Latest ClayRat Spyware Attacked Android Users Via Fake WhatsApp and TikTok Apps


ClayRat, a newly documented Android spyware family, is targeting Android users through fake WhatsApp and TikTok apps.

ClayRat, a fast-moving Android spyware operation, targets users in Russia through lookalike phishing websites and Telegram channels that impersonate well-known apps such as YouTube, WhatsApp, Google Photos, and TikTok, tricking victims into installing trojanized versions of them.

Vishnu Pratapagiri, Researcher, Zimperium

“Once activated, the spyware may snap pictures with the front camera, send SMS messages or make calls straight from the victim’s handset, and exfiltrate SMS messages, call logs, notifications, and device information,” Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News.

The malware is also built to propagate: it sends malicious links to every contact in the victim’s address book, turning each infected handset into a distribution channel for the campaign.

Zimperium said it has observed at least 600 samples and 50 droppers in the past ninety days, with each iteration adding new layers of obfuscation to stay ahead of detection. The malware takes its name from the command-and-control (C2) panel used to remotely manage compromised devices.

From these fraudulent websites, unsuspecting users are redirected to Telegram channels under the attackers’ control, where fabricated testimonials and inflated download counts lend the channels an air of legitimacy and coax visitors into downloading APK files.


In some cases, fraudulent sites advertising a “YouTube Plus” build with premium features have been found to serve APK files that circumvent the restrictions Android 13 and later apply to sideloaded apps. Those restrictions do not block sideloading outright; they add friction and extra checks to apps installed from outside an app store, which is exactly what the dropper described next is built to avoid.

Zimperium

“Some ClayRat examples function as droppers to get around platform limitations and the extra friction brought about by more recent Android versions: the visible app is only a lightweight installer that shows a phony Play Store update page, while the actual encrypted payload is concealed within the app’s assets. This session-based installation strategy enhances the possibility that malware may be installed during a webpage visit while decreasing perceived danger.”
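The dropper pattern described above (a thin installer, an encrypted payload hidden under assets/, and an install driven through the PackageInstaller session API) leaves static indicators that can be triaged offline. The Python below is an added example, not Zimperium’s code and not derived from ClayRat samples: it treats an APK as a zip archive, flags non-media assets whose byte entropy sits near 8 bits/byte (typical of encrypted or packed blobs), and searches classes.dex for the type descriptors and string literals that a session-based installer and an SMS-role request reference. The sample APK it builds is constructed in memory for the demonstration; the asset name update.bin, the size floor and the entropy cutoff are assumptions.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Strings a dropper/spyware of this shape tends to carry in its DEX string table.
# DEX stores type descriptors and literals as MUTF-8, so a plain byte search is
# enough for triage (a real tool would walk the string_ids table instead).
DEX_INDICATORS = {
    b"Landroid/content/pm/PackageInstaller$Session;": "session-based install",
    b"Landroid/app/role/RoleManager;": "role request",
    b"android.app.role.SMS": "default SMS role",
    b"Landroid/telephony/SmsManager;": "SMS sending",
}

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0 (assumed cutoff)
MIN_ASSET_SIZE = 4096     # assumed floor: tiny files give noisy entropy estimates
MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".mp4", ".ogg")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage: high-entropy non-media assets plus installer/SMS indicators in DEX."""
    findings = {"suspicious_assets": [], "dex_indicators": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("assets/") and not name.lower().endswith(MEDIA_SUFFIXES):
                ent = shannon_entropy(data)
                if len(data) >= MIN_ASSET_SIZE and ent >= ENTROPY_THRESHOLD:
                    findings["suspicious_assets"].append((name, len(data), round(ent, 2)))
            elif name.endswith(".dex"):
                for needle, meaning in DEX_INDICATORS.items():
                    if needle in data and meaning not in findings["dex_indicators"]:
                        findings["dex_indicators"].append(meaning)
    dropper_like = bool(findings["suspicious_assets"]) and \
        "session-based install" in findings["dex_indicators"]
    findings["verdict"] = "dropper-like" if dropper_like else "no dropper pattern"
    return findings


def build_sample_apk(encrypted_payload: bool = True) -> bytes:
    """Constructed stand-in for an APK (not a real sample): a zip with a fake
    classes.dex carrying the indicator strings and one asset file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        dex = (b"dex\n035\x00"
               b"Landroid/content/pm/PackageInstaller$Session;\x00"
               b"Landroid/app/role/RoleManager;\x00"
               b"android.app.role.SMS\x00")
        z.writestr("classes.dex", dex)
        # os.urandom stands in for an encrypted payload; the benign variant is a
        # low-entropy blob, as a plain-text resource would be.
        payload = os.urandom(64 * 1024) if encrypted_payload else b"A" * (64 * 1024)
        z.writestr("assets/update.bin", payload)
        z.writestr("assets/logo.png", os.urandom(8 * 1024))  # media is skipped on purpose
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_apk(build_sample_apk(encrypted_payload=flag)))
```

The entropy test alone would also fire on legitimate packed resources, which is why the verdict requires the PackageInstaller session indicator as well; treat a hit as a reason to decrypt and inspect the asset, not as a conviction.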

Once installed, ClayRat contacts its C2 infrastructure over plain, unencrypted HTTP and prompts the user to make it the device’s default SMS app. That role is the key to its data access: the default SMS handler receives the SMS permissions together with the role, so ClayRat can read and send text messages without the separate runtime permission prompts a non-default app would trigger. This lets it quietly harvest call logs, text messages, and notifications and push the malicious link to every contact in the address book.
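A responder who suspects a device has been hit can check which package holds the default SMS role and how that package got onto the device. The Python below is an added example, not part of the original article or of Zimperium’s tooling: it parses the output of `adb shell pm list packages -i` (installer attribution), `adb shell pm list packages -3` (third-party apps) and `adb shell cmd role get-role-holders android.app.role.SMS`, and flags an SMS role holder that is a user-installed app not attributed to a trusted store. The command outputs embedded here are constructed for the demonstration, the package name com.whatsapp.update is hypothetical, the set of trusted installers is an assumption to adjust per fleet, and the role-holder output is assumed to list packages separated by semicolons or whitespace.

```python
import re

# Installers a fleet considers trustworthy (assumption: add OEM stores as needed).
# The stock package installer UI is deliberately absent: it is what a browser or
# Telegram download hands an APK to, i.e. the sideloading path.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(pm_output: str) -> dict:
    """`pm list packages -i` lines look like 'package:<pkg>  installer=<pkg|null>'."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_package_list(pm_output: str) -> set:
    """`pm list packages -3` lines look like 'package:<pkg>'."""
    return {line.strip()[len("package:"):] for line in pm_output.splitlines()
            if line.strip().startswith("package:")}


def parse_role_holders(role_output: str) -> list:
    """`cmd role get-role-holders <role>` prints holder package names; assumed to be
    separated by ';' or whitespace, so both forms are accepted."""
    return [p for p in re.split(r"[;\s]+", role_output.strip()) if p]


def check_sms_role(installers: dict, third_party: set, holders: list) -> list:
    """Flag SMS role holders that are user-installed apps without a trusted installer."""
    alerts = []
    for pkg in holders:
        installer = installers.get(pkg)
        if pkg in third_party and installer not in TRUSTED_INSTALLERS:
            alerts.append({
                "package": pkg,
                "installer": installer or "none/adb",
                "reason": "third-party app holds default SMS role without a trusted installer",
            })
    return alerts


# Constructed command output for the demonstration (not captured from a real device);
# com.whatsapp.update is a hypothetical lookalike package name.
PM_LIST_I = """\
package:com.google.android.apps.messaging  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.whatsapp.update  installer=com.google.android.packageinstaller
"""
PM_LIST_3 = """\
package:com.whatsapp
package:com.whatsapp.update
"""
ROLE_SMS = "com.whatsapp.update\n"


def demo() -> list:
    return check_sms_role(parse_installers(PM_LIST_I),
                          parse_package_list(PM_LIST_3),
                          parse_role_holders(ROLE_SMS))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Preinstalled system apps report installer=null, which is why the third-party list is consulted before flagging; a stock messaging app holding the role produces no alert, while a lookalike handed to the device through the package installer UI does.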

The malware can also place phone calls, collect device information, capture images with the front camera, and upload a list of installed apps to the C2 server, among other functions.

Beyond surveillance, ClayRat is dangerous because it automatically turns each infected device into a distribution node, letting the operators expand their reach rapidly without any manual effort per victim.


Separately, researchers from the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed apps on low-cost Android smartphones sold in Africa run with elevated privileges; one vendor-supplied package was observed sending device identifiers and location data to a third party.

“145 applications (9%) disclose sensitive data, 249 (16%) expose critical components without sufficient safeguards, and many present additional risks: 226 execute privileged or dangerous commands, 79 interact with SMS messages (read, send, or delete), and 33 perform silent installation operations,” according to the study, which looked at 1,544 APKs gathered from seven African smartphones.

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security, covering cybersecurity concepts, current trends in cyber awareness, and ethical hacking.
