
In the course of ongoing investigations, researchers at the security company Zimperium have published details on the resurgence and modernization of the Android trojan ClayRat, which has evolved from a personal-data theft tool into a full surveillance and remote-control mechanism. The trojan was first identified in October 2024, when its capabilities were limited to intercepting SMS messages and call logs. According to the analysis published by zLabs, the updated version has broadened its functionality considerably, placing it among the most dangerous mobile threats of the present day.
A key element of the trojan’s upgrade is its abuse of Android accessibility features, which are intended for users with disabilities, to gain unauthorized control over the device. The new iteration incorporates a keylogger that captures PINs and passwords and can unlock the screen automatically. It also carries a self-preservation module that resists removal by blocking user actions and disguising itself as a system process, making it exceedingly difficult to delete or deactivate.
To conceal its activity, the trojan displays deceptive user interfaces, such as system-update notifications, that let it blend into the device without drawing the user’s attention. Infection occurs through impersonation of legitimate applications, including video platforms, instant messengers, taxi services, and parking apps. During the research, more than 25 domain names used to distribute malicious APK files were identified, among them fraudulent versions of the “YouTube Pro” and “Car Scanner ELM” applications. To bypass web filters, the attackers also make active use of services such as Dropbox, which lets them spread the malware effectively.
Once installed, the trojan gains full control over the device, using the MediaProjection API to record the screen and capture notifications. This lets the operators not only steal one-time passwords but also interfere with the user’s communications. Zimperium stresses that the updated version poses a substantial hazard: it illustrates how quickly mobile threats evolve and shows the inadequacy of conventional defenses built on static detection and prevention techniques.
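The capability profile described above (accessibility abuse, notification capture, MediaProjection screen recording, SMS and call-log access, removal resistance) can be turned into a triage heuristic for sideloaded apps. The script below is an added example, not Zimperium's tooling; the permission strings are real Android identifiers, while the app inventory is constructed sample data shaped like what one would extract from `adb shell dumpsys package`.

```python
# Added example: flag installed apps whose declared capabilities match the
# ClayRat profile described in the article. Not the vendor's code.
PLAY_STORE = "com.android.vending"  # installer package of the official store

# Capability the article describes -> manifest permission or service binding.
INDICATORS = {
    "accessibility service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification listener": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "device admin (removal resistance)": "android.permission.BIND_DEVICE_ADMIN",
    "screen capture (MediaProjection)": "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
    "SMS interception": "android.permission.READ_SMS",
    "call-log access": "android.permission.READ_CALL_LOG",
}

def triage(app: dict) -> dict:
    """Return which indicators one app declares, whether it was sideloaded, and a verdict."""
    declared = set(app["permissions"]) | set(app["service_bindings"])
    hits = [label for label, perm in INDICATORS.items() if perm in declared]
    sideloaded = app["installer"] != PLAY_STORE
    # The dangerous combination is a sideloaded app that binds an accessibility
    # service AND declares several surveillance/control capabilities.
    if sideloaded and "accessibility service" in hits and len(hits) >= 3:
        verdict = "investigate"
    elif sideloaded and hits:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": app["package"], "sideloaded": sideloaded, "hits": hits, "verdict": verdict}

def triage_inventory(apps: list) -> dict:
    """Triage a whole inventory; keyed by package name."""
    return {r["package"]: r for r in map(triage, apps)}

# Constructed sample inventory (package names and permission sets are invented).
SAMPLE_APPS = [
    {"package": "com.example.youtubepro", "installer": "com.android.packageinstaller",
     "permissions": ["android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
                     "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"],
     "service_bindings": ["android.permission.BIND_ACCESSIBILITY_SERVICE",
                          "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
                          "android.permission.BIND_DEVICE_ADMIN"]},
    {"package": "com.example.watchcompanion", "installer": PLAY_STORE,
     "permissions": [], "service_bindings": ["android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"]},
    {"package": "com.example.smsbackup", "installer": "com.android.packageinstaller",
     "permissions": ["android.permission.READ_SMS"], "service_bindings": []},
]

if __name__ == "__main__":
    for pkg, result in triage_inventory(SAMPLE_APPS).items():
        print(pkg, result["verdict"], result["hits"])
```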
It is worth noting that this trojan was first found in Russia in October of this year, where it disguised itself as popular applications such as WhatsApp (owned by Meta, recognized as extremist and banned in Russia), TikTok, Google Photos, and YouTube. Last week, cyber police detained a student of the Krasnodar Cooperative Institute suspected of using this malware. The incident underscores the urgency of the problem and the need for more comprehensive and adaptive defensive approaches.