A new one is making waves spyware for Android, called ClayRatwhich is distributed via Telegram channels and fake sites, masquerading as popular services such as TikTok, YouTube, WhatsApp or Google Photos.
Although it is mainly targeting Russian users, it is a very dangerous spyware because it is capable of spreading at a rapid pace and, once in action, it is able to have control over SMS (including sending), call logs, notifications, device information, camera; it can even make calls from the victim’s device. Let’s find out all the details.
How ClayRat is distributed
As anticipated at the beginning, ClayRat it is distributed via Telegram channels and counterfeit sites, designed specifically to deceive less attentive users with web pages that recall those of very famous and used services.
These sites act as bait, redirecting visitors to Telegram channels where the “malicious” APK package can be downloaded or there is a link to download it. To ensure that users are well arranged To install its APK package, the malware is often accompanied by simple yet detailed instructions explaining how get around security alerts built into Android.
To make the situation even more attractive, the attackers pepper the Telegram channels they deal malware with fake positive reviews, ad hoc inflated download numbers and false user “testimonials”. With this approach, attackers ensure a sort of “affiliate”-style threat propagation, making it more difficult to interrupt the spyware campaign.
In addition to the bait sites, there are also sites (always fake) that recall those of services known to host counterfeit APKs that are passed off as legitimate updates or add-ons for the reference app or service.
Also in this case, detailed instructions are provided for sideloading the counterfeit APK and, obviously, the main tactic adopted by the bad guys is to explain how to install applications from unknown sources.
There are even some variations of ClayRat which leverage an even greater level of complexity, with a first app (via APK) simply acting as a hub for (automatic) sorting of actual threats that are encrypted and stored in the app’s resources. In this case, an app was even found that emulates an update available through the Google Play Store.
The last aspect to consider from the perspective of the spread of spyware is its ability to “self-fuel” the spread: when it comes into action, it is able to automatically compose and send SMS to all the contacts in the address book; recipients will be more inclined to open a link if received from one of their contacts. Each infected device, therefore, in turn becomes a new node in the distribution; spyware can thus spread exponentially.
The potential of this Spyware
So far we have seen how it is spread ClayRat but now it’s time to understand what spyware does when it goes into action. As you may have understood from the previous paragraph, One of spyware’s most effective tactics is hijacking Android’s default SMS manager role.
When an app is given this role, one of the most “sensitive” among those available on Android, it obtains total access to the content of the SMS and the messaging functions. As a result, falling into the hands of spyware, it allows it to read, store and send/forward text messages on a large scale.
With a single step, therefore, ClayRat is capable of read all incoming (and stored) messages on your deviceOf send new text messagesOf intercept any communications before they can reach other appsand even of access the various SMS databases and modify them.
In addition, once the appropriate authorizations have been received, the spyware it takes photos of the unsuspecting user (using the front camera) and uploads them to its command and control server (hence the name of the spyware, as you can see in the previous image). Here are all the commands the server can send:
- get_apps_list — sends the list of installed apps to the server
- get_calls — send call logs
- get_camera — take a photo with the front camera and send it to the server
- get_sms_list — exfiltrates SMS messages
- messsms — send mass SMS to all contacts
- send_sms / make_call — send SMS or make calls from the device
- notifications/ get_push_notifications — capture push notifications and data
- get_device_info — collects device information
- get_proxy_data — retrieves a proxy WebSocket URL, adds the device ID, and initializes a connection object (converts HTTP/HTTPS to WebSocket and schedules tasks)
- retransmishion — resends an SMS to a number received from the server
Zimperium, the US company that operates in mobile security that is monitoring ClayRatit is part of theDefense Alliance App and has already shared the complete IoCs with Google; in this way, Play Protect is able to block new (and future) variants of spyware.
