Zimperium's ClayRat Spyware: New Android Threats

5 Dec 2025

Zimperium's zLabs team has uncovered a new, enhanced version of the ClayRat spyware on Android devices. Building upon research initially presented in October 2025, this sophisticated iteration poses a significant threat by advancing its capabilities and stealth compared to its predecessor.

Initially, ClayRat was identified for its ability to clandestinely gather SMS messages, call logs, and other personal data, turning compromised devices into potential hubs for distribution.

Enhanced Functionalities Increase Threat Level

The latest variant marks a considerable escalation, utilizing Default SMS privileges and Accessibility Services to compromise device security further. This version can now capture lock-screen credentials and activate the device without user input. By using the MediaProjection API, it records screens and uses deceptive overlays to prevent detection. Additionally, it can simulate taps, making it harder for users to shut down or remove the application. The spyware also generates false notifications to intercept and exfiltrate responses.

This expanded range of abilities allows for complete control over infected devices, elevating the risk posed to corporate data and private information. The capacity to capture sensitive data like corporate credentials and MFA codes through hijacked communication channels makes it a serious concern for organizations.

Phishing and Social Engineering Tactics

ClayRat continues to exploit phishing tactics, disguising itself as well-known apps, including popular video

ClayRat continues to exploit phishing tactics, disguising itself as well-known apps, including popular video and messaging platforms. It also targets region-specific services such as certain Russian taxi and parking applications.

The distribution heavily relies on phishing webpages and sideloaded APKs, with platforms like Dropbox frequently used as vectors. Zimperium’s telemetry indicates over 700 unique APKs related to ClayRat have emerged in a short period.

Implications for BYOD Policies

According to Vishnu Pratapagiri, lead researcher at zLabs, “ClayRat’s evolution shows exactly why enterprises need protection that works at the device level, not just network-based.” With its ability to exploit Android functions and conceal malicious operations, ClayRat turns Android devices into compromised endpoints, rendering traditional defenses ineffective.

The increasing sophistication of ClayRat underscores the vulnerability of mobile devices, particularly in "Bring Your Own Device" (BYOD) environments. Enterprises are urged to remain vigilant and consider ClayRat's advancing capabilities as a stark warning. Zimperium is continually monitoring these developments and sharing threat information with industry partners.

Show full press release

Building on earlier research published in October 2025, Zimperium announced that its zLabs team has uncovered a significantly enhanced variant of ClayRat, an Android spyware family first detailed in the technical brief “ClayRat: A New Android Spyware Targeting Russia”.

While the original ClayRat strain was able to exfiltrate SMS messages, call logs, notifications, device data, take photos, and send mass SMS or place calls, effectively allowing infected devices to become distribution hubs. The newly observed variant demonstrates a substantial escalation in functionality and stealth. The updated strain abuses both Default SMS privileges and Accessibility Services, enabling it to:

Capture lock-screen credentials (PIN, password, or pattern) and automatically unlock the device.
Record the screen via the MediaProjection API.
Present deceptive overlays (for example, fake system-update prompts) to prevent user detection.
Programmatically initiate taps — blocking the user from powering down or uninstalling the malicious app.
Generate fake or interactive notifications, then intercept and exfiltrate responses.

This expanded functionality enables full device takeover, making ClayRat far more dangerous than the version first reported, especially since victims may no longer detect or easily remove the malware. The updated behavior also increases the risk to corporate endpoints: compromised devices could leak corporate credentials, MFA codes, or sensitive enterprise data through hijacked SMS, notification flows, or screen captures.

Reliant on phishing webpages

The malware continues to leverage social engineering at scale. As before, ClayRat masquerades as legitimate, widely used applications and services, including major video and messaging platforms, as well as localised or regional services (for example, certain Russian taxi or parking apps).

Distribution remains heavily reliant on phishing webpages and sideloaded APKs, including via cloud-storage platforms such as Dropbox. According to zLabs telemetry, more than 700 unique APKs tied to ClayRat have already been identified in a short time window.

BYOD environments

“ClayRat’s evolution shows exactly why enterprises need protection that works at the device level, not just network-based,” said Vishnu Pratapagiri, lead researcher at zLabs. “By abusing Accessibility Services and overlay tricks, this variant turns Android devices into fully compromised endpoints and conventional defenses may not be enough.”

As ClayRat continues to evolve, expanding its spyware, remote-control, and lock-screen manipulation capabilities, enterprises should treat this campaign as a critical reminder: mobile devices, especially in BYOD environments, remain among the most vulnerable entry points for attackers. Zimperium continues to monitor ClayRat and share relevant indicators of compromise with industry partners.

Download PDF version Download PDF version

Add as a preferred source on Google