A new Android threat is using trusted phone numbers as lures. Sidestep Phishing: Friends don’t let friends get phished, and security researchers are warning of a new scam targeting them — using SMS links from a friend, family member or coworker can be the work of “ClayRat,” which is a fast-mutating malware family that uses its victims’ messaging apps to blast their contacts with malicious links.
How ClayRat infects your contacts using SMS lures
ClayRat starts with social engineering. Attackers are then seeding Telegram channels and fake brand websites with realistic download instructions for phony apps branded as TikTok, YouTube or Google Photos, mobile security firm Zimperium says. One campaign parodied a slick “YouTube Plus” website with instructions to skip Android’s built-in safeguards.
Installed, the malware asks for SMS privileges and rapidly makes the phone a distribution node. It blasts a short lure to the victim’s entire address book — messages contain the Russian phrase “Узнай первым!” (“Be the first to know!”) — paired with a malicious link. The hit rate — because the text appears to come from someone the recipient knows, you can nix that “ph,” multiplying your chances of getting a user to click through — will likely be much higher than on a cold phish.
For example, to bypass Android’s warnings regarding apps from unknown sources, ClayRat can display a spoofed Google Play update alert and trick the user into authorizing sideloading.
Zimperium says it has traced over 600 unique samples in a recent three‑month time frame, an indication that the operators are iterating quickly and trying out multiple lures.
What the Malware Can Do on an Infected Phone
In addition to its spreading capabilities, ClayRat is designed for surveillance and data exfiltration. Analysts found the functionality to intercept SMS text messages, exfiltrate call logs and take discreet snapshots. Such functions add risk of account takeover when the malware can read one‑time passcodes or compromise out‑of‑band authentication delivered by text.
According to Zimperium, the campaign has targeted Russian users — but the tactics of brand impersonation, Telegram distribution and contact‑based propagation go over well anywhere. They’ve shared indicators of compromise with Google, and known variants are being prevented by Google Play Protect where signatures are available. But fresh samples and look‑alike campaigns may still reach users who sideload apps or click on off‑store links.
Why SMS From Trusted Senders Works So Well
Rogues know that your contacts are the most powerful form of social proof you’ve got. A link from a trusted name eludes skepticism, especially if it’s hyped, phrased for now (“for the next 24 hours”), or “exclusive” content. The attackers seek to boost credibility by flooding Telegram threads with faked testimonials, exaggerated counts of downloads and polished visuals that mimic official brands.
This fits a broader trend. Verizon’s Data Breach Investigations Report still lists social engineering among its top attack patterns, and security firms are reporting accelerating uptake of mobile‑first phishing that does not originate via email. According to Proofpoint’s State of the Phish, a significant majority of businesses experienced SMS‑based phishing in 2020 — highlighting how threat actors are leveraging messaging media which people trust more and where there are fewer controls.
Red Flags — and Practical Ways to Protect Yourself
- When you get an unfamiliar link — even from someone you trust — stop and confirm through a different channel.
- Ask the sender to verify they intended to share it.
- Consider all APK files or “updates” outside the Google Play Store as hostile, especially if they ask you to disable protections or bypass a “special” Play prompt.
- Enable Play Protect and do not sideload.
- Review app permissions frequently — and if apps don’t require access to SMS, they shouldn’t get it.
- If your phone suddenly displays strange SMS activity, unexpected data usage or camera access prompts, look into it immediately and run a respected mobile security scan.
- Wherever feasible, move two‑factor authentication off SMS and onto an authenticator app or hardware key to limit the damage caused by SMS interception.
- Companies will need to block sideloading on managed mobile devices, track malicious domains and Telegram channels used in campaigns and educate employees to alert their IT teams about any messages that appear suspicious but were sent by colleagues.
- Malware threat defense solutions can detect new variants before they’ve been added to platform blocklists.
What to watch next as ClayRat operators iterate fast
The operators of ClayRat have demonstrated an ability to iterate quickly, changing domains, brands and messaging to outrun filters. Even if the current wave is concentrated primarily in one part of the world, the playbook — fake apps, social proof, contact‑based amplification — works anywhere. Plan for copycats to mimic the model.
The upshot: Treat any unfamiliar SMS link as a knock on the door after midnight. It could be nontoxic — but it could be ClayRat. The takeaways are to trust carefully, install only from reputable stores and keep your guard up so that your phone doesn’t serve as the next relay for somebody else’s malware campaign.