ClayRat Android spyware distribution and surveillance activity
Malware Activity
Summary
The ClayRat Android spyware campaign has added a newer build with expanded surveillance and device-control features. Zimperium said the update adds keylogging, screen recording, deceptive overlays, and automated taps that can help block shutdown or app removal, building on earlier abuse of SMS, call logs, photos, and mass texting. The spyware is distributed through phishing sites and APKs hosted on Dropbox, with the report noting more than 700 APKs and over 25 active phishing domains. The activity remains a risk for BYOD environments because a single infected Android device can expose notifications, authentication prompts, and screen content, enabling data theft, fraud, and unauthorized access.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
Premium Deception Android malware campaign
Campaign
First: 20.05.2026 18:30
Last: 20.05.2026 18:30
Sources 1
About this happening:
The **Premium Deception** campaign used **nearly 250 fake Android apps** to enroll victims in premium mobile billing subscriptions, creating direct fraud risk across multiple coun...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Timeline
- 10.10.2025 00:06 3 articles · 7mo ago
ClayRat Android spyware disclosure and defense response
Technical Analysis Update
Zimperium identified ClayRat as a new Android spyware campaign targeting Russian users through Telegram channels and lookalike websites that impersonate WhatsApp, Google Photos, TikTok, and YouTube. The malware uses session-based installation to bypass Android 13+ restrictions, and some samples act as droppers with a fake Play Store update screen and an encrypted payload in app assets; once active, it can steal SMS, call logs, notifications, and photos, and it can use infected devices to propagate by sending SMS to contacts. After Zimperium shared full IoCs through the App Defense Alliance, Google Play Protect began blocking known and new variants.
- New Android spyware ClayRat imitates WhatsApp, TikTok, YouTube — www.bleepingcomputer.com — 10.10.2025 00:06
- ClayRat Android Spyware Expands Capabilities — www.infosecurity-magazine.com — 08.12.2025 18:45