CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ClayRat Spyware Campaign Targets Android Users in Russia

First reported
Last updated
3 unique sources, 4 articles

Summary

Hide ▲

A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 600 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone. The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status. Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.

Timeline

  1. 11.11.2025 13:44 1 articles · 23h ago

    Fantasy Hub MaaS Product Sold on Telegram Channels

    Fantasy Hub is a new Android RAT sold as a MaaS product on Russian-speaking Telegram channels. It enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status.

    Show sources
    Open in new tab
  2. 09.10.2025 15:30 4 articles · 1mo ago

    ClayRat Spyware Campaign Targets Android Users in Russia

    ClayRat uses AES-GCM encryption for its C2 communications in its latest versions. ClayRat can capture notifications and push data from infected devices. ClayRat can fetch a proxy WebSocket URL, append device ID, and initialize a connection object. ClayRat can resend an SMS to a number received from the C2 server. ClayRat uses a session-based installation method to bypass Android 13+ restrictions and reduce user suspicion. Fantasy Hub, a new Android RAT, is sold as a MaaS product on Russian-speaking Telegram channels, enabling device control and espionage, and abusing the default SMS privileges to obtain access to SMS messages, contacts, camera, and files.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Malicious Android apps on Google Play downloaded 42 million times

Between June 2024 and May 2025, 239 malicious Android apps on Google Play were downloaded over 42 million times. These apps primarily targeted mobile payments and financial information using various social engineering techniques. The manufacturing and energy sectors saw significant increases in mobile attacks, with the energy sector recording a 387% annual increase. The geographic impact highlighted substantial increases in attacks targeting India, the United States, and Canada, with notable spikes in Italy and Israel. IoT devices, particularly routers, were also heavily targeted, with Mirai and Gafgyt malware variants accounting for 75% of all blocked IoT requests. The shift to social engineering attacks reflects improved security standards in traditional payment methods. Zscaler observed a 67% year-over-year growth in mobile malware, with banking malware reaching 4.89 million transactions in 2025. Three notable malware families—Anatsa, Android Void, and Xnotice—were highlighted for their impact on Android users.

Open in new tab

BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data

Two Android trojans, BankBot-YNRK and DeliveryRAT, are stealing financial data from compromised devices. BankBot-YNRK targets Android devices running versions 13 and below, while DeliveryRAT is distributed as malware-as-a-service (MaaS) via Telegram. Both trojans use sophisticated techniques to evade detection and harvest sensitive information. BankBot-YNRK checks for virtualized environments and specific device models to ensure it runs only on real devices. It targets financial apps and uses accessibility services to perform malicious actions. DeliveryRAT, meanwhile, is advertised through a Telegram bot and targets Russian Android users, often masquerading as legitimate apps. Both trojans have been active since mid-2024, with BankBot-YNRK focusing on Android devices and DeliveryRAT targeting a broader range of apps and services.

Open in new tab

Herodotus Android malware evades detection with human-like typing

A new Android malware family, Herodotus, uses random typing delays to mimic human behavior and evade detection by security software. The malware is offered as a service to financially motivated cybercriminals and is currently targeting Italian and Brazilian users through SMS phishing. Herodotus bypasses Accessibility permission restrictions in Android 13 and later, allowing it to interact with the user interface and steal sensitive information. The malware includes a 'humanizer' mechanism that introduces random delays in text input to avoid detection by behavioral anti-fraud solutions. It also features a control panel for custom SMS texts, overlay pages for credential theft, and SMS stealing for two-factor authentication interception. Herodotus is spread by multiple threat actors, with seven distinct subdomains detected. The malware is under active development and targets financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges. It is designed to perform device takeover (DTO) attacks and can steal two-factor authentication (2FA) codes sent via SMS, intercept screen content, grab the lockscreen PIN or pattern, and install remote APK files.

Open in new tab

ToSpy and ProSpy spyware targeting UAE users

Two spyware families, ToSpy and ProSpy, are targeting Android users in the UAE by masquerading as the ToTok app and Signal encryption plugins. These campaigns have been active since 2022 and 2024, respectively, and exploit the popularity and local trust of ToTok to infiltrate devices and exfiltrate sensitive data. ToTok, a messaging app developed by G42 and supported by the UAE government, was exposed as spyware in 2019 and removed from major app stores. Despite this, it continues to circulate outside official channels, providing cover for malicious actors. The spyware families request invasive permissions to steal device information, contacts, SMS messages, and various file types. Google Play Protect is designed to mitigate these threats, but users are still at risk if they download apps from untrusted sources. The spyware campaigns are distributed via fake websites and social engineering, establishing persistent access to compromised devices. The ProSpy campaign was discovered in June 2025 and has been ongoing since 2024, while the ToSpy campaign began on June 30, 2022, and is currently ongoing. The spyware families use deceptive websites masquerading as legitimate services to distribute malware. The spyware families exfiltrate device information, SMS messages, contact lists, files, and a list of installed applications. The spyware families use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated. The spyware families automatically launch the necessary background services upon a device reboot.

Open in new tab

Klopatra Android Trojan Conducts Nighttime Bank Transfers

A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them. Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. The malware integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis. It uses native libraries to reduce its Java/Kotlin footprint and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing. Klopatra uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.

Open in new tab