
"A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites, impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to get it installed. "Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; take photos with the front camera; and even send SMS messages or place calls directly from the victim's device," Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News."
"The mobile security company said it has detected no fewer than 600 samples and 50 droppers over the last 90 days, with each successive iteration incorporating new layers of obfuscation to sidestep detection efforts and stay ahead of security defenses. The malware name is a reference to the command-and-control (C2) panel that can be used to remotely administer the infected devices."
"The attack chain involves redirecting unsuspecting visitors of these bogus sites to Telegram channels under the adversary's control, from where they are tricked into downloading APK files by artificially inflating download counts and sharing manufactured testimonials as proof of their popularity. In other cases, bogus websites claiming to offer "YouTube Plus" with premium features have been found to host APK files that can bypass security protections enforced by Google to prevent sideloading of apps on devices running Android 13 and later."
ClayRat is an Android spyware campaign targeting users in Russia. Victims are lured through Telegram channels and lookalike phishing sites that impersonate popular apps (WhatsApp, Google Photos, TikTok, YouTube) and pressure them into sideloading an APK. Once installed, the spyware exfiltrates SMS messages, call logs, notifications, and device information; takes photos with the front camera; and can send SMS messages or place calls from the infected device. It also propagates itself by sending malicious links to every contact in the victim's phone book, so a link that arrives from a known number is no evidence of safety. Over a 90-day period, analysts observed at least 600 samples and 50 droppers, with successive builds adding obfuscation to avoid detection. Some samples act as droppers that display a fake Play Store update screen while installing the real payload, sidestepping the restrictions Android 13 and later place on sideloaded apps. The name refers to the C2 panel the operators use to administer infected devices.
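The capabilities listed above map to a small, recognisable set of Android manifest declarations, which makes a first-pass static triage of a suspicious APK cheap. The script below is an added example, not Zimperium's detection logic and not a ClayRat signature: it parses a decoded AndroidManifest.xml (the two manifests embedded here are constructed for illustration, including the package names), maps the declared permissions onto the capability clusters the report describes, and flags the combinations that matter most for this campaign (contacts plus SEND_SMS for self-propagation, REQUEST_INSTALL_PACKAGES for dropper behaviour, and the SMS/call-log/camera bundle). The cluster-to-permission mapping is an analyst's assumption about what each capability requires, not something the report states.

```python
"""Static manifest triage for the spyware capability profile described above.

Added example (not Zimperium's tooling). Run it against a manifest decoded
with apktool or aapt2; the manifests below are constructed test data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Capability clusters from the report -> permissions a sideloaded app must
# declare to implement them (assumption by the example's author).
CAPABILITY_PERMISSIONS = {
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "place_calls": {"android.permission.CALL_PHONE"},
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "install_apk": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# Notification access is not a uses-permission: the app declares a service
# guarded by this permission and the user grants it in Settings.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed manifest resembling the capability set described in the report.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.lure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".NotifSvc" android:permission="{NOTIFICATION_LISTENER}">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary camera app, for contrast.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.photo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (declared permission names, has_notification_listener_service)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")} - {None}
    listener = any(s.get(PERM) == NOTIFICATION_LISTENER for s in root.iter("service"))
    return perms, listener


def triage(xml_text):
    """Map declared permissions to capability clusters and raise flags."""
    perms, listener = parse_manifest(xml_text)
    found = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if needed & perms}
    if listener:
        found.add("notifications")
    flags = []
    # Self-propagation needs the contact list and the ability to send SMS.
    if {"contacts", "send_sms"} <= found:
        flags.append("sms_worm")
    # A dropper needs to be allowed to install a second APK.
    if "install_apk" in found:
        flags.append("dropper")
    # Core collection bundle from the report.
    if {"read_sms", "call_logs", "camera"} <= found:
        flags.append("spyware_bundle")
    return {"capabilities": sorted(found), "flags": flags}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A manifest check of this kind is only a first filter: the report notes successive builds add obfuscation, and a dropper's own manifest can be nearly empty while the dangerous permissions live in the payload APK it installs, so the payload has to be extracted and triaged as well.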
Read at The Hacker News