
ClayRat Spyware Campaign Targets Android Users in Russia

3 unique sources, 5 articles

Summary


A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 700 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim's phone.

The spyware's operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat's most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact.

The latest version of ClayRat introduces far broader capabilities by combining default SMS privileges with extensive abuse of Accessibility Services. Key functions include a keylogger that captures PINs, passwords, and patterns, full screen recording through the MediaProjection API, overlays that disguise malicious activity, and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions.

A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status.

Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.

Timeline

  1. 08.12.2025 18:45 1 article · 23h ago

    ClayRat Expands Capabilities with Keylogging and Screen Recording

    The latest iteration of ClayRat includes a keylogger that captures PINs, passwords, and patterns. It uses the MediaProjection API for full screen recording, employs overlays to disguise malicious activity, and uses automated taps to block users from shutting down the device or deleting the app. ClayRat mimics well-known services and has been distributed through more than 700 unique APKs found on phishing sites and platforms like Dropbox. Over 25 active phishing domains have been observed, including sites impersonating YouTube and a car diagnostics tool. ClayRat prompts users to grant SMS control and then guides them to enable Accessibility Services, automatically disabling the Play Store to bypass Google Play Protect. The spyware monitors lock-screen activity to reconstruct PIN, password, or pattern entries, collects replies to fake notifications, and harvests active alerts.

  2. 11.11.2025 13:44 1 article · 28d ago

    Fantasy Hub MaaS Product Sold on Telegram Channels

    Fantasy Hub is a new Android RAT sold as a MaaS product on Russian-speaking Telegram channels. It enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status.

  3. 09.10.2025 15:30 5 articles · 2mo ago

    ClayRat Spyware Campaign Targets Android Users in Russia

    ClayRat uses AES-GCM encryption for its C2 communications in its latest versions. ClayRat can capture notifications and push data from infected devices. ClayRat can fetch a proxy WebSocket URL, append the device ID, and initialize a connection object. ClayRat can resend an SMS to a number received from the C2 server. ClayRat uses a session-based installation method to bypass Android 13+ restrictions and reduce user suspicion. Fantasy Hub, a new Android RAT, is sold as a MaaS product on Russian-speaking Telegram channels, enabling device control and espionage, and abusing the default SMS privileges to obtain access to SMS messages, contacts, camera, and files. The latest version of ClayRat introduces far broader capabilities by combining default SMS privileges with extensive abuse of Accessibility Services. Key functions include a keylogger that captures PINs, passwords, and patterns, full screen recording through the MediaProjection API, overlays that disguise malicious activity, and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions.


Similar Happenings

New Android Malware Families FvncBot, SeedSnatcher, and Enhanced ClayRat Target Financial and Cryptocurrency Data

Researchers have identified three new or enhanced Android malware families: FvncBot, SeedSnatcher, and an upgraded version of ClayRat. FvncBot targets Polish mobile banking users with keylogging, web-inject attacks, and hidden virtual network computing (HVNC) capabilities. SeedSnatcher steals cryptocurrency wallet seed phrases and intercepts SMS messages for 2FA codes. The updated ClayRat now abuses accessibility services for full device takeover, including screen recording and notification harvesting. These malware families use advanced techniques to evade detection and escalate privileges.

Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information.

Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud

A new Android malware named Albiriox, operating under a malware-as-a-service (MaaS) model, targets over 400 applications for on-device fraud (ODF), screen manipulation, and real-time device interaction. The malware uses dropper applications distributed through social engineering lures and packing techniques to evade detection. It leverages a custom builder and a third-party crypting service to bypass antivirus and mobile security solutions. The primary goal is to seize control of mobile devices and conduct fraudulent actions while remaining undetected. The malware has been advertised on cybercrime forums, with evidence suggesting Russian-speaking threat actors. Initial campaigns have targeted Austrian victims using German-language lures and fake Google Play Store app listings. The malware's subscription access launched at $650 per month before rising to $720 after October 21.

Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials

Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.

Malicious Android apps on Google Play downloaded 42 million times

Between June 2024 and May 2025, 239 malicious Android apps on Google Play were downloaded over 42 million times. These apps primarily targeted mobile payments and financial information using various social engineering techniques. The manufacturing and energy sectors saw significant increases in mobile attacks, with the energy sector recording a 387% annual increase. The geographic impact highlighted substantial increases in attacks targeting India, the United States, and Canada, with notable spikes in Italy and Israel. IoT devices, particularly routers, were also heavily targeted, with Mirai and Gafgyt malware variants accounting for 75% of all blocked IoT requests. The shift to social engineering attacks reflects improved security standards in traditional payment methods. Zscaler observed a 67% year-over-year growth in mobile malware, with banking malware reaching 4.89 million transactions in 2025. Three notable malware families—Anatsa, Android Void, and Xnotice—were highlighted for their impact on Android users.