ClayRat Android spyware targeting Russian users

Malware Activity
H score 33
2 unique sources, 2 articles

Summary

ClayRat is an Android spyware campaign targeting users in Russia through Telegram channels and phishing websites that impersonate popular apps such as WhatsApp, TikTok, Google Photos, and YouTube. Once installed, the malware can steal SMS messages, call logs, notifications, device information, contacts, and front-camera photos. It can also send SMS messages, place calls, and propagate by sending malicious links to contacts. The campaign appears to be rapidly evolving, with more than 600 samples and 50 droppers identified over roughly three months. Some droppers use a fake Play Store update screen to help bypass newer Android installation friction, and findings were shared with Google to support protection through Play Protect.

Related Happenings

Asin Android spyware distribution through fake utility, PDF, and war-map apps

Malware Activity
H score 22 · First: 05.06.2026 17:53 · Last: 05.06.2026 17:53 · Sources: 1

About this happening: The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...

Google rolls out Android fake call detection against AI impersonation scam calls

Security Tool/Service
H score 20 · First: 03.06.2026 12:02 · Last: 03.06.2026 12:02 · Sources: 1

About this happening: **Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...

WeedHack YouTube and SEO poisoning campaign targeting Minecraft players

Campaign
H score 73 · First: 03.06.2026 00:54 · Last: 03.06.2026 00:54 · Sources: 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score 25 · First: 27.05.2026 19:10 · Last: 27.05.2026 19:10 · Sources: 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score 28 · First: 26.05.2026 17:00 · Last: 26.05.2026 17:00 · Sources: 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Timeline

  1. 09.10.2025 18:30 2 articles · 8mo ago

    ClayRat targets Android users in Russia

    Initial Disclosure

    ClayRat is a rapidly evolving Android spyware campaign targeting users in Russia through Telegram channels and lookalike phishing sites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. The malware can exfiltrate SMS messages, call logs, notifications, and device information, take photos with the front camera, place calls, send SMS messages, request default-SMS access, and propagate by sending malicious links to contacts. Some samples act as droppers with a fake Play Store update screen, and Zimperium says it has identified 600 samples and 50 droppers over the last 90 days.

  2. 09.10.2025 15:30 2 articles · 8mo ago

    ClayRat spyware targets Russian Android users

    Initial Disclosure

    ClayRat is a rapidly evolving Android spyware campaign targeting Russian users through Telegram channels and phishing websites that impersonate WhatsApp, TikTok, Google Photos and YouTube. Researchers identified more than 600 distinct samples and 50 droppers over the past three months, with new obfuscation layers added to evade security tools. The malware abuses Android's default SMS handler role, can read, store and send text messages without alerting users, and can steal SMS messages, call logs, notifications, device identifiers, contact lists and front-camera photos while also sending SMS messages or placing calls from infected devices. Findings were shared with Google to support protection through Google Play Protect.
