A cybersecurity vendor has discovered a new Android malware strain that spreads by infecting a handset and then sending malicious links to every contact in the victim’s phone book.
On Thursday, mobile security provider Zimperium warned about the “ClayRat” malware, which can spy on and steal data from infected Android phones. This includes intercepting SMS messages, exfiltrating call logs, and secretly taking photos with the camera.
The malware will also use the infected Android phone to target other victims. “ClayRat also spreads aggressively by sending malicious links to every contact in the victim’s phone book, effectively turning each infected device into a distribution hub,” Zimperium said. It’s why the malware appears to be “expanding at an alarming rate,” with Zimperium observing more than 600 samples of the malware in the last three months alone.
For now, ClayRat has primarily targeted users in Russia. Hackers are using the messaging app Telegram and fake websites that impersonate brands to trick users into installing the malware, which will masquerade as popular apps, including TikTok, YouTube, and Google Photos. For example, Zimperium found the malware spreading through a fake, but official-looking “YouTube Plus” site.
“To increase installation success, the malware is often accompanied by simple step-by-step instructions that encourage users to bypass Android’s built-in security warnings,” Zimperium adds. “The operators further amplify their reach by seeding these Telegram channels with manufactured social proof: staged positive comments, inflated download counts, and fake ‘user testimonials’ designed to reduce suspicion.”
(Credit: Zimperium)
By default, Android can warn and block the installation of apps downloaded from outside the Google Play Store. To beat this restriction, the malware can display “a fake Google Play update screen,” which can trick a user into authorizing the unknown app install.
If a user is tricked into installing ClayRat, it’ll then request SMS privileges, allowing the malware to hijack and send messages to all the phone’s contacts. This includes circulating an SMS message with the Russian words “Узнай первым!” or “Be the first to know!” along with a malicious link intended to further trick users into installing malware.
Recommended by Our Editors
“Because these messages appear to come from a trusted source, recipients are far more likely to click the link, join the same Telegram channel, or visit the same phishing site,” Zimperium says. “Each infected device therefore becomes a distribution node, fueling exponential spread without the need for new infrastructure.”
Zimperium named the malware ClayRat because its creator presents the name if you try to log into the malware’s command-and-control server. It has shared its findings with Google, a “collaboration [that] ensures that Android users are also automatically safeguarded against known versions of ClayRat through Google Play Protect,” the built-in malware prevention service on Android phones, it said.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio
