
Verticals Targeted: Not specified
Regions Targeted: Russia
Related Families: Previous ClayRAT variants
Executive Summary
The ClayRAT Android spyware family has returned with a markedly more sophisticated variant that heavily weaponizes Android Accessibility Services and Default SMS privileges to achieve near-complete device takeover. New capabilities include automated lock-screen credential theft, persistent screen recording, programmable overlays, and interactive fake notifications designed to phish user replies.
Key Takeaways
- The new variant of ClayRAT steals the device PIN, password, or unlock pattern by monitoring SystemUI/Keyguard events via Accessibility Services and can automatically unlock the device thereafter.
- It initiates continuous screen recording through the MediaProjection API and streams the footage over WebSocket, using a foreground service for persistence.
- The malware displays multiple overlay types and performs automated clicks to block uninstallation or power-off attempts.
- It generates fake interactive notifications to capture user replies and harvests all active device notifications.
What is ClayRAT?
In October we reported on ClayRAT, and Zimperium has since discovered a new variant. The updated strain, observed in over 700 unique APKs since October, continues to rely primarily on phishing sites that impersonate popular video platforms, messaging apps, and region-specific services such as Russian taxi and parking applications. Distribution has expanded to include Dropbox-hosted payloads alongside more than 25 active fraudulent domains. Like its predecessor, the malware uses a dropper that stores an AES/CBC-encrypted payload in the assets folder and decrypts and executes it at runtime with a hard-coded key.
Once installed, the APK aggressively requests Default SMS handler status before guiding the victim to enable Accessibility Services. With these permissions in hand, the malware programmatically disables Google Play Protect through automated on-screen clicks, preventing easy detection or removal. Its most dangerous advancement lies in lock-screen credential theft: by intercepting Accessibility events from the SystemUI/Keyguard component, ClayRAT reconstructs PIN digits, password characters, or pattern node sequences in real time and stores them in SharedPreferences under the key “lock_password_storage.” The stored credential is later reused with the auto_unlock command to dispatch gestures that unlock the device without user intervention.
Screen-capture functionality is triggered by the turbo_screen command, which establishes a VirtualDisplay feeding frames into an ImageReader. Captured images are processed in a background thread and transmitted via WebSocket, with the user-agent string “ClayRemoteDesktop” clearly indicating remote desktop intentions. A foreground service keeps recording alive even when the malicious app is not in the foreground; on Android 10 and later the platform also requires MediaProjection capture to run from a foreground service of type mediaProjection, so the service satisfies that requirement as well as providing persistence.
Overlay abuse reaches new levels of sophistication in this variant. The show_block_screen command can present full-screen black layouts, fake system-update or battery dialogs, or fully interactive PIN-entry overlays that exfiltrate entered digits immediately. These overlays, combined with automated button-tapping routines, effectively prevent victims from powering off the device or navigating to the uninstall screen.
Notification manipulation has also been enhanced in ClayRAT version 3.0.8. The send_push_notification command creates custom notifications, some interactive, that prompt for user input. Any reply is intercepted and forwarded to the C2 as a potential credential. Additional commands harvest both active and historical notifications from the device.
The command set is extensive and reveals full remote-control ambitions: programmatic taps and swipes, launching arbitrary apps, injecting text into fields, forcing calls or mass SMS, and initiating VNC-like sessions via start_desktop. Persistence and anti-analysis techniques ensure the malware remains difficult to remove once Accessibility privileges are granted. This evolution transforms ClayRAT from a relatively straightforward SMS stealer into a highly evasive remote access trojan capable of total device compromise. PolySwarm analysts consider ClayRAT to be an evolving threat.
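Most of the capabilities described above (Accessibility abuse, Default SMS handler status, overlays, MediaProjection capture from a foreground service, notification harvesting) leave footprints in the application manifest before any code is read. The following triage script, added here as an example and not PolySwarm's or Zimperium's tooling, parses a decoded AndroidManifest.xml (as produced by apktool) and flags that cluster of declarations. The two manifests embedded at the bottom are constructed for the example, not taken from ClayRAT samples, and the verdict thresholds are this example's own heuristic.

```python
"""Manifest triage for the ClayRAT-style capability cluster (added example).

Input is a decoded AndroidManifest.xml. Each capability maps to the manifest
declaration the platform requires for it, so the checks are structural rather
than string-grep heuristics.
"""
import xml.etree.ElementTree as ET

# Android attributes are namespaced; ElementTree exposes them in Clark notation.
A = "{http://schemas.android.com/apk/res/android}"

BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BROADCAST_SMS = "android.permission.BROADCAST_SMS"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
FGS_MEDIA_PROJECTION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"


def _actions(component):
    """Intent-filter actions declared on a service, receiver or activity."""
    return {act.get(A + "name") for act in component.iter("action")}


def extract_capabilities(manifest_xml: str) -> dict:
    """Map each capability from the report to whether the manifest declares it."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    services = list(root.iter("service"))
    receivers = list(root.iter("receiver"))
    return {
        # The system only binds accessibility services guarded by this permission.
        "accessibility_service": any(
            s.get(A + "permission") == BIND_ACCESSIBILITY for s in services),
        # Minimum the Default SMS role needs: an SMS_DELIVER receiver protected
        # by BROADCAST_SMS (legitimate messengers declare this too).
        "default_sms_candidate": any(
            r.get(A + "permission") == BROADCAST_SMS and SMS_DELIVER in _actions(r)
            for r in receivers),
        "overlay_windows": OVERLAY in perms,
        # MediaProjection capture must run from a foreground service; the
        # mediaProjection service type or the API 34+ permission gives it away.
        "screen_capture_fgs": FGS_MEDIA_PROJECTION in perms or any(
            "mediaProjection" in (s.get(A + "foregroundServiceType") or "")
            for s in services),
        "notification_listener": any(
            s.get(A + "permission") == BIND_NOTIF_LISTENER for s in services),
    }


def triage(manifest_xml: str) -> tuple[str, list[str]]:
    """Return (verdict, capabilities found). Thresholds are this example's own."""
    caps = extract_capabilities(manifest_xml)
    hits = [name for name, present in caps.items() if present]
    # An accessibility service alone is common in legitimate apps; combined with
    # two or more of the other capabilities it matches the takeover profile above.
    if caps["accessibility_service"] and len(hits) >= 3:
        return "high", hits
    if caps["accessibility_service"] or len(hits) >= 2:
        return "medium", hits
    return "low", hits


# Constructed manifest mirroring the capability cluster in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CaptureService" android:foregroundServiceType="mediaProjection"/>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed control: an accessibility service on its own, as a screen reader would declare.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.reader">
  <application>
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("control", BENIGN_MANIFEST)):
        verdict, hits = triage(xml)
        print(f"{label}: {verdict} {hits}")
```

Two caveats when applying this to real samples. First, the dropper described above carries the real payload AES/CBC-encrypted in its assets, so the outer APK's manifest may declare little; decrypt the asset (the key is hard-coded in the dropper) and run the check on the inner APK's manifest as well. Second, Play Protect disabling, lock-screen credential capture and the auto_unlock gestures are runtime behaviour of the accessibility service and are invisible to manifest triage; they need dynamic analysis or a review of the service's onAccessibilityEvent handling.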
IOCs
PolySwarm has multiple samples of ClayRAT. Go here to view all samples of ClayRAT in our PolySwarm portal.
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.