InfoSecBulletin Cybersecurity for mankind
Zimperium’s zLabs has discovered a fast-spreading Android spyware called ClayRat, which targets users by posing as trusted apps like WhatsApp, Google Photos, TikTok, and YouTube.
Attackers use social engineering to install malware by creating fake websites that resemble official pages. For instance, a fake GdeDPS site was used in one case to deceive visitors. These sites redirect users to Telegram channels like @baikalmoscow, where the malicious app can be downloaded.
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Critical Cisco ISE Vulnerability Enables Remote Code Execution
F5 Patches NGINX Flaw for Code Execution and DoS Attacks
FortiBleed: 70,000 Fortinet Firewalls Compromised Globally
New Rokarolla Android malware hits 217 banking and crypto apps
Phishing Campaign Exploits Legitimate Microsoft Login Flow
ALERT
Cisco SD-WAN Zero-Day, FortiSandbox and cPanel flaws exploited in attacks
“Panthalassa” builds floating AI data centers powered by ocean waves
Critical Wazuh Vuln Enables Alert Tampering and Evidence Deletion
Operators flood channels with fake positive comments and download counts to lower user suspicion before they install the app.
ClayRat, when activated, can steal text messages and call history, take pictures with the front camera, and send texts or make calls without user consent.
zLabs’ research, to be published on Monday, reveals that ClayRat is rapidly expanding. In the past three months, over 600 versions of the spyware and 50 dropper apps that conceal harmful code have been identified.
The large number of unique files and their rapid updates show that the operators frequently change the software to avoid detection by security systems.
Researchers discovered that the malware exploits the default SMS handler on Android devices. This method helps it avoid security warnings and access sensitive data and functions.
The malware sends a harmful text to all contacts in the victim’s phone. The message, often in Russian, says “Узнай первым! <link>” (meaning “Be the first to know! <link>”), making it appear as if it’s from a trusted friend. As recipients click the link, the infection spreads rapidly to other devices, highlighting the malware’s self-propagating nature.
“In many ways, mobile devices have taken us back a decade. In email, we have some protection against compromised users sending phishing lures; however, this doesn’t really exist in SMS. The result is that we artificially trust messages from our contacts, and that may include installing apps from outside Google Play,“ said John Bambenek, President at Bambenek Consulting.
“The key protection for any mobile device user is to only install applications from authorized play/app stores, even if they get a message from an otherwise familiar contact. This type of RAT technology, which allows victim devices to send authentic-looking messages or even make outgoing phone calls, cannot only be used to bypass MFA but to engage in even more sophisticated impersonation attacks,“ he warned.
Zimperium has identified a significant new threat currently affecting Russia, but it may soon target users globally. To safeguard your device against threats like ClayRat, only download apps from the Google Play Store and avoid installing APK files from messages or unfamiliar websites. Always be cautious with links you receive, even from friends, especially if they ask you to install an app or update.
