Insights, news, education and announcements from PolySwarm | accessibility service abuse

A New Variant of ClayRAT Transmutes

Dec 12, 2025 2:03:27 PM / by The Hivemind posted in Threat Bulletin, accessibility service abuse, lockscreen bypass, ClayRAT, Android Spyware, MediaProjection API, screen recording malware

Verticals Targeted: Not specified
Regions Targeted: Russia
Related Families: Previous ClayRAT variants

Executive Summary

The ClayRAT Android spyware family has returned with a markedly more sophisticated variant that heavily weaponizes Android Accessibility Services and Default SMS privileges to achieve near-complete device takeover. New capabilities include automated lock-screen credential theft, persistent screen recording, programmable overlays, and interactive fake notifications designed to phish user replies.

Read More

Godfather Evolves With Advanced On-Device Virtualization Capabilities

Jun 30, 2025 1:56:44 PM / by The Hivemind posted in Threat Bulletin, Evolving Threat, Android Malware, Godfather Malware, Mobile Banking Trojan, on-device virtualization, cryptocurrency app attacks, accessibility service abuse, overlay attacks, mobile security threats, banking app hijacking

Verticals Targeted: Financial
Regions Targeted: Not specified
Related Families: None

Executive Summary

Industry researchers have identified an advanced evolution of the Godfather banking trojan, which employs on-device virtualization to hijack mobile banking and cryptocurrency applications on Android devices. This sophisticated technique allows attackers to monitor and control user interactions within a virtualized app environment, posing a significant threat to mobile security.

Read More