ClayRat: Android spyware operation collapses after arrest | 2026
Executive Summary
ClayRat is an Android spyware operation that targeted users in Russia and appears to have collapsed by December 2025 after its infrastructure went offline and the suspected developer was reportedly arrested in Krasnodar. Public reporting and researcher analysis indicate the malware supported surveillance and remote control functions, while Zimperium tracked more than 600 samples and around 50 droppers over roughly three months. The campaign spread through Telegram channels and phishing sites impersonating popular apps and local services. For defenders, the takeaway is straightforward: mobile malware campaigns can scale quickly through social engineering, but they still leave detection opportunities in sideloading flows, SMS abuse, fake app distribution, and command-and-control traffic.
What happened?
- October 2025: Researchers observed ClayRat gaining traction as an Android spyware / RAT campaign targeting users in Russia.
- October–December 2025: Zimperium said it identified 600+ samples and approximately 50 droppers associated with the campaign.
- During the campaign: Operators reportedly distributed malicious APKs through Telegram channels, fake app pages, and phishing sites impersonating WhatsApp, Google Photos, TikTok, YouTube, taxi, and parking services.
- Backend analysis phase: Solar said the operation showed major security weaknesses, including plaintext credentials, weak obfuscation, predictable command naming, and exposed backend components.
- By December 2025: Solar reported that all known ClayRat C2 servers had gone offline.
- Reported, not independently verified here: Public reporting linked the shutdown window to the arrest of a student in Krasnodar suspected of developing and marketing ClayRat.
Who is affected?
The campaign primarily targeted Android users in Russia, especially users willing to sideload apps from links shared through Telegram channels, fake update pages, or lookalike websites. High-risk exposure paths included:
- consumer mobile users tricked into installing APKs outside official app stores
- victims lured by fake versions of popular social and utility apps
- contacts of already infected users, due to ClayRat’s SMS-based propagation behavior
There is no strong evidence in the reviewed sources that the campaign primarily targeted a single enterprise vertical. The larger risk was broad consumer compromise with downstream fraud, surveillance, and social-engineering potential.
Initial access & kill chain (MITRE-friendly)
ClayRat followed a relatively clear mobile intrusion chain:
- Initial access: Users were redirected from Telegram channels or fake websites to malicious APK downloads.
- Execution: Victims installed the APK manually, often after being coached through sideloading prompts or fake update flows.
- Privilege / abuse: Some variants abused the default SMS handler role to gain broad access to messaging functions.
- Persistence / control: Infected devices connected to attacker-controlled infrastructure over HTTP or WebSocket-backed channels.
- Collection: The spyware harvested SMS, call logs, contacts, device information, notifications, photos, and screen data.
- Action on objectives: Operators could issue remote commands, push additional actions, and use infected phones to send malicious SMS to the victim’s contacts.
| Kill chain stage | Observed ClayRat behavior | ATT&CK-style mapping |
|---|---|---|
| Initial access | Fake apps, phishing pages, Telegram distribution | Phishing / drive-by style social engineering |
| Execution | Manual APK installation / droppers | User execution |
| Credential / data collection | SMS, contacts, call logs, notifications, camera, screen capture | Collection |
| C2 | Remote commands via attacker infrastructure | Command and Control |
| Propagation | Mass SMS to victim contacts | Lateral spread via trusted contact abuse |
Indicators and detection
Defenders should focus less on a single IOC set and more on suspicious mobile distribution patterns plus post-install abuse.
EDR / mobile threat defense
- alert on sideloaded APK installation from messaging links or untrusted browser sessions
- look for apps requesting SMS handler privileges without a legitimate messaging use case
- flag apps that access SMS, contacts, camera, and notifications in unusually tight sequence
- detect fake app branding that imitates WhatsApp, Google Photos, TikTok, or YouTube outside trusted stores
Email / messaging security
- block or review links to APK-hosting domains shared through SMS, chat, or Telegram
- monitor campaigns that reuse short social-proof messages to push users toward app sideloading
- flag lure messages translated as “Be the first to know!” or similar urgency-based referral text
Identity / user awareness
- educate users that Android security prompts for default SMS handler changes are high-risk events
- train staff and users to treat Telegram-distributed APKs as untrusted unless explicitly validated
Network / proxy / DNS
- investigate mobile traffic to newly registered domains serving APKs or fake app landing pages
- look for devices making repeated outbound connections to suspicious HTTP or WebSocket endpoints after APK installation
- track domain and IP overlaps across fake app infrastructure and backend panels
Example KQL pattern
Example pattern — tune for your telemetry model.
```kql
// Note: DeviceNetworkEvents carries InitiatingProcessAccountName, not AccountName.
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where RemoteUrl has_any ("apk", "update", "telegram", "kpmail")
    or InitiatingProcessCommandLine has_any ("package installer", "session install")
| summarize hits=count(), urls=make_set(RemoteUrl, 20) by DeviceName, InitiatingProcessAccountName
| order by hits desc
```
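The KQL above covers the network side. The mobile threat defense bullets (sideloaded install, default SMS handler takeover, tight-sequence access to SMS/contacts/camera/notifications, SMS burst to contacts) can be chained into one post-install rule; the detector below is an added example, not code from the original report or from any vendor, and it runs over constructed sample telemetry whose event names and fields are assumptions standing in for whatever your MTD/EDR emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not real ClayRat data), one event per line:
# "<ISO timestamp> <device> <event_type> key=value ...". Event types are assumed.
SAMPLE_LOG = """\
2025-11-03T10:00:00 phone-17 app_install source=sideload pkg=com.example.fakewhatsapp
2025-11-03T10:01:10 phone-17 role_change role=default_sms pkg=com.example.fakewhatsapp
2025-11-03T10:01:30 phone-17 data_access kind=sms pkg=com.example.fakewhatsapp
2025-11-03T10:01:40 phone-17 data_access kind=contacts pkg=com.example.fakewhatsapp
2025-11-03T10:01:55 phone-17 data_access kind=notifications pkg=com.example.fakewhatsapp
2025-11-03T10:02:05 phone-17 data_access kind=camera pkg=com.example.fakewhatsapp
2025-11-03T10:04:00 phone-17 sms_sent count=37 pkg=com.example.fakewhatsapp
2025-11-03T11:00:00 phone-22 app_install source=play_store pkg=com.example.realmessenger
2025-11-03T11:00:30 phone-22 role_change role=default_sms pkg=com.example.realmessenger
"""

SENSITIVE = {"sms", "contacts", "notifications", "camera"}
WINDOW = timedelta(minutes=10)  # "tight sequence" threshold; tune per fleet

def parse(line):
    ts, device, etype, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), device, etype, fields

def score_events(log_text):
    """Return {(device, pkg): [reasons]} for packages matching the chain."""
    per_pkg = defaultdict(list)
    for line in log_text.splitlines():
        ts, device, etype, f = parse(line)
        per_pkg[(device, f["pkg"])].append((ts, etype, f))
    findings = {}
    for key, events in per_pkg.items():
        events.sort(key=lambda e: e[0])
        installs = [e for e in events if e[1] == "app_install"]
        if not installs or installs[0][2].get("source") != "sideload":
            continue  # store installs are outside this rule's scope
        t0 = installs[0][0]
        within = [e for e in events if t0 <= e[0] <= t0 + WINDOW]
        reasons = ["sideloaded install"]
        if any(e[1] == "role_change" and e[2].get("role") == "default_sms" for e in within):
            reasons.append("took default SMS handler role")
        kinds = {e[2].get("kind") for e in within if e[1] == "data_access"}
        if SENSITIVE <= kinds:
            reasons.append("accessed sms+contacts+notifications+camera in tight sequence")
        burst = sum(int(e[2].get("count", 0)) for e in within if e[1] == "sms_sent")
        if burst >= 20:  # outbound SMS volume consistent with contact-list propagation
            reasons.append(f"sent {burst} SMS within {WINDOW} of install")
        if len(reasons) >= 3:  # sideload plus at least two post-install signals
            findings[key] = reasons
    return findings
```

The store-installed messenger that legitimately takes the SMS role is deliberately not flagged, since a lone role change without sideloading or follow-on collection is normal behaviour.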
Containment & remediation checklist
🔴 Immediate containment (0–24h)
- identify Android devices that installed apps from Telegram links, SMS links, or non-store APK sources
- isolate suspected mobile devices from sensitive enterprise apps and VPN access
- revoke active sessions tied to impacted mobile users in email, banking, and collaboration apps
- review SMS handler changes and remove untrusted apps from that role immediately
- collect forensic evidence from affected devices before wiping when possible
- block known ClayRat-related domains, URLs, and APK hashes in mobile defense tooling
- notify users who may have received SMS messages from infected contacts
- force password resets for accounts accessed from compromised devices
🟠 Hardening (24–72h)
- restrict enterprise Android devices from sideloading apps unless explicitly approved
- require mobile threat defense or EDR coverage for BYOD devices accessing corporate services
- tune detections for suspicious SMS, contact, notification, and camera access combinations
- add detection content for fake-app themes and Telegram-mediated malware delivery
- review mobile app allowlists and enforce official-store-only installation where possible
- enrich detections with threat intelligence on malicious mobile infrastructure
🟡 Longer-term controls (1–4 weeks)
- build a mobile-focused incident response playbook for sideloaded APK infections
- expand user training around social engineering, fake update flows, and app sideloading risks
- map mobile telemetry into central SOC workflows instead of handling it in a separate silo
- validate whether high-risk user populations need stronger device attestation and conditional access controls
- exercise takedown and law-enforcement coordination procedures for mobile phishing infrastructure
Strategic analysis (what this signals)
ClayRat matters less because it was uniquely sophisticated and more because it shows how quickly mobile malware can scale when operators combine Telegram distribution, fake app branding, and built-in device permissions. The operation also reinforces an older lesson: many criminal projects fail not because defenders miss them, but because operators make avoidable OPSEC and engineering mistakes.
The reported collapse appears tied to two reinforcing pressures:
- technical fragility, including plaintext backend secrets, weak obfuscation, and exposed infrastructure
- operational pressure, including public reporting and reported law-enforcement action against the suspected developer
For defenders, the broader signal is that mobile spyware ecosystems remain highly active, and even short-lived campaigns can produce hundreds of samples in a single quarter.
What happened?
ClayRat was an Android spyware operation that appears to have shut down after backend failures and a reported arrest of its suspected developer in Russia.
Who is affected?
Primarily Android users in Russia who installed apps from phishing sites, Telegram channels, or lookalike app pages.
How do I know if I’m impacted?
Look for sideloaded APKs, unexpected SMS handler changes, unexplained outbound messages to contacts, and suspicious access to SMS, contacts, camera, or notifications.
What should I do first?
Isolate the device, revoke sessions tied to that user, review installed apps and SMS handler settings, and collect evidence before remediation where feasible.
Is the campaign still ongoing?
Reviewed reporting suggests the known ClayRat infrastructure was offline by December 2025, but defenders should still hunt for residual infections and copycat activity.
Was the arrest confirmed?
The arrest was publicly reported and cited by reporting and research summaries, but this draft does not independently verify judicial or police records.