ClayRat Android spyware distribution and surveillance activity
Malware Activity
Summary
The ClayRat Android spyware campaign has added a newer build with expanded surveillance and device-control features. Zimperium said the update adds keylogging, screen recording, deceptive overlays, and automated taps that can help block shutdown or app removal, building on earlier abuse of SMS, call logs, photos, and mass texting. The spyware is distributed through phishing sites and APKs hosted on Dropbox, with the report noting more than 700 APKs and over 25 active phishing domains. The activity remains a risk for BYOD environments because a single infected Android device can expose notifications, authentication prompts, and screen content, enabling data theft, fraud, and unauthorized access.
Related Happenings
Asin Android spyware distribution through fake utility, PDF, and war-map apps
Malware Activity
H score: 22
First: 05.06.2026 17:53
Last: 05.06.2026 17:53
Sources: 1
About this happening:
The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/Service
H score: 20
First: 03.06.2026 12:02
Last: 03.06.2026 12:02
Sources: 1
About this happening:
**Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
H score: 21
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources: 1
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score: 25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources: 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score: 28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources: 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America and uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals; custom lures have included an Argentinian government agency theme.
Timeline
- 10.10.2025 00:06 · 3 articles · 8mo ago
ClayRat Android spyware disclosure and defense response
Technical Analysis Update
Zimperium identified ClayRat as a new Android spyware campaign targeting Russian users through Telegram channels and lookalike websites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. The malware uses session-based installation to bypass Android 13+ restrictions, and some samples act as droppers with a fake Play Store update screen and an encrypted payload in app assets; once active, it can steal SMS, call logs, notifications, and photos, and it can use infected devices to propagate by sending SMS to contacts. After Zimperium shared full IoCs through the App Defense Alliance, Google Play Protect began blocking known and new variants.
Sources:
- New Android spyware ClayRat imitates WhatsApp, TikTok, YouTube — www.bleepingcomputer.com — 10.10.2025 00:06
- ClayRat Android Spyware Expands Capabilities — www.infosecurity-magazine.com — 08.12.2025 18:45