{"id":3332,"date":"2025-10-13T09:47:31","date_gmt":"2025-10-13T09:47:31","guid":{"rendered":"https:\/\/cert-mu.govmu.org\/cert-mu\/?page_id=3332"},"modified":"2025-10-13T09:48:17","modified_gmt":"2025-10-13T09:48:17","slug":"clayrat-android-malware-masquerades-as-whatsapp-google-photos","status":"publish","type":"page","link":"https:\/\/cert-mu.govmu.org\/cert-mu\/?page_id=3332","title":{"rendered":"ClayRat Android Malware Masquerades as WhatsApp &#038; Google Photos"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"3332\" class=\"elementor elementor-3332\" data-elementor-post-type=\"page\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ad1011c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ad1011c\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e891710\" data-id=\"e891710\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-84cec24 elementor-widget elementor-widget-text-editor\" data-id=\"84cec24\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>ClayRat, a rapidly evolving Android spyware campaign, has surged in activity over the past three months, with zLabs researchers observing more than 600 unique samples and 50 distinct droppers.<\/p><p>Primarily targeting Russian users, the malware masquerades as popular applications such as WhatsApp, Google Photos, TikTok, and YouTube, luring victims into installing malicious APKs via deceptive Telegram channels and phishing websites.<\/p><p>Once installed, ClayRat exfiltrates SMS messages, 
call logs, notifications, and detailed device information; captures photos with the front-facing camera; and even sends SMS messages or places calls directly from the victim\u2019s device, turning each infection into a potent surveillance and distribution hub.<\/p><p>The campaign relies on a sophisticated mix of social engineering and web-based deception to exploit user trust.<\/p><p>Attackers register lookalike domains, such as one hosting a fake GdeDPS landing page, to redirect visitors to Telegram channels where the malicious APK is hosted.<\/p><p>Read More:<\/p><p><a href=\"https:\/\/gbhackers.com\/clayrat-android-malware\/\">https:\/\/gbhackers.com\/clayrat-android-malware\/<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>ClayRat, a rapidly evolving Android spyware campaign, has surged in activity over the past three months, with zLabs researchers observing more than 600 unique samples and 50 distinct droppers. Primarily targeting Russian users, the malware masquerades as popular applications such as WhatsApp, Google Photos, TikTok, and YouTube, luring victims into installing malicious APKs via deceptive Telegram channels and phishing websites. 
Once installed, ClayRat exfiltrates SMS messages, call logs, notifications, and detailed device information; captures photos with the front-facing camera; and even sends SMS messages or places calls directly from the victim\u2019s device, turning each infection into a potent surveillance and\u2026<\/p>\n","protected":false},"author":7,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-3332","page","type-page","status-publish","hentry"],"blocksy_meta":"","_links":{"self":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages\/3332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3332"}],"version-history":[{"count":4,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages\/3332\/revisions"}],"predecessor-version":[{"id":3337,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages\/3332\/revisions\/3337"}],"wp:attachment":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}