ClayRat Android Malware Steals SMS Messages and Call Logs and Captures Victim Photos

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A dangerous new Android spyware variant called ClayRat has emerged as a significant threat to mobile device security worldwide.

First identified in October by Zimperium's zLabs team, this malware represents a concerning evolution in mobile threats, with capabilities that give attackers near-complete control over infected devices.

The spyware demonstrates sophisticated techniques to steal sensitive personal data while remaining hidden from victims who might otherwise detect and remove it.

ClayRat operates by mimicking legitimate applications, including popular platforms like YouTube and messaging apps, as well as localized services such as Russian taxi and parking applications.

The malware primarily spreads through phishing websites, with more than 25 fraudulent domains currently active and hosting malicious APK files.

Additionally, cloud storage services like Dropbox have been observed distributing the malware, expanding its reach significantly.

Researchers have already catalogued more than 700 unique APK files in a short period, indicating a large-scale distribution campaign.

Malware impersonating YouTube and a local connection stabilizer app (Source: Zimperium)

The malware enters devices through deceptive installation prompts that ask the user to grant SMS permissions and enable an Accessibility Service.

Zimperium security analysts identified that ClayRat employs a dropper technique to bypass Android security restrictions.

The real payload is stored encrypted in the application's assets folder and is decrypted at runtime with AES in CBC mode, using a key embedded in the app. Because the installed APK's own code contains little of the spyware logic, static scanners that only inspect the visible DEX see considerably less than they would with a conventional build.

Opening the assets folder and using AES-CBC for decryption (Source: Zimperium)
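The dropper pattern described above leaves a footprint that can be checked without running the sample: a high-entropy blob under assets/ plus code that loads a DEX at runtime. The following is an added triage script, not Zimperium's tooling, that scans an APK for that combination. It does not decrypt anything; the entropy threshold, the marker strings and the in-memory sample APK (a benign text asset, a ciphertext-like asset and a fake classes.dex) are assumptions constructed for the demonstration.

```python
"""Triage an APK for a ClayRat-style encrypted dropper payload.

Added example, not the malware's or Zimperium's code. The APK scanned
below is constructed in memory; real samples are read from disk.
"""
import io
import math
import random
import zipfile
from collections import Counter

# Assumed threshold: AES ciphertext scores close to 8.0 bits/byte, while
# text, XML and most image assets sit well below 7.5.
ENTROPY_THRESHOLD = 7.5
# Class references a dropper needs to decrypt and load a hidden DEX.
LOADER_MARKERS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
    b"javax/crypto/Cipher",
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes: bytes) -> dict:
    """Return high-entropy assets and runtime-loader markers found in the APK."""
    findings = {"high_entropy_assets": [], "loader_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if info.filename.startswith("assets/"):
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings["high_entropy_assets"].append((info.filename, round(ent, 2)))
            elif info.filename.endswith(".dex"):
                for marker in LOADER_MARKERS:
                    if marker in data:
                        findings["loader_markers"].append(marker.decode())
    return findings


def is_likely_dropper(findings: dict) -> bool:
    """Both signals together: an encrypted blob in assets and a runtime class loader."""
    has_loader = any("ClassLoader" in m for m in findings["loader_markers"])
    return bool(findings["high_entropy_assets"]) and has_loader


def build_sample_apk() -> bytes:
    """Constructed sample APK (not a real ClayRat file) for the demonstration."""
    rng = random.Random(1234)  # deterministic stand-in for AES output
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/strings.json", b'{"title": "Connection Stabilizer"}' * 50)
        zf.writestr("assets/payload.bin", rng.randbytes(8192))
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00Ldalvik/system/DexClassLoader;Ljavax/crypto/Cipher;AES/CBC/PKCS5Padding",
        )
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_apk(build_sample_apk())
    print(result)
    print("likely dropper:", is_likely_dropper(result))
```

Entropy alone is not proof: compressed images and fonts also score high, which is why the script only raises the dropper verdict when a runtime class loader is referenced as well. To run it on a real sample, replace build_sample_apk() with the bytes of the APK under analysis.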

Once installed, ClayRat escalates its privileges by asking the user to enable its Accessibility Service and to set it as the default SMS app.

An app that holds both roles can read and send SMS, observe every screen and inject taps on the user's behalf, which gives the attacker comprehensive control of the device.

Persistence Tactics Through Accessibility Service Abuse

The new variant significantly expands its capabilities through aggressive misuse of Accessibility Services.

After obtaining the necessary permissions, the malware uses the Accessibility Service to inject screen taps that disable the Play Store, removing Google Play Protect's protection without the user's knowledge.

The spyware also monitors lock screen interactions, including button presses and pattern strokes, through Accessibility events, and reconstructs PIN codes, passwords and unlock patterns from them.

Request for default SMS and accessibility permissions (Source: Zimperium)

When the victim next enters the lock-screen secret, the malware records it in SharedPreferences under the key lock_password_storage.

Using the stored secret, the malware can then execute an auto_unlock command that replays the unlock gestures, so the device can be unlocked on demand without any action from the victim.

This technique ensures ClayRat maintains persistent access regardless of attempted device security measures.
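The three behaviours above (an unexpected accessibility service, a changed default SMS app, and a cached lock-screen secret) are also the indicators a responder can check on a suspect device. The following is an added triage script, not Zimperium's tooling: it parses the values of `settings get secure enabled_accessibility_services` and `settings get secure sms_default_application` as pulled with adb, plus any shared_prefs XML files obtained from a backup or a rooted pull. The allowlists, the package name com.example.connstab and the sample XML are constructed assumptions for the demonstration.

```python
"""Post-infection triage for the ClayRat behaviours described in the article.

Added example, not Zimperium's tooling. Inputs are the raw strings that
'adb shell settings get secure ...' prints and the text of SharedPreferences
XML files; the samples at the bottom are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Assumption: services and SMS apps the organisation expects to see.
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback/.TalkBackService"}
KNOWN_GOOD_SMS = {"com.google.android.apps.messaging"}
# Key under which the article says ClayRat caches the captured lock secret.
LOCK_PREF_KEY = "lock_password_storage"


def parse_accessibility_services(value: str) -> List[str]:
    """Split the colon-separated 'package/class' list Android stores."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [svc for svc in value.split(":") if svc]


def find_lock_secret(prefs_xml: str) -> Optional[str]:
    """Return the value stored under lock_password_storage, or None."""
    root = ET.fromstring(prefs_xml)
    for elem in root:
        if elem.get("name") == LOCK_PREF_KEY:
            return elem.text or elem.get("value", "")
    return None


def triage(a11y_value: str, default_sms: str, prefs_by_pkg: Dict[str, str]) -> List[str]:
    """Turn the three artefacts into human-readable findings."""
    findings: List[str] = []
    suspect_pkgs = set()
    for svc in parse_accessibility_services(a11y_value):
        if svc not in KNOWN_GOOD_A11Y:
            findings.append(f"unexpected accessibility service: {svc}")
            suspect_pkgs.add(svc.split("/", 1)[0])
    sms = default_sms.strip()
    if sms not in KNOWN_GOOD_SMS:
        findings.append(f"unexpected default SMS app: {sms}")
        if sms in suspect_pkgs:
            # The combination the article warns about: one app holding both roles.
            findings.append(f"{sms} holds both accessibility and default-SMS roles")
    for pkg, xml_text in prefs_by_pkg.items():
        if find_lock_secret(xml_text) is not None:
            # Report the presence only; never log the secret itself.
            findings.append(f"{pkg} caches a lock-screen secret under {LOCK_PREF_KEY}")
    return findings


# Constructed sample artefacts (not from a real device).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.connstab/.a.AccService"
)
SAMPLE_SMS = "com.example.connstab"
SAMPLE_PREFS = {
    "com.example.connstab": (
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        "<map>\n"
        '    <string name="lock_password_storage">1234</string>\n'
        '    <int name="ver" value="2" />\n'
        "</map>\n"
    )
}

if __name__ == "__main__":
    for line in triage(SAMPLE_A11Y, SAMPLE_SMS, SAMPLE_PREFS):
        print("[!]", line)
```

On a device where the only accessibility service is TalkBack and the default SMS app is unchanged, triage() returns an empty list; the script is meant to be fed real adb output in place of the constructed samples.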

Additionally, the malware captures photographs with the device camera, records screen content through the MediaProjection API, steals SMS messages and call logs, and creates fake notifications to trick users into replying with sensitive information.
