
A new Android spyware called ClayRat is luring potential victims by posing as popular apps and services such as WhatsApp, Google Photos, TikTok and YouTube.
The malware targets Russian users through Telegram channels and malicious websites that appear legitimate. It can steal SMS messages, call logs and notifications, take photos, and even place phone calls.
Malware researchers at mobile security company Zimperium say they have documented more than 600 samples and 50 different droppers over the past three months, indicating an active effort by the attacker to scale up the operation.
ClayRat campaign
The ClayRat campaign, named after the malware’s command-and-control (C2) servers, uses carefully crafted phishing portals and registered domains that closely mimic legitimate service pages.
These sites host, or redirect visitors to, Telegram channels where Android package files (APKs) are handed to unwitting victims.
To lend the sites legitimacy, the threat actors added fake comments and inflated download counts, and built a fake Play Store-style interface with step-by-step instructions for sideloading the APK and dismissing Android’s security warnings.
According to Zimperium, some of the ClayRat samples act as droppers: the app the user sees is a fake Play Store update screen, while an encrypted payload is hidden in the app’s properties.
The malware installs itself on the device using a “session-based” installation method to bypass Android 13+ restrictions and reduce user suspicion.
“This session-based installation method reduces the perceived risk and increases the likelihood that spyware will be installed as a result of a webpage visit,” the researchers say.
Once active on a device, the malware uses the new host as a springboard to spread further, sending SMS messages to everyone in the victim’s contact list.
Spyware Capabilities
The ClayRat spyware takes over the role of default SMS handler on infected devices, which allows it to read all incoming and stored SMS messages, intercept them before other apps can, and modify the SMS database.
The spyware establishes communication with its C2 server (AES-GCM encrypted in the latest versions) and then receives one of 12 supported commands:
- get_apps_list – send the list of installed apps to the C2
- get_calls – send call logs
- get_camera – take a front-camera photo and send it to the server
- get_sms_list – exfiltrate SMS messages
- MassSMS – send mass SMS to all contacts
- send_sms / make_call – send an SMS or place a call from the device
- notifications / get_push_notifications – capture notifications and push data
- get_device_info – collect device information
- get_proxy_data – obtain a proxy WebSocket URL, append the device ID, and initialize a connection object (converts HTTP/HTTPS to WebSocket and schedules tasks)
- Retransmission – resend an SMS to a number received from the C2
Once the necessary permissions are granted, the spyware automatically collects the contacts and programmatically composes and sends an SMS message to each one for mass distribution.
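As an added example (not Zimperium’s tooling or code from the article), the following Python triage script shows how a defender can spot the combination described above: an app that declares the components Android requires for the default-SMS-handler role while also requesting the permissions behind the command set (camera, call log, dialer, contacts, package install). The manifest is constructed; the package and component names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Intent actions an app must handle (alongside a SENDTO activity) before Android
# lets the user choose it as the default SMS app; the receivers need the
# BROADCAST_SMS / BROADCAST_WAP_PUSH permissions, the service SEND_RESPOND_VIA_MESSAGE.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
# Permissions that map onto the C2 command set listed above.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call log (get_calls)",
    "android.permission.CAMERA": "front camera (get_camera)",
    "android.permission.CALL_PHONE": "outbound calls (make_call)",
    "android.permission.SEND_SMS": "outbound SMS (send_sms / MassSMS)",
    "android.permission.READ_CONTACTS": "contact list (MassSMS targets)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "second-stage install (dropper)",
}

def triage_manifest(xml_text: str) -> dict:
    """Flag an app that seeks the SMS-handler role and bundles spyware-grade permissions."""
    root = ET.fromstring(xml_text)
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    role_candidate = SMS_ROLE_ACTIONS <= actions  # all three components declared
    flags = sorted(v for k, v in CAPABILITY_PERMISSIONS.items() if k in perms)
    return {
        "package": root.get("package"),
        "sms_role_candidate": role_candidate,
        "capability_flags": flags,
        # A real messaging app wants the role; one that also asks for camera, call-log
        # and dialer access next to it matches the behaviour described in the article.
        "suspicious": role_candidate and len(flags) >= 3,
    }

# Constructed manifest in the shape a fake "Google Photos" build might carry (placeholder names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.photos">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS"><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""
```

Run `triage_manifest()` over the decoded AndroidManifest.xml of a sideloaded APK; a result with `sms_role_candidate` true and several capability flags deserves a closer look.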
As a member of the App Defense Alliance, Zimperium shared the full set of IoCs with Google, and Play Protect now blocks known and new variants of the ClayRat spyware.
However, the researchers highlight that the campaign is very large, with more than 600 samples on record in three months.