ClayRat Android malware now hijacks accessibility for full-device surveillance
Zimperium details how ClayRat evolved from simple Android malware into a powerful surveillance tool, abusing accessibility, blocking removal, and screen capture
Researchers at Zimperium report a new, more sophisticated version of the Android malware ClayRat. Where the threat once acted as a basic infostealer pulling SMS and call logs, it has now evolved into a multipurpose surveillance tool with deeper system access and a built-in defense against removal. The shift feels like a troubling escalation that raises the stakes for everyday users.
Early variants spotted in fall 2024 were relatively limited. Now ClayRat taps Android accessibility services, allowing attackers to operate the device interface with few constraints. The toolkit has expanded to include keystroke logging, PIN capture, password reading, and even automatic screen unlock.
Specialists also point to a new anti-removal safeguard: ClayRat intercepts taps, blocks user commands, and swaps in actions to prevent powering off the phone or uninstalling the malware. On-screen, fake overlays may appear—such as a "system update" window—that hide what is really happening. That sleight of hand can leave users second-guessing what they see.
To spread, the trojan camouflages itself as popular apps: video service clients, messengers, and local taxi or parking services. Zimperium identified more than 25 lure domains, including counterfeit versions of YouTube Pro and Car Scanner ELM. The attackers also host APK files on Dropbox, thereby sidestepping security filters. Leaning on familiar brands and legitimate cloud storage makes the ruse feel more convincing.
Once installed, ClayRat gains near-complete control: it records the screen via the MediaProjection API, intercepts notifications, alters responses, and can steal one-time codes or meddle with conversations. With that foothold, even routine actions may not behave quite as expected.
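The capabilities described across this report map to a small set of Android manifest artefacts, which is how an analyst or mobile-threat-defense pipeline would triage a suspicious APK before any dynamic analysis. The script below is an added example, not code from Zimperium's report or from the malware itself: it parses an AndroidManifest.xml, records which indicators are present (SMS/call-log permissions, the overlay permission behind fake "system update" windows, an accessibility service, a notification listener, and a media-projection foreground service), and then checks for the combinations that together match the behaviour described above. The two manifests are constructed for illustration; the permission and attribute names are real Android identifiers, while the indicator and pattern labels are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_FG_TYPE = f"{{{ANDROID_NS}}}foregroundServiceType"

# Permissions requested via <uses-permission>, grouped by the capability they enable.
PERMISSION_INDICATORS = {
    "sms_and_call_log_collection": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CALL_LOG",
    },
    "overlay_capable": {"android.permission.SYSTEM_ALERT_WINDOW"},
    # Required on Android 14+ to run a foreground service of type mediaProjection.
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}
# A <service> must declare these permissions for the system to bind it in that role.
SERVICE_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_control",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_access",
}
# Combinations of indicators that together match the behaviours reported above.
# Labels are this example's own, not any vendor taxonomy.
PATTERNS = {
    "anti_removal_overlay": {"accessibility_control", "overlay_capable"},
    "otp_theft": {"notification_access", "sms_and_call_log_collection"},
    "full_device_surveillance": {"accessibility_control", "screen_capture", "notification_access"},
}


def extract_indicators(manifest_xml: str) -> dict:
    """Return {indicator: [evidence, ...]} for the manifest artefacts listed above."""
    root = ET.fromstring(manifest_xml)
    found = {}
    requested = {el.get(A_NAME) for el in root.iter("uses-permission")}
    for indicator, perms in PERMISSION_INDICATORS.items():
        hits = sorted(requested & perms)
        if hits:
            found[indicator] = hits
    for svc in root.iter("service"):
        role = SERVICE_INDICATORS.get(svc.get(A_PERMISSION))
        if role:
            found.setdefault(role, []).append(svc.get(A_NAME))
        # foregroundServiceType is a '|'-separated list, e.g. "mediaProjection|camera".
        if "mediaProjection" in (svc.get(A_FG_TYPE) or "").split("|"):
            found.setdefault("screen_capture", []).append(svc.get(A_NAME))
    return found


def match_patterns(indicators: dict) -> list:
    """Names of behaviour patterns whose required indicators are all present."""
    present = set(indicators)
    return sorted(name for name, needed in PATTERNS.items() if needed <= present)


# Constructed manifest resembling a lookalike "video pro" app with the reported capabilities.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.videopro">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application>
        <service android:name=".UiHelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <service android:name=".NotifListener"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
        <service android:name=".CaptureService" android:foregroundServiceType="mediaProjection"/>
    </application>
</manifest>
"""

# Constructed manifest of a benign screen reader: accessibility alone is not a verdict.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <service android:name=".ReaderService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        ind = extract_indicators(xml)
        print(label, ind, match_patterns(ind))
```

The pattern layer is the important part: a single accessibility service is normal for screen readers and password managers, so the benign manifest produces an indicator but no pattern match, whereas the combination of accessibility control with an overlay permission, or with a notification listener and screen capture, is what warrants escalation to sandboxing and, for managed fleets, a block on sideloaded packages from cloud-storage links.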