A notorious Android spyware family has resurfaced with dangerous new capabilities, evolving from a simple data thief into a sophisticated surveillance tool that can actively fight off attempts to remove it. A new report from Zimperium’s zLabs details the resurgence of ClayRat, a banking trojan-turned-spyware that is targeting users through fake apps and cloud storage services.
First identified by zLabs in October 2024, the original ClayRat was a potent but standard threat capable of stealing SMS messages and call logs.
According to the Zimperium report, “Our continuous monitoring of this malware family has since uncovered a new variant with significantly upgraded capabilities.”
The critical shift lies in how the malware digs into the Android operating system. “This updated ClayRat strain now leverages Accessibility Services in addition to exploiting Default SMS privileges,” the researchers note. By abusing these powerful permissions—intended to help users with disabilities—the malware gains near-total control over the device interface.
The abuse of Accessibility Services has unlocked a suite of invasive features. The report highlights that this access enables a range of actions, including a “Keylogger to record pin/password/pattern and automatically unlock the lockscreen.”
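The combination the report singles out, an enabled Accessibility Service plus the default-SMS role held by the same package, is something a defender can audit from adb output. The script below is an added example and is not Zimperium's or zLabs' code; it assumes the two strings were captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell cmd role get-role-holders android.app.role.SMS`, the role-holder output format is assumed to be package names separated by `;` or whitespace, and all package names and the allowlist are constructed sample data rather than indicators from the report.

```python
import re

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# (colon-separated "package/ServiceClass" entries; "null" when none enabled)
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.youtubepro/.ControlService"
)
# Constructed sample output of:
#   adb shell cmd role get-role-holders android.app.role.SMS
# (assumed format: package names separated by ';' or whitespace)
SAMPLE_SMS_ROLE = "com.example.youtubepro"

# Packages expected to run an accessibility service on the fleet being audited
# (constructed for this example; replace with your own allowlist).
ALLOWLIST = {"com.android.talkback"}


def parse_accessibility_services(raw: str) -> set[str]:
    """Return package names that have an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_role_holders(raw: str) -> set[str]:
    """Return package names holding the queried role."""
    return {p for p in re.split(r"[;\s]+", raw.strip()) if p}


def triage(acc_raw: str, sms_raw: str, allowlist=ALLOWLIST) -> dict[str, list[str]]:
    """Rank non-allowlisted packages: 'high' holds accessibility AND the
    default-SMS role (the ClayRat combination); 'medium' holds accessibility only."""
    acc = parse_accessibility_services(acc_raw) - allowlist
    sms = parse_role_holders(sms_raw)
    return {"high": sorted(acc & sms), "medium": sorted(acc - sms)}


if __name__ == "__main__":
    for level, pkgs in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_ROLE).items():
        print(f"{level}: {', '.join(pkgs) or '-'}")
```

A "high" hit is not proof of infection, only the privilege combination worth pulling the APK for; review the allowlist per device fleet.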
Perhaps most alarmingly, ClayRat has learned self-defense. If a user attempts to remove the malware, it fights back using “programmatic button-tapping to prevent the victim from easily powering down the device or uninstalling the malicious application.”
It also uses psychological tricks to freeze the user out. The malware “places different overlays on top of victim screen such as system update overlay to avoid victim interaction,” effectively blinding the user while it performs malicious tasks in the background.
To infect devices, ClayRat masquerades as popular or useful applications. “The malware attempts to mimic a variety of legitimate entities, such as popular video and messaging platforms, as well as localized services, including Russian taxi and parking applications,” the report states.
Zimperium observed the malware hosting over 25 fraudulent phishing domains. Specific lures included fake versions of “YouTube Pro” and “Car Scanner ELM,” a diagnostic tool for vehicles.
In a move to bypass traditional web filters, the attackers have also turned to legitimate cloud infrastructure. “The malware was using Dropbox, a cloud storage service… to distribute its malicious APK files.”
Once installed, ClayRat transforms the device into a comprehensive spying tool. It can execute “screen recording using the MediaProjection API,” allowing attackers to watch the victim’s activity in real time. It also “creates fake custom notifications and steals the victim’s reply,” a tactic likely used to intercept two-factor authentication codes or hijack conversations.
“Together, these capabilities make ClayRat a more dangerous spyware compared to its previous version,” Zimperium warns, marking a significant escalation in the mobile threat landscape.