Application security, Threat Intelligence

Popular apps spoofed to deploy novel ClayRat Android spyware

Multiple phishing sites masquerading as TikTok, YouTube, WhatsApp, and Google Photos, as well as Telegram channels, have facilitated the deployment of the new ClayRat spyware against Android users across Russia, according to The Hacker News.

Attackers have used both the phishing sites and the Telegram channels to lure users into downloading APK files that deliver the malware, which seeks default SMS app permissions to enable covert collection of call logs, notifications, and text messages, a report from Zimperium showed.

ClayRat permitted not only phone calls and device data collection but also photo capture and delivery of the installed app list to the attacker-controlled command-and-control server.

"To bypass platform restrictions and the added friction introduced in newer Android versions, some ClayRat samples act as droppers: the visible app is merely a lightweight installer that displays a fake Play Store update screen, while the actual encrypted payload is hidden within the app's assets," said Zimperium researcher Vishnu Pratapagiri.

Google has assured Android users of the defenses provided by Google Play Protect.
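
A defensive triage check for the dropper layout described in the Zimperium quote, written as an added example and not taken from Zimperium's or SC Media's material: it lists files under `assets/` in an APK whose byte entropy is close to random, as an encrypted payload's would be. The threshold, size floor, extension list and sample file names are assumptions, and the sample APK is constructed in memory.

```python
import io
import math
import os
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cutoff, tune on your own corpus
MIN_SIZE = 4096           # ignore tiny files, whose entropy estimate is noisy
# Formats that are already compressed and therefore naturally high-entropy.
COMPRESSED_EXT = {".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".mp4", ".ogg", ".zip", ".gz"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def suspicious_assets(apk_bytes: bytes):
    """Return [(name, size, entropy)] for opaque high-entropy files under assets/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if not name.startswith("assets/") or info.is_dir():
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in COMPRESSED_EXT or info.file_size < MIN_SIZE:
                continue
            entropy = shannon_entropy(apk.read(name))
            if entropy >= ENTROPY_THRESHOLD:
                findings.append((name, info.file_size, round(entropy, 2)))
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: one text asset, one random (ciphertext-like) blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/strings.json", b'{"title": "Update"}' * 400)
        z.writestr("assets/data.bin", os.urandom(64 * 1024))  # placeholder for an encrypted payload
    return buf.getvalue()

if __name__ == "__main__":
    for name, size, entropy in suspicious_assets(build_sample_apk()):
        print(f"{name}: {size} bytes, entropy {entropy} bits/byte")
```

High entropy alone is not proof of a hidden payload, since legitimately compressed data scores the same; treat a hit as a reason to inspect the app's install and SMS-role requests more closely.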
