Zimperium - Experts & Thought Leaders

Latest Zimperium news & announcements

Zimperium's ClayRat Spyware: New Android Threats

Building on earlier research published in October 2025, Zimperium announced that its zLabs team has uncovered a significantly enhanced variant of ClayRat, an Android spyware family first detailed in the technical brief “ClayRat: A New Android Spyware Targeting Russia”. The original ClayRat strain was able to exfiltrate SMS messages, call logs, notifications, and device data, take photos, and send mass SMS or place calls, effectively allowing infected devices to become distribution hubs. The newly observed variant demonstrates a substantial escalation in functionality and stealth.

The updated strain abuses both Default SMS privileges and Accessibility Services, enabling it to:

- Capture lock-screen credentials (PIN, password, or pattern) and automatically unlock the device.
- Record the screen via the MediaProjection API.
- Present deceptive overlays (for example, fake system-update prompts) to prevent user detection.
- Programmatically initiate taps, blocking the user from powering down or uninstalling the malicious app.
- Generate fake or interactive notifications, then intercept and exfiltrate responses.

This expanded functionality enables full device takeover, making ClayRat far more dangerous than the version first reported, especially since victims may no longer detect or easily remove the malware. The updated behavior also increases the risk to corporate endpoints: compromised devices could leak corporate credentials, MFA codes, or sensitive enterprise data through hijacked SMS, notification flows, or screen captures.

Reliant on phishing webpages

The malware continues to leverage social engineering at scale. As before, ClayRat masquerades as legitimate, widely used applications and services, including major video and messaging platforms, as well as localised or regional services (for example, certain Russian taxi or parking apps). Distribution remains heavily reliant on phishing webpages and sideloaded APKs, including via cloud-storage platforms such as Dropbox. According to zLabs telemetry, more than 700 unique APKs tied to ClayRat have already been identified in a short time window.

BYOD environments

“ClayRat’s evolution shows exactly why enterprises need protection that works at the device level, not just network-based,” said Vishnu Pratapagiri, lead researcher at zLabs. “By abusing Accessibility Services and overlay tricks, this variant turns Android devices into fully compromised endpoints and conventional defenses may not be enough.”

As ClayRat continues to evolve, expanding its spyware, remote-control, and lock-screen manipulation capabilities, enterprises should treat this campaign as a critical reminder: mobile devices, especially in BYOD environments, remain among the most vulnerable entry points for attackers. Zimperium continues to monitor ClayRat and share relevant indicators of compromise with industry partners.

Zimperium's New CFO Boosts Mobile Security Growth

Zimperium, the world's pioneer in mobile security, announced that Alistaire Davidson has joined the company as Chief Financial Officer, reporting directly to CEO Shridhar Mittal. Alistaire brings more than 20 years of finance leadership experience across private equity–backed and public software companies.

Alistaire most recently served as Regional CFO, Americas at The Access Group, where he led the post-acquisition integration of two strategic business units. Prior to The Access Group, he held progressive finance leadership roles at AVEVA, supporting the company’s SaaS transition across the Americas and driving a global services transformation that delivered significant margin improvements.

Zimperium’s continued expansion

“Alistaire’s deep financial expertise and proven ability to scale global software organizations make him a strong addition to our leadership team,” said Shridhar Mittal, CEO of Zimperium. “As demand for mobile security continues to accelerate worldwide, his leadership will be instrumental in guiding Zimperium through our next phase of growth.”

As CFO, Alistaire will oversee financial strategy, planning, operations, and performance management to support Zimperium’s continued expansion across global markets.

Zimperium Uncovers Risks In Android Apps

Zimperium, the global pioneer in mobile security, revealed findings from its zLabs team showing that thousands of popular Android applications, including top travel, airline, and weather apps, are still using an outdated mapping component that could put users and enterprises at risk.

The investigation, titled “Follow the Map to Enterprise Risk: What’s Inside Popular Android Apps,” found that a legacy library known as libmapbox-gl.so, once part of Mapbox GL Native, remains embedded in thousands of active apps despite being deprecated in 2023. The outdated library includes older code versions containing known security flaws, issues that could be exploited to compromise devices, steal data, or disrupt app functionality.

Strengthening app ecosystem security

Zimperium continues to work closely with Google through the App Defense Alliance (ADA) to strengthen app ecosystem security. While there is currently no evidence of active exploitation, developers using the archived Mapbox GL Native SDK are strongly encouraged to migrate to Mapbox Maps SDK v10+ or MapLibre to maintain app security and integrity.

“These vulnerabilities transform everyday apps into potential attack vectors,” said Nico Chiaraviglio, Chief Scientist at Zimperium, adding, “When trusted applications ship with outdated components, it creates blind spots that can expose both users and enterprises. Our mission is to help organizations gain visibility into these hidden risks — so they can protect the mobile apps and devices that power their business.”

Zimperium’s analysis revealed:

- Thousands of Android apps still contain the vulnerable library.
- 40% of affected apps rank among the top 20 in their Play Store categories.
- Many are installed on employee devices, posing serious BYOD and enterprise exposure.
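
For teams that want to inventory their own app builds for the library named above, the following is an added example, not code from Zimperium or Mapbox. It relies on the standard APK layout (`lib/<abi>/<name>.so`) and also follows split APKs inside a bundle; the sample archives and their file names are constructed placeholders.

```python
import io
import zipfile

LEGACY_LIB = "libmapbox-gl.so"  # file name taken from the article


def find_legacy_lib(data, lib_name=LEGACY_LIB, where="(top level)", depth=0):
    """Return sorted (container, abi) pairs where lib_name is packaged.

    data holds the bytes of an APK, or of a bundle of split APKs; nested
    .apk entries are followed up to two levels deep.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a ZIP container, nothing to inspect
    hits = set()
    with archive:
        for info in archive.infolist():
            parts = info.filename.split("/")
            # Native code is packaged as lib/<abi>/<name>.so inside an APK.
            if len(parts) == 3 and parts[0] == "lib" and parts[2] == lib_name:
                hits.add((where, parts[1]))
            elif info.filename.endswith(".apk") and depth < 2:
                hits.update(find_legacy_lib(archive.read(info), lib_name,
                                            info.filename, depth + 1))
    return sorted(hits)


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: file contents are placeholders, not real libraries.
CLEAN = make_zip({"AndroidManifest.xml": b"", "lib/arm64-v8a/libapp.so": b"\x7fELF"})
AFFECTED = make_zip({"lib/arm64-v8a/libmapbox-gl.so": b"\x7fELF",
                     "lib/x86_64/libmapbox-gl.so": b"\x7fELF"})
SPLIT = make_zip({"lib/armeabi-v7a/libmapbox-gl.so": b"\x7fELF"})
BUNDLE = make_zip({"base.apk": CLEAN, "split_config.armeabi_v7a.apk": SPLIT})

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("affected", AFFECTED), ("bundle", BUNDLE)]:
        print(label, find_legacy_lib(blob))
```

A hit only shows that a file with that name is packaged; which version of the library it contains has to be confirmed separately before treating the app as affected.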