In the past 90 days, Zimperium has detected no less than 600 malware samples and 50 "decoy" applications, showing that attackers are constantly improving and adding new layers of camouflage to evade security software (Illustration: THN).
Hackers use a familiar but extremely effective trick: Creating fake versions of the most popular apps like WhatsApp, TikTok, Google Photos and YouTube to trick users into installing them.
The campaign uses a combination of Telegram channels and phishing websites to spread the malware.
According to a report from cybersecurity firm Zimperium, ClayRat's attack chain was very well-orchestrated.
First, users are lured to fake websites that promise to offer “Plus” versions of the app with premium features such as YouTube Plus.
From these sites, victims are directed to attacker-controlled Telegram channels, where they use tricks such as artificially inflating download counts and pushing fake testimonials to make the app appear trustworthy.
The victim is then tricked into downloading and installing an APK file containing the ClayRat malware.
"Once successfully infiltrated, this spyware can steal SMS messages, call logs, notifications and device information; secretly take photos with the front camera and even automatically send messages or make calls from the victim's own device," said cybersecurity expert Vishnu Pratapagiri of Zimperium Company.
The scariest part of ClayRat is not just the data theft. Designed to replicate itself, the malware will automatically send malicious links to everyone in the victim's contact list, turning the infected phone into a virus spreading node, allowing attackers to scale without manual intervention.
Over the past 90 days, Zimperium has detected no fewer than 600 malware samples and 50 "decoy" apps, showing that attackers are constantly improving, adding new layers of camouflage to evade security software.
Overcoming barriers
For devices running Android 13 and above with tightened security measures, ClayRat uses a more sophisticated trick. The fake app initially appears as just a lightweight installer.
When launched, it displays a fake Play Store update screen, while silently downloading and installing the main encrypted malware hidden inside.
Once installed, ClayRat will ask the user to grant permission to become the default SMS app so that it can fully access and control messages and call logs.
The emergence of ClayRat is part of a more worrying trend in security across the Android ecosystem.
Recently, a study from the University of Luxembourg also showed that many cheap Android smartphones sold in Africa have pre-installed applications that operate with high privileges, silently sending users' identification and location data to third parties.
Google said Android users will be automatically protected from known versions of this malware through Google Play Protect, a feature that is enabled by default on devices with Google Play Services.
However, the threat from new variants and unofficial installation sources remains a warning to all users.
Source: https://dantri.com.vn/cong-nghe/canh-bao-chien-dich-bien-dien-thoai-android-thanh-cong-cu-gian-diep-20251013135854141.htm
![[Photo] Solemn opening of the 1st Government Party Congress](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/10/13/1760337945186_ndo_br_img-0787-jpg.webp)
![[Photo] General Secretary To Lam attends the opening of the 1st Government Party Congress](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/10/13/1760321055249_ndo_br_cover-9284-jpg.webp)
Comment (0)