ClayRat Android spyware targeting Russian users
Malware Activity
Summary
ClayRat is an Android spyware campaign targeting users in Russia through Telegram channels and phishing websites that impersonate popular apps such as WhatsApp, TikTok, Google Photos, and YouTube. Once installed, the malware can steal SMS messages, call logs, notifications, device information, contacts, and front-camera photos. It can also send SMS messages, place calls, and propagate by sending malicious links to contacts. The campaign appears to be rapidly evolving, with more than 600 samples and 50 droppers identified over roughly three months. Some droppers use a fake Play Store update screen to help bypass newer Android installation friction, and findings were shared with Google to support protection through Play Protect.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
Premium Deception Android malware campaign
Campaign
First: 20.05.2026 18:30
Last: 20.05.2026 18:30
Sources 1
About this happening:
The **Premium Deception** campaign used **nearly 250 fake Android apps** to enroll victims in premium mobile billing subscriptions, creating direct fraud risk across multiple coun...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Timeline
- 09.10.2025 18:30 2 articles · 7mo ago
ClayRat targets Android users in Russia
Initial Disclosure
ClayRat is a rapidly evolving Android spyware campaign targeting users in Russia through Telegram channels and lookalike phishing sites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. The malware can exfiltrate SMS messages, call logs, notifications, and device information, take photos with the front camera, place calls, send SMS messages, request default-SMS access, and propagate by sending malicious links to contacts. Some samples act as droppers with a fake Play Store update screen, and Zimperium says it has identified 600 samples and 50 droppers over the last 90 days.
Sources:
- New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps — thehackernews.com — 09.10.2025 18:30
- 09.10.2025 15:30 2 articles · 7mo ago
ClayRat spyware targets Russian Android users
Initial Disclosure
ClayRat is a rapidly evolving Android spyware campaign targeting Russian users through Telegram channels and phishing websites that impersonate WhatsApp, TikTok, Google Photos and YouTube. Researchers identified more than 600 distinct samples and 50 droppers over the past three months, with new obfuscation layers added to evade security tools. The malware abuses Android's default SMS handler role, can read, store and send text messages without alerting users, and can steal SMS messages, call logs, notifications, device identifiers, contact lists and front-camera photos while also sending SMS messages or placing calls from infected devices. Findings were shared with Google to support protection through Google Play Protect.
Sources:
- ClayRat Spyware Campaign Targets Android Users in Russia — www.infosecurity-magazine.com — 09.10.2025 15:30