Executive Summary
In October 2025, cybersecurity researchers at Zimperium disclosed a widespread Android spyware campaign dubbed ClayRat, which targeted Russian users through phishing portals, Telegram channels, and malicious websites mimicking popular apps such as WhatsApp, TikTok, YouTube, and Google Photos. Using fraudulent Play Store-like websites and social engineering tactics, attackers tricked users into sideloading APKs that installed malicious payloads via a session-based installation method, bypassing Android security. Once installed, ClayRat acts as the device's default SMS handler, enabling interception of messages, call logs, and notifications, and exfiltrates sensitive data over an AES-GCM-encrypted channel to a command and control (C2) server. It also uses infected devices to propagate itself by sending mass SMS messages to victims' contacts.
This incident underscores an accelerating trend in mobile spyware leveraging legitimate app impersonation and sophisticated delivery mechanisms. The high volume of ClayRat samples and droppers, the abuse of sideloading, and the global reach of Telegram-based distribution channels highlight persistent gaps in mobile endpoint and social engineering defenses.
Why This Matters Now
Mobile endpoints remain a critical vector for targeted cyber attacks, with advanced spyware like ClayRat exploiting both technical and human vulnerabilities. The use of fake app store portals, encrypted communication, and SMS-based propagation makes detection challenging and amplifies risk for individual and enterprise users. Rapid evolution and high campaign volume signal an urgent need for enhanced mobile security and robust user awareness.
Attack Path Analysis
The attack began when users were tricked into sideloading a malicious Android app disguised as popular services via phishing websites and Telegram channels. Upon installation, the spyware abused permissions to become the default SMS handler and gain extended device access. Using its position, it harvested sensitive data and could propagate itself by sending malicious SMS messages to contacts. The infected device established encrypted command and control communications with attacker infrastructure, receiving commands and exfiltrating harvested data. Data such as SMS, call logs, notifications, and device info were sent out to the C2 server over encrypted channels. The impact included large-scale surveillance, data theft, and the risk of further victim propagation via SMS and phone features.
Kill Chain Progression
Initial Compromise
Description
Victims were enticed to sideload malicious APKs impersonating legitimate apps, often through phishing portals or Telegram channels.
Related CVEs
CVE-2025-48561 (CVSS 7.5)
An exploit known as 'Pixnapping' allows unauthorized screen reading on certain Android devices, leading to potential data theft.
Affected Products:
Google Pixel – 6, 7, 8, 9
Samsung Galaxy S – 25
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Drive-by Compromise
Download New Code at Runtime
Deliver Malicious App via Authorized App Store
Access Sensitive Data in Device Logs
Capture SMS Messages
Location Tracking
Hijack Execution Flow
Broadcast Intent Abuse
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Controls for Cardholder Data
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management – Protection against Malicious Activity
Control ID: Article 5(2)(c)
CISA Zero Trust Maturity Model 2.0 – Continuous Monitoring and Authentication
Control ID: Identity - Continuous Authentication
NIS2 Directive – Supply Chain Security and Secure Acquisition of ICT Products
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
ClayRat mobile spyware targeting SMS handlers and call logs poses critical risks to telecom infrastructure and customer communications security.
Financial Services
Android spyware intercepting SMS authentication and notifications threatens mobile banking security, two-factor authentication, and financial transaction integrity.
Health Care / Life Sciences
Mobile spyware capturing sensitive communications and device data violates HIPAA compliance requirements for protected health information transmission.
Government Administration
Spyware campaign with 600+ samples targeting mobile devices threatens government communications, classified data access, and national security operations.
Sources
- New Android spyware ClayRat imitates WhatsApp, TikTok, YouTube (BleepingComputer): https://www.bleepingcomputer.com/news/security/new-android-spyware-clayrat-imitates-whatsapp-tiktok-youtube/ (Verified)
- ClayRat Android Spyware Campaign Exposed | Zimperium (TechNadu): https://www.technadu.com/clayrat-spyware-campaign-targets-android-users-via-telegram-and-fake-whatsapp-tiktok-youtube-sites/611123/ (Verified)
- ClayRat Android spyware evolves, threatens full device takeover (SC Media): https://www.scworld.com/brief/clayrat-android-spyware-evolves-threatens-full-device-takeover (Verified)
- ClayRat campaign uses Telegram and phishing sites to distribute Android spyware (Security Affairs): https://securityaffairs.com/183169/malware/clayrat-campaign-uses-telegram-and-phishing-sites-to-distribute-android-spyware.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud Network Security Framework controls like Zero Trust Segmentation, Egress Policy Enforcement, Threat Detection, and East-West Security could have limited, detected, or blocked ClayRat’s propagation, C2 activity, and exfiltration attempts across hybrid and multicloud environments. Proactive policy controls and monitored network segmentation would have curtailed the attack’s progression and lateral spread.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious behaviors or new device/application anomalies are detected early.
Control: Zero Trust Segmentation
Mitigation: Lateral access to sensitive cloud-connected workloads or services is restricted.
Control: East-West Traffic Security
Mitigation: Unusual internal communication patterns are detected and blocked.
Control: Inline IPS (Suricata)
Mitigation: Malicious or suspicious C2 traffic is detected and actively blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are restricted and alerted on by strict egress controls.
Attack progression and scope are contained via automated, distributed enforcement.
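The SMS self-propagation described in the Attack Path Analysis (mass messages from an infected device to its contacts) is exactly the kind of behaviour the "Threat Detection & Anomaly Response" control above is meant to surface. The following is an added example, not code from the page, from Zimperium, or from any CNSF product: it parses constructed SMS send events (assumed format: timestamp, device id, recipient, message body, as an MDM or carrier gateway might export them) and raises one alert per device whose fan-out to distinct recipients within a sliding window exceeds a threshold, also reporting what share of those messages carried a link. The event format, device ids, numbers and URLs are all constructed for the example.

```python
"""Flag worm-like SMS fan-out from a device (added example; constructed input)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample SMS send events (not real telemetry). Assumed format:
# <ISO-8601 timestamp> <device id> <recipient> <message body>
SAMPLE_LOG = """\
2025-10-10T09:00:01Z dev-001 +79990000001 running late, start without me
2025-10-10T09:02:40Z dev-001 +79990000001 ok, 10 min
2025-10-10T09:05:12Z dev-003 +79990000020 lunch?
2025-10-10T09:06:00Z dev-002 +79990000010 look at this video https://video-share.invalid/a
2025-10-10T09:06:02Z dev-002 +79990000011 look at this video https://video-share.invalid/a
2025-10-10T09:06:03Z dev-002 +79990000012 look at this video https://video-share.invalid/a
2025-10-10T09:06:05Z dev-002 +79990000013 look at this video https://video-share.invalid/a
2025-10-10T09:06:07Z dev-002 +79990000014 look at this video https://video-share.invalid/a
2025-10-10T09:06:09Z dev-002 +79990000015 look at this video https://video-share.invalid/a
2025-10-10T09:07:30Z dev-003 +79990000021 lunch?
2025-10-10T09:08:45Z dev-003 +79990000022 lunch?
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\+\d+)\s+(.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass(frozen=True)
class SmsEvent:
    ts: datetime
    device: str
    recipient: str
    body: str


def parse_events(text: str) -> list[SmsEvent]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_s, device, recipient, body = m.groups()
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        events.append(SmsEvent(ts, device, recipient, body))
    events.sort(key=lambda e: e.ts)
    return events


def detect_propagation(events, window=timedelta(minutes=10), min_recipients=5):
    """Return one alert per device whose distinct recipients within `window`
    reach `min_recipients`. Normal users rarely message many new numbers in a
    few minutes; a self-spreading SMS payload does exactly that."""
    recent = defaultdict(deque)  # device -> (ts, recipient, has_url) in window
    alerts = {}
    for e in events:
        q = recent[e.device]
        q.append((e.ts, e.recipient, bool(URL_RE.search(e.body))))
        while q and e.ts - q[0][0] > window:  # drop events older than window
            q.popleft()
        distinct = {r for _, r, _ in q}
        if len(distinct) >= min_recipients and e.device not in alerts:
            with_url = sum(1 for _, _, u in q if u)
            alerts[e.device] = {
                "device": e.device,
                "triggered_at": e.ts.isoformat(),
                "distinct_recipients": len(distinct),
                "messages_in_window": len(q),
                "url_share": round(with_url / len(q), 2),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_propagation(parse_events(SAMPLE_LOG)):
        print(alert)
```

Repeated messages to the same number do not raise the count, so a chatty but normal conversation (dev-001 above) stays below threshold; the window and recipient threshold are the tuning knobs, and a high `url_share` on a triggered device is the secondary signal that the burst is a lure rather than, say, a group invitation.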
Impact at a Glance
Affected Business Functions
- User Data Security
- Communication Services
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data including SMS messages, call logs, and photos due to unauthorized access by the ClayRat spyware.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation and east-west network security to prevent malware propagation and restrict internal lateral movement.
- Enforce outbound network controls such as FQDN filtering and application-aware egress policies to block C2 channels and data exfiltration.
- Deploy real-time threat detection and anomaly response to rapidly discover new malware behaviors and suspicious flows across cloud and hybrid environments.
- Utilize inline IPS and distributed policy enforcement to block signature-based and behavioral attack traffic before impact.
- Maintain centralized multicloud visibility and ongoing policy audits to ensure distributed cloud workloads and user devices adhere to least privilege and strong security baselines.