Android features and weaknesses commonly found on older or poorly secured devices.
The following conditions significantly increase infection success:
- Older Android releases that lack recent permission hardening (for example, the restricted settings newer versions apply to sideloaded apps that ask for accessibility access)
- Users willing to grant accessibility service access when the app asks for it
- Users accustomed to sideloading applications
- Lack of mobile endpoint protection
On vulnerable devices, the malware abuses Accessibility Services to:
- Automatically grant itself additional permissions
- Maintain persistence without repeated user prompts
- Bypass some user visibility into background activity
This is not a software flaw but a misuse of trusted system features.
Malware Behavior After Installation
Once active, ClayRat performs the following actions:
- Registers itself to start automatically at device boot
- Runs as a background service disguised as a system or update process
- Collects device metadata including phone number, OS version, carrier, and locale
- Establishes encrypted communication with command-and-control infrastructure
The malware avoids aggressive behavior to reduce the chance of detection.
Data Collected and Exfiltrated
ClayRat focuses on information that enables surveillance and lateral spread:
- All incoming and outgoing SMS messages
- Call logs including timestamps and durations
- Full contact lists with names and phone numbers
- Device identifiers and network information
Captured data is periodically bundled and transmitted to remote servers when the device is idle or connected to Wi-Fi.
Propagation and Secondary Payload Activity
A defining characteristic of ClayRat is its use of infected devices as distribution hubs.
Using harvested contact lists, the malware automatically sends SMS messages to every stored contact. These messages:
- Are written in casual, conversational Russian
- Contain malicious download links
- Imply urgency or curiosity
- Appear to come from a trusted source
This creates exponential spread without additional attacker effort.
Some variants include a lightweight command module that allows operators to:
- Trigger SMS campaigns on demand
- Update message templates
- Clear local activity logs
- Modify beaconing intervals
No ransomware or destructive payloads were observed.
Impacted Users and Industries
The campaign primarily affects individual users, but indirect organizational impact is significant.
High-risk sectors include:
- Telecommunications
- Logistics and transportation
- Regional government and municipal services
- Small and mid-sized businesses
- Any organization using personal Android devices for work
Risks include exposure of business communications, interception of one-time passcodes, and mapping of internal contact networks.
Command and Control Infrastructure
ClayRat communicates with attacker-controlled servers over encrypted HTTP traffic whose request pattern is designed to resemble normal mobile app communication. Because the payloads are encrypted in transit, network detection has to rely on metadata (destination, cadence, volume) rather than content inspection.
Observed characteristics:
- Frequent low-volume beaconing
- Periodic bulk data uploads
- Hosting on low-reputation VPS providers
- Regular domain and IP rotation
The infrastructure prioritizes survivability over complexity.
Indicators of Compromise (IOCs)
Malicious Domains
- api-clayapp[.]ru
- cdn-videoapp[.]su
- update-service[.]online
- media-shareapp[.]site
- app-support24[.]ru
IP Addresses
- 45[.]141[.]86[.]112
- 185[.]225[.]73[.]44
- 91[.]214[.]124[.]19
Suspicious APK Package Names
- com.whatsapp.update.service
- com.tiktok.video.play
- com.android.system.updateapp
- com.telegram.media.viewer
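The atomic IOCs above are only useful once they are refanged and matched correctly (subdomains of an IOC domain count, lookalikes such as api-clayapp.ru.example.com do not). The script below is an added example written for this report, not ClayRat code or any vendor's tool. It takes the domains, IPs and package names listed above, matches them against a constructed key=value proxy log and a constructed package inventory in the format `adb shell pm list packages` prints, and additionally flags packages that borrow a messenger's brand without being the official package; the log format, the inventory format and the sample data are assumptions.

```python
# Added example for this report (not ClayRat code or a vendor tool): refang the
# IOCs listed above and match them against offline artifacts. The key=value log
# line format and the "package:" inventory format are assumptions; the
# inventory format mirrors `adb shell pm list packages` output.
import ipaddress
import re
from dataclasses import dataclass

# IOC values exactly as listed in this report (defanged with "[.]").
IOC_DOMAINS = ["api-clayapp[.]ru", "cdn-videoapp[.]su", "update-service[.]online",
               "media-shareapp[.]site", "app-support24[.]ru"]
IOC_IPS = ["45[.]141[.]86[.]112", "185[.]225[.]73[.]44", "91[.]214[.]124[.]19"]
IOC_PACKAGES = ["com.whatsapp.update.service", "com.tiktok.video.play",
                "com.android.system.updateapp", "com.telegram.media.viewer"]
# Official package names of the impersonated apps (well-known values), used to
# spot brand lookalikes that are not on the IOC list yet.
OFFICIAL = {"whatsapp": {"com.whatsapp"},
            "telegram": {"org.telegram.messenger"},
            "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"}}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b", "hxxp://") back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


@dataclass(frozen=True)
class IocSet:
    domains: frozenset
    ips: frozenset
    packages: frozenset

    @classmethod
    def from_report(cls) -> "IocSet":
        ips = frozenset(refang(i) for i in IOC_IPS)
        for ip in ips:
            ipaddress.ip_address(ip)  # fail early on a typo in the IOC list
        return cls(frozenset(refang(d) for d in IOC_DOMAINS), ips, frozenset(IOC_PACKAGES))

    def domain_hit(self, host: str) -> bool:
        """True for an IOC domain or any subdomain of it; False for a lookalike
        that merely starts with it (e.g. api-clayapp.ru.example.com)."""
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse 'key=value key2="quoted value"' proxy/DNS log lines."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_network_log(lines, iocs: IocSet):
    """Return (source, [reasons]) for every line touching an IOC domain or IP."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        reasons = []
        if iocs.domain_hit(ev.get("host", "")):
            reasons.append("domain:" + ev["host"])
        if ev.get("dst") in iocs.ips:
            reasons.append("ip:" + ev["dst"])
        if reasons:
            hits.append((ev.get("src"), reasons))
    return hits


def scan_package_list(pm_output: str, iocs: IocSet):
    """Classify installed packages: exact IOC matches and brand lookalikes."""
    exact, lookalike = [], []
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        pkg = line[len("package:"):].strip()
        if pkg in iocs.packages:
            exact.append(pkg)
            continue
        for brand, official in OFFICIAL.items():
            if brand in pkg.lower() and pkg not in official:
                lookalike.append(pkg)
                break
    return exact, lookalike


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "ts=100 src=10.8.0.21 dst=45.141.86.112 host=api-clayapp.ru method=POST bytes=412",
    "ts=160 src=10.8.0.21 dst=203.0.113.9 host=cdn.cdn-videoapp.su method=GET bytes=3021",
    "ts=220 src=10.8.0.35 dst=198.51.100.7 host=api-clayapp.ru.example.com method=GET bytes=88",
    "ts=300 src=10.8.0.35 dst=198.51.100.8 host=www.example.net method=POST bytes=700",
]
SAMPLE_PM = ("package:com.whatsapp\npackage:com.whatsapp.update.service\n"
             "package:org.telegram.messenger\npackage:com.telegram.media.viewer\n"
             "package:com.tiktok.lite.player\n")


def demo():
    iocs = IocSet.from_report()
    return scan_network_log(SAMPLE_LOG, iocs), scan_package_list(SAMPLE_PM, iocs)


if __name__ == "__main__":
    net, (exact, lookalike) = demo()
    print("network hits:", net)
    print("IOC packages:", exact, "lookalikes:", lookalike)
```

Exact package matches are the high-confidence signal; the lookalike tier is there because the campaign's package names all borrow a messenger's brand, so a new variant with a renamed package would still surface for review. Feed `scan_package_list` the real `pm list packages` output from a suspect device and `scan_network_log` your proxy or DNS export in the same key=value shape.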
Behavioral IOCs
- Sudden spike in outbound SMS activity
- Repeated small HTTP POST requests from an Android device to the same uncommon domain at a steady interval
- Background services running under misleading names
- SMS messages containing shortened URLs sent to all contacts
Detection Guidance – Splunk
Detect Mass SMS Sending
index=mobile_logs event_type=sms_sent
| bin _time span=10m
| stats count as sms_count by device_id, _time
| where sms_count > 15
Field names (event_type, device_id) are placeholders for whatever your MDM or mobile threat defense product forwards to Splunk. The bin step is required: grouping by a raw _time yields one row per event, so the threshold would never trigger.
Detect Suspicious Android Network Activity
index=network_logs method=POST user_agent="*Android*"
| bin _time span=1h
| stats count by src_ip, dest_domain, _time
| where count > 100
Android user-agent strings do not start with "Android" (they look like Mozilla/5.0 (Linux; Android 13; ...) or Dalvik/2.1.0 (Linux; U; Android 13; ...)), so the match must be a substring match, and the count needs a time bucket to be a rate rather than an all-time total.
Detection Guidance – Microsoft Sentinel (KQL)
Abnormal SMS Volume
DeviceEvents
| where ActionType == "SmsSent"
| summarize SmsCount = count() by DeviceId, bin(TimeGenerated, 10m)
| where SmsCount > 15
Microsoft Defender for Endpoint does not by itself report individual SMS sends from Android; this query assumes an MDM or mobile threat defense connector writes such events with that ActionType. Adjust the table and value to match your actual source.
Suspicious Outbound Connections
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| join kind=inner (
    DeviceInfo
    | where OSPlatform == "Android"
    | distinct DeviceId
  ) on DeviceId
| summarize ConnectionCount = count() by DeviceId, RemoteUrl, bin(TimeGenerated, 1h)
| where ConnectionCount > 100
DeviceNetworkEvents carries no platform column, so the Android filter comes from a join against DeviceInfo.OSPlatform; as with the Splunk version, the count is bucketed so that 100 connections means 100 per hour.
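The SPL and KQL above express two of the behavioural IOCs as threshold counts. The script below is an added example written for this report, not ClayRat code or a vendor detection, that implements the same two checks over constructed telemetry so the logic can be tested offline: a sliding 10-minute window that flags a device sending more than 15 SMS (the threshold from the guidance above) and records how many distinct recipients and links those messages carried, and a beaconing test that goes beyond the raw count by measuring how regular the POST inter-arrival times are (coefficient of variation of the gaps), which is what separates a fixed beacon interval from a chatty but human-driven app. Event field names, the jitter values and the link regex are assumptions.

```python
# Added example for this report (not ClayRat code or a vendor detection): the
# mass-SMS and beaconing behavioural IOCs implemented over constructed
# telemetry. Event shapes (device, ts in seconds, to/body for SMS, host/method
# for network) are assumptions.
import re
import statistics
from collections import defaultdict, deque

# Heuristic for a shortener-style link: a host plus one short path token.
SHORT_URL_RE = re.compile(r"https?://[\w.-]+/[A-Za-z0-9]{4,12}\b")


def sms_bursts(events, window_s=600, threshold=15):
    """Per device, the busiest sliding window of SMS sends; reported only when
    it exceeds `threshold`, with distinct recipients and link-bearing messages."""
    by_dev = defaultdict(list)
    for e in events:
        by_dev[e["device"]].append(e)
    flagged = {}
    for dev, evs in by_dev.items():
        evs.sort(key=lambda e: e["ts"])
        win, best = deque(), None
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window_s:
                win.popleft()
            if len(win) > threshold and (best is None or len(win) > best["count"]):
                best = {"count": len(win),
                        "recipients": len({w["to"] for w in win}),
                        "with_link": sum(1 for w in win if SHORT_URL_RE.search(w["body"]))}
        if best:
            flagged[dev] = best
    return flagged


def beacon_candidates(events, min_count=20, max_cv=0.2, method="POST"):
    """Per (device, host), flag POST streams whose inter-arrival times are too
    regular to be human driven: coefficient of variation of the gaps <= max_cv."""
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == method:
            by_pair[(e["device"], e["host"])].append(e["ts"])
    out = []
    for (dev, host), ts in sorted(by_pair.items()):
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            out.append({"device": dev, "host": host, "count": len(ts),
                        "interval_s": round(mean), "cv": round(cv, 3)})
    return out


# Constructed sample telemetry (not real data). android-017 plays the infected
# device: 18 SMS with a link to 18 contacts in three minutes, plus a 300 s
# beacon; android-042 is a normal user.
SMS = [{"device": "android-017", "ts": 1000 + 10 * i, "to": f"+79{i:09d}",
        "body": "глянь видео, это ты? https://short.example/aB3dE9"} for i in range(18)]
SMS += [{"device": "android-042", "ts": t, "to": "+79000000001", "body": "буду через час"}
        for t in (2000, 5000, 9000)]

_JITTER = [0, 4, -3, 2, -5, 1, 3, -2, 0, 5, -4, 2, 1, -1, 3, -3, 0, 2, -2, 4, -1, 1, -4, 3]
_HUMAN = [30, 600, 5, 1800, 90] * 5  # irregular gaps, 25 of them


def _series(device, host, gaps, start=0):
    ts, out = start, []
    for g in [0] + gaps:  # first event at `start`, then one per gap
        ts += g
        out.append({"device": device, "ts": ts, "host": host, "method": "POST"})
    return out


NET = (_series("android-017", "api-clayapp.ru", [300 + j for j in _JITTER])
       + _series("android-042", "www.example.net", _HUMAN))


def demo():
    return sms_bursts(SMS), beacon_candidates(NET)


if __name__ == "__main__":
    bursts, beacons = demo()
    print("SMS bursts:", bursts)
    print("beacons:", beacons)
```

The benign device makes more POSTs than the infected one in absolute terms, yet only the infected device is reported, because its gaps cluster tightly around 300 seconds while the human series has a coefficient of variation above 1. Tune `max_cv` upward if the variant you face adds deliberate jitter (the command module above can change beaconing intervals), and pair the beacon output with the recipient and link counts from `sms_bursts` before escalating.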
Containment and Mitigation Recommendations
- Block sideloading on managed devices by disallowing installation from unknown sources in device policy
- Restrict accessibility service access to an allowlist of known apps, and alert when a sideloaded app is granted it
- Enforce mobile endpoint protection that inspects sideloaded APKs
- Educate users that a link "from a contact" is exactly how this campaign spreads: verify out of band before installing anything
- Monitor SMS and network anomalies using the detection guidance above
- On a compromised device, remove the app, reset credentials and revoke tokens; treat any SMS-delivered one-time codes received while it was infected as compromised, and move MFA off SMS where possible
Conclusion
ClayRat is a reminder that effective malware does not always rely on advanced exploits. By abusing trust, familiarity, and permissive mobile behaviors, this campaign quietly turned everyday smartphones into surveillance tools and malware distribution points. Its real danger lies in scale, persistence, and the erosion of privacy rather than immediate disruption.
