
Fake WhatsApp app spreads new Android spyware ClayRat


A new wave of Android spyware

A new Android spyware named ClayRat has been discovered, posing as popular apps such as WhatsApp, TikTok, YouTube, and Google Photos. According to security researchers at Zimperium, the malware spreads through fake download sites and Telegram channels, tricking users into installing it outside of Google Play.

Once installed, ClayRat quietly takes control of the device. It can read SMS messages, steal photos and call logs, and even send malicious links to the victim’s contacts to spread further. Dozens of variants have already been found, showing how quickly this spyware family evolves.

How ClayRat spreads

ClayRat is distributed through phishing websites that look like official app pages. These sites feature realistic logos, fake reviews and inflated download numbers, making them appear trustworthy.

When a user sideloads one of these fake apps, the installation process prompts them to set it as their default SMS app. Granting that permission allows ClayRat to intercept and send messages silently — giving attackers direct access to sensitive data.

What the spyware can do

Once active, ClayRat can:

  • Intercept and forward SMS messages to attacker-controlled servers.
  • Access call logs, device data, photos and videos.
  • Send malicious links to contacts to propagate further.
  • Abuse accessibility permissions to remain hidden and persistent.

Some versions can even activate the phone’s camera without the user’s consent — turning a fake social app into a full-fledged spy tool.

Who’s being targeted

So far, most detected infections appear in Russia and neighboring regions, spread via Telegram groups and localized fake websites. However, experts warn that the campaign’s adaptability makes global expansion highly likely. With the apps mimicking worldwide brands, anyone could become a target.

Red flags to watch for

  • Installing apps from outside Google Play.
  • Being asked to make a new app your default SMS handler.
  • Contacts receiving suspicious links or messages from you.
  • Noticeable drops in performance or unexplained data usage spikes.

If you see any of these signs, it’s time to act fast.

How to remove ClayRat

  1. Disconnect your phone (enable airplane mode).
  2. Check Settings → Apps → Default apps → SMS app and switch back to your default Messages app.
  3. Uninstall suspicious apps; if one won’t uninstall, reboot into Safe Mode first.
  4. Run an antivirus scan using Google Play Protect or another trusted tool.
  5. Change passwords and enable two-factor authentication (2FA) on key accounts.
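
For readers comfortable with adb, the two red flags above (a sideloaded app that is also the default SMS handler) can be checked from a computer. This is an added example, not code from Zimperium or the original article; it assumes Google Play's installer package is com.android.vending and that the device reports its SMS handler through the sms_default_application secure setting, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag a default SMS app that did not come from Google Play.
# Assumption: Play-installed apps report installer=com.android.vending.
PLAY_INSTALLER="com.android.vending"

# stdin: output of `pm list packages -i -3` (user-installed apps + installer).
# stdout: packages whose installer is not Google Play, one per line.
sideloaded_packages() {
    tr -d '\r' | awk -v play="$PLAY_INSTALLER" '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "null"                      # no installer recorded
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) { inst = $i; sub(/^installer=/, "", inst) }
            if (inst != play) print pkg
        }'
}

# $1: package currently set as default SMS app; stdin: same pm output.
# Prints a verdict and returns 1 when the SMS handler is sideloaded.
check_sms_handler() {
    sms_pkg=$(printf '%s' "$1" | tr -d '\r\n ')
    if sideloaded_packages | grep -Fxq -- "$sms_pkg"; then
        echo "ALERT: default SMS app $sms_pkg was not installed from Google Play"
        return 1
    fi
    echo "OK: default SMS app $sms_pkg"
}

# Live use (needs adb and USB debugging enabled on the phone).
audit_device() {
    sms=$(adb shell settings get secure sms_default_application)
    adb shell pm list packages -i -3 | check_sms_handler "$sms"
}

# Constructed sample of `pm list packages -i -3` output (not from a real device).
SAMPLE_PM='package:com.whatsapp  installer=com.android.vending
package:com.example.fakemessenger  installer=null
package:org.example.notes  installer=com.google.android.packageinstaller'
```

Apps from other legitimate stores are also listed as sideloaded, so treat the output as a list to review rather than a verdict. If the setting comes back empty, check the SMS app under Settings as in step 2.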

How to stay safe

  • Avoid sideloading APKs from Telegram or unknown sources.
  • Verify developers and download only from Google Play.
  • Pay attention to permission requests — especially those involving SMS or accessibility.
  • Keep your Android OS updated and enable Play Protect.
  • Warn friends if you suspect your phone may have spread links automatically.

The bigger picture

ClayRat is another reminder of how easily cybercriminals exploit our trust in familiar app icons. By mixing social engineering with deep system permissions, they can take over a phone in seconds. Staying cautious with app sources and permissions is still the best defense.

Tags: Android, cybersecurity, data breach, identity protection, internet security, online safety, spyware
