A new wave of Android-targeting malware is putting mobile trust and messaging security under pressure. As fraudsters evolve their tactics to exploit user habits and app ecosystems, industry collaboration becomes critical. MEF CEO Dario Betti explains why unified defenses, smarter authentication, and faster threat sharing are essential to protect both users and businesses in this landscape.
It starts with a ping. A commuter unlocks their Android phone between stops. An SMS flashes up, or perhaps it is just a message in a Telegram channel: “Upload to the new Tik Tok premium app for free.”
The link looks familiar enough. The logo seems right. One tap can’t hurt, they think. That’s how ClayRat, the new Android malware, slips in; so far it has targeted Russian users. No exact figure is currently available for the total number of phones affected by the ClayRat spyware. Since its discovery in early October 2025, mobile security firm Zimperium has noted that the malware is spreading at an “alarming rate” and has already observed over 600 unique malware samples and 50 “droppers”, the initial pieces of code that download the full malware. Once a phone is infected, the spyware gains access to the user’s contacts and sends malicious links to everyone in the address book. On top of this self-spreading behaviour, the threat actors are constantly updating the malware.
ClayRat isn’t the noisy kind of malware. It doesn’t throw up lots of pop-ups or drain your battery in minutes. It’s careful. Patient. It looks for a way to stay, and it self-propagates at speed. It asks politely for “accessibility” to “help you complete the update.” It requests “notification access” to “deliver codes reliably.” With each permission, the door opens wider. Minutes later, the phone still feels like the user’s usual phone, but parts of it no longer belong to them; they belong to fraudsters.
Think of ClayRat as a shape-shifter. It’s modular, which means it can be just a downloader today and a data thief tomorrow. It learns your device—your apps, messages, tokens—and quietly forwards what matters: contacts, SMS/OTT messages, call logs, location, even photos. It sits in the middle of your communications, watching for OTPs and approval prompts, ready to hijack an account the moment you blink. It survives resets, patches, and updates by clinging to elevated privileges and system settings most people never inspect.
How does it get in? It doesn’t break the door. It persuades you to open it. Smishing messages. Fake delivery notices. “Security updates” hosted off-store. Links shared by compromised friends. On Android, it often rides in through sideloaded APKs and deceptive permissions.
What’s really at risk? Money, first. A stolen OTP here, a diverted push approval there, and an attacker is in your banking app or marketplace account. Then identity. A handful of personal details, your address, a passport scan in your photos—suddenly, other accounts start falling like dominoes. Trust takes the longest to repair. Your number begins sending lures to your contacts. Your accounts greet people you care about with someone else’s words. In the background, your phone becomes infrastructure—proxying traffic, running commands, feeding a criminal’s network while your battery and data quietly drain.
What would have stopped this?
- Not tapping the link. Navigating to the official site or app independently.
- Installing only from official stores. No “modded” apps, no off-store updates.
- Questioning permissions. Why does a “security update” need Accessibility, Notification access, or Device Admin?
- Watching the small signals. Battery, data, strange prompts, unexpected sent messages—small smudges that suggest a bigger fingerprint.
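The “questioning permissions” and “installing only from official stores” points above can be turned into a concrete device check. The following is an added example, not code from MEF or Zimperium: it parses the kind of output Android prints for the enabled accessibility services, enabled notification listeners and per-package installer (the `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -i` commands), and flags any package that holds one of those privileged roles without being on an allowlist, escalating when that package was also sideloaded. The sample outputs, the allowlists and every package name other than the well-known store and TalkBack identifiers are constructed placeholders.

```python
"""Triage an Android device for the permission pattern described above: apps
holding Accessibility or Notification-listener access that are not on an
allowlist, and apps that were sideloaded rather than store-installed.

Added example, not code from MEF or Zimperium. The inputs are constructed to
resemble what these adb commands print:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell pm list packages -i
"""
import re

# Installers treated as trusted app stores (assumption: adjust per fleet/OEM).
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Services a managed device is expected to have enabled (assumption: per-fleet allowlist).
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_LISTENERS = {"com.android.systemui"}

# Constructed sample outputs; com.example.* packages are placeholders.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.update/.svc.Assist"
)
SAMPLE_LISTENERS = "com.example.update/.svc.Listener"
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.update  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_components(setting):
    """Return the package names in a colon-separated list of pkg/class components.
    The settings command prints 'null' when nothing is enabled."""
    if setting is None or setting.strip() in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if c}


_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$", re.M)


def parse_installers(pm_output):
    """Map package name -> installer package ('null' when sideloaded or unknown)."""
    return {pkg: inst for pkg, inst in _PKG_RE.findall(pm_output)}


def triage(accessibility, listeners, pm_output,
           allowed_accessibility=ALLOWED_ACCESSIBILITY,
           allowed_listeners=ALLOWED_LISTENERS):
    """Return {package: [reasons]} for packages holding privileges they should not."""
    findings = {}

    def note(pkg, reason):
        findings.setdefault(pkg, []).append(reason)

    installers = parse_installers(pm_output)
    for pkg in sorted(parse_components(accessibility) - set(allowed_accessibility)):
        note(pkg, "accessibility service enabled, not on allowlist")
    for pkg in sorted(parse_components(listeners) - set(allowed_listeners)):
        note(pkg, "notification listener enabled, not on allowlist")
    # Only escalate sideload status for packages that already hold a privileged role;
    # that combination is the pattern described in the article.
    for pkg in list(findings):
        inst = installers.get(pkg, "null")
        if inst not in STORE_INSTALLERS:
            note(pkg, "installed by %s, not a trusted store" % inst)
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS, SAMPLE_PACKAGES).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On the constructed sample, only `com.example.update` is reported, with all three reasons; the bank app, store-installed and holding neither role, is silent. The allowlists are the part a fleet owner has to maintain, since OEM accessibility and screen-reader services vary by device.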
What this means for all of us at MEF: ClayRat is not just another “malware story.” It’s a test of our ecosystem’s fabric—how brands send messages, how telcos filter threats, how CPaaS and aggregators enforce hygiene, how app developers manage SDKs, how regulators balance safety and usability.
- Identity and trust in messaging: We must keep pushing for sender authentication, registries, and anti-spoofing that stop smishing without sidelining legitimate traffic.
- Supply chain integrity: SDK due diligence, code signing, store vetting, and faster takedowns of malicious packages are not “nice to have”—they’re table stakes.
- Interoperable defenses: Operators, firewalls, aggregators, OEMs, and security vendors need shared signals and shared language—IOCs, telemetry, and policies that travel as fast as the threats do.
- Consumer clarity: We owe users simpler cues—clear labels, fewer scary prompts, stronger defaults. Security should feel intuitive, not exhausting.
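The self-spreading behaviour described earlier (an infected phone pushing the same link to everyone in its address book) is also a signal a telco or aggregator can detect on its own traffic, which is the kind of shared telemetry the interoperable-defenses point asks for. The following is an added example, not MEF or operator code: a simple burst heuristic that flags a sender who delivers links to the same domain to many distinct recipients inside a short window. The message log, the numbers and the domain `lure.example` are constructed placeholders; a production filter would run on tokenised identifiers with far more context (sender history, complaint feedback, URL reputation).

```python
"""Operator-side heuristic for the self-spreading behaviour described above:
one number pushing the same link to many distinct recipients in a short window.

Added example, not MEF or operator code. The log is constructed; numbers and
the domain 'lure.example' are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

URL_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Constructed log: timestamp, sender, recipient, body (tab-separated).
SAMPLE_LOG = """\
2025-10-08T09:00:01\t+10000000001\t+10000000002\tHi, lunch later?
2025-10-08T09:02:10\t+10000000009\t+10000000021\tTry the premium app free: https://lure.example/app
2025-10-08T09:02:11\t+10000000009\t+10000000022\tTry the premium app free: https://lure.example/app
2025-10-08T09:02:13\t+10000000009\t+10000000023\tTry the premium app free: https://lure.example/app
2025-10-08T09:02:15\t+10000000009\t+10000000024\tTry the premium app free: https://lure.example/app
2025-10-08T09:02:19\t+10000000009\t+10000000025\tTry the premium app free: https://lure.example/app
2025-10-08T09:30:00\t+10000000003\t+10000000004\tSee https://news.example/story
2025-10-08T10:15:00\t+10000000003\t+10000000005\tAlso https://news.example/other
"""


def parse_log(text):
    """Parse tab-separated log lines into (datetime, sender, recipient, body) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, body = line.split("\t", 3)
        rows.append((datetime.fromisoformat(ts), sender, rcpt, body))
    return rows


def find_link_bursts(rows, window=timedelta(minutes=10), min_recipients=5):
    """Return {sender: (domain, distinct_recipients)} for senders that pushed links
    to the same domain to at least `min_recipients` distinct numbers within `window`.
    Thresholds are assumptions; tune them against real traffic."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, body in rows:
        m = URL_RE.search(body)
        if m:
            by_sender[sender].append((ts, rcpt, m.group(1).lower()))
    hits = {}
    for sender, events in by_sender.items():
        events.sort()
        # Slide a window starting at each link message; count distinct recipients
        # of the same domain inside it.
        for i, (t0, _, dom) in enumerate(events):
            rcpts = {r for t, r, d in events[i:] if d == dom and t - t0 <= window}
            if len(rcpts) >= min_recipients:
                hits[sender] = (dom, len(rcpts))
                break
    return hits


if __name__ == "__main__":
    for sender, (dom, n) in find_link_bursts(parse_log(SAMPLE_LOG)).items():
        print("%s sent links to %s to %d distinct recipients" % (sender, dom, n))
```

On the sample, the number that sends the `lure.example` link to five contacts in nine seconds is flagged, while the number that shares two ordinary news links 45 minutes apart is not. The output is a candidate for review or rate-limiting, not proof of infection on its own, and the domain plus sender pattern is exactly the kind of indicator worth sharing across operators quickly.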
A call to the MEF community: Malware evolves in days. Our collaboration must move faster. Bring what you’re seeing—new lures, fresh indicators, filtering results, SDK concerns—to the table so others can adapt before the next wave hits.
MEF members: join our next Anti-Fraud Interest Group call to compare notes on ClayRat and related families.


