Latest ClayRat spyware attacks Android users via fake WhatsApp and TikTok apps
“New spyware known as ClayRat attacks Android users through fake WhatsApp and TikTok apps.”
ClayRat, a rapidly evolving Android espionage operation, has used a group of similar phishing sites and Telegram channels to target users in Russia, posing as well-known apps like YouTube, WhatsApp, Google Photos, and TikTok to trick them into installing it.
“Once activated, the spyware may take photos with the front camera, send SMS or make calls directly from the victim’s phone, and exfiltrate SMS messages, call logs, notifications and device information,” Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News.
In addition, the malware spreads by sending malicious URLs to every contact in the victim’s phone book, which indicates that the attackers are aggressively using infected devices as a distribution channel.
The mobile security company said it has detected at least 600 samples and 50 droppers in the past 90 days, with each iteration adding new layers of obfuscation to evade detection and stay ahead of security defenses. The malware’s name refers to the command-and-control (C2) panel that can be used to remotely manage compromised devices.
Unsuspecting users are redirected from these fraudulent sites to adversary-controlled Telegram channels, where fabricated certificates and inflated download numbers are presented as evidence of popularity to trick them into downloading APK files.
In some cases, fraudulent websites claiming to provide ‘YouTube Plus’ with premium features have been found to host APK files that bypass Google’s security measures, which prevent software from sideloading on devices running Android 13 and above.
“Some ClayRat examples serve as tools to circumvent platform limitations and additional friction caused by newer Android versions: the visible app is simply a lightweight installer that displays a fake Play Store update page, while the actual encrypted payload is hidden within the app assets,” Zimperium said. “A session-based installation strategy enhances the likelihood of malware being installed while visiting a web page while reducing the perceived risk.”
After installation, ClayRat connects to its C2 infrastructure via standard HTTP and prompts users to set it as their default SMS application in order to access private information and messaging features. This allows ClayRat to secretly record call logs, text messages, and notifications and spread the malware to all other contacts.
The malware may also make phone calls, obtain device information, take photos using the device’s camera, and send a list of all downloaded applications to the C2 server, among other things.
In addition to its monitoring capabilities, ClayRat poses a serious threat because it can automatically turn an infected device into a distribution node, allowing threat actors to rapidly expand their reach without requiring human involvement.
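The behaviours described above (the default SMS handler role, SMS, call-log, camera and contact access, and a lightweight installer that delivers the real payload) can be turned into a triage pass over a device's app inventory. This is an added example, not code from Zimperium's report or the original article; the inventory fields, package names, permission mapping and thresholds are assumptions made for illustration.

```python
# Added triage example; the inventory records below are constructed sample data.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for stores you trust
P = "android.permission."
SMS_PERMS = {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"}
# Assumption: behaviours from the article mapped to standard Android permissions.
BEHAVIOUR_PERMS = {
    "SMS access": SMS_PERMS,
    "call-log access": {P + "READ_CALL_LOG"},
    "placing calls": {P + "CALL_PHONE"},
    "camera capture": {P + "CAMERA"},
    "contact harvesting": {P + "READ_CONTACTS"},
    "installing other APKs": {P + "REQUEST_INSTALL_PACKAGES"},
}

def triage(app, default_sms_pkg):
    """Score one inventory record against the behaviours listed above."""
    perms = set(app["permissions"])
    hits = sorted(b for b, needed in BEHAVIOUR_PERMS.items() if perms & needed)
    sideloaded = not app["system"] and app["installer"] not in TRUSTED_INSTALLERS
    holds_sms_role = app["package"] == default_sms_pkg
    # Review sideloaded apps that hold the default-SMS role, or that pair SMS
    # access with at least two other capabilities from the table.
    flagged = sideloaded and (holds_sms_role or ("SMS access" in hits and len(hits) >= 3))
    return {"package": app["package"], "flagged": flagged, "behaviours": hits}

def packages_to_review(inventory, default_sms_pkg):
    """Flagged apps plus any untrusted user app that installed one (possible dropper)."""
    by_pkg = {a["package"]: a for a in inventory}
    flagged = {a["package"] for a in inventory if triage(a, default_sms_pkg)["flagged"]}
    parents = {by_pkg[p]["installer"] for p in flagged}
    droppers = {i for i in parents if i in by_pkg and i not in TRUSTED_INSTALLERS
                and not by_pkg[i]["system"]}
    return sorted(flagged | droppers)

INVENTORY = [  # constructed records: package, installer, system flag, permissions
    {"package": "com.example.dialer", "installer": None, "system": True,
     "permissions": [P + "CALL_PHONE", P + "READ_CALL_LOG", P + "READ_SMS"]},
    {"package": "com.example.chat", "installer": "com.android.vending", "system": False,
     "permissions": [P + "CAMERA", P + "READ_CONTACTS", P + "READ_SMS"]},
    {"package": "com.example.updater", "installer": None, "system": False,
     "permissions": [P + "REQUEST_INSTALL_PACKAGES"]},
    {"package": "com.example.videoplus", "installer": "com.example.updater", "system": False,
     "permissions": [P + "READ_SMS", P + "SEND_SMS", P + "READ_CALL_LOG",
                     P + "CALL_PHONE", P + "CAMERA", P + "READ_CONTACTS"]},
    {"package": "com.example.torch", "installer": None, "system": False,
     "permissions": [P + "CAMERA"]},
]
```

A hit from this pass is a prompt for manual review, not a verdict: legitimate sideloaded messaging or backup apps can match the same profile.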

Researchers from the University of Luxembourg and Cheikh Anta Diop University discovered that pre-installed apps on low-cost Android smartphones sold in Africa have higher privileges, and that a vendor-provided package sends device identifiers and location information to a third party.
“145 apps (9%) expose sensitive data, 249 (16%) expose critical components without adequate safeguards, and many of them present additional risks: 226 apps execute privileged or dangerous commands, 79 apps interact with SMS messages (read, send, or delete), and 33 perform silent installs,” according to the study, which looked at 1,544 APK files collected from seven African smartphones.
About the author
Suraj Kohli is a content specialist in technical writing about cybersecurity and information security. He has written many articles related to cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.



