ClayRat Telegram phishing distribution campaign targeting Android users in Russia
Campaign
Summary
The ClayRat campaign is an active Android spyware operation that now includes a newer iteration with expanded surveillance and device-control features. Researchers reported keylogging, full screen recording, deceptive overlays, and automated actions that can block shutdown or app removal, while the malware continues to spread through phishing sites and Dropbox-hosted APKs. The campaign has also been observed using 25 active phishing domains impersonating services such as YouTube, and the report says it targets BYOD environments where an infected device could enable data theft, fraud, and unauthorized access.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
Premium Deception Android malware campaign
Campaign
First: 20.05.2026 18:30
Last: 20.05.2026 18:30
Sources 1
About this happening:
The **Premium Deception** campaign used **nearly 250 fake Android apps** to enroll victims in premium mobile billing subscriptions, creating direct fraud risk across multiple coun...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Timeline
- 09.10.2025 18:30 · 4 articles
ClayRat Android spyware campaign uses Telegram and phishing sites
Technical Analysis Update
ClayRat is a rapidly evolving Android spyware campaign targeting users in Russia through Telegram channels and lookalike phishing websites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. Some samples act as droppers with a fake Play Store update screen and an encrypted payload hidden in app assets, then use standard HTTP to reach C2 infrastructure, request the default SMS app, and enable collection of SMS messages, call logs, notifications, device information, photos, phone calls, and installed-app lists; the malware can also self-propagate by sending malicious links to contacts. Zimperium identified at least 600 samples and 50 droppers over the last 90 days.
Sources:
- New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps — thehackernews.com — 09.10.2025 18:30
- New Android spyware ClayRat imitates WhatsApp, TikTok, YouTube — www.bleepingcomputer.com — 10.10.2025 00:06
- ClayRat Android Spyware Expands Capabilities — www.infosecurity-magazine.com — 08.12.2025 18:45