A new iteration of the ClayRat Android spyware featuring expanded surveillance and device-control functions has been identified by cybersecurity researchers.
First seen in October, ClayRat was originally capable of stealing SMS messages, call logs and photos, as well as sending mass texts.
The latest version introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services.
Improved Automation and Keylogging Capabilities
According to a new advisory from Zimperium, the spyware now performs a wide range of automated actions that enable near-total control of an infected device.
Key functions include a keylogger that captures PINs, passwords and patterns.
The update also includes full screen recording through the MediaProjection API, overlays that disguise malicious activity and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions.
Read more on Android malware trends: New Android Albiriox Malware Gains Traction in Dark Web Markets
The team reported that the spyware also mimics well-known services, including global video platforms and regional taxi or parking apps.
More than 700 unique APKs have been found, distributed through phishing sites and platforms like Dropbox.
Researchers have observed over 25 active phishing domains, including sites impersonating YouTube and a car diagnostics tool.
How ClayRat Operates
Once installed, ClayRat prompts users to grant SMS control and then guides them to enable Accessibility Services.
After permissions are granted, it automatically disables the Play Store to bypass Google Play Protect. In addition, its credential-theft process monitors lock-screen activity to reconstruct PIN, password or pattern entries, which are then stored and used to unlock the device through automated gestures.
The spyware also collects replies to fake notifications and harvests active alerts.
To maintain user deception and steal sensitive information, ClayRat deploys several overlays, such as black screens or fake system-update prompts.
Zimperium warned that the campaign poses a serious risk to enterprises because it targets notifications, SMS flows, authentication prompts and screen content.
“In BYOD environments, common across modern workforces, a single infected device can become a conduit for data theft, fraud, and unauthorized access to corporate systems,” the company warned.
“As ClayRat continues to evolve, expanding its spyware, remote-control and lock-screen manipulation capabilities, organizations require mobile security that operates at the device level and cannot be bypassed.”