ClayRat malware steals SMS messages and secretly hijacks the camera.
The ClayRat malware steals SMS messages and uses the camera to secretly photograph the owner of the Android device.
When it comes to malware risk, Android users face a "nonstop" stream of newly emerging malware, and the risk grows by the day, as this news item shows.
According to a report on the Cyber Security News website, researchers have detected a distribution campaign for a new remote access trojan (RAT), a type of malware that takes control of the victim's device, called ClayRat, aimed at a group of Android users. The campaign spreads a new variant of this kind of malware. The first version of ClayRat was detected in October by the zLabs research team, which develops AI-based malware detection tools, before it was detected by the research team of another anti-malware vendor, Zimperium. According to the research team's recent findings, the malware has already spread around the world.
To get onto the victim's device, the malware impersonates well-known applications such as YouTube and messaging apps, as well as local Russian applications such as taxi and parking services, which suggests the malware may originate from Russia. These applications are distributed through phishing websites; the research team has identified up to 25 domains associated with the campaign. The attackers behind it have also used cloud file-hosting services such as Dropbox to spread the malware even more widely.
Once the malware reaches the victim's device, it requests SMS (Short Message Service) access and accessibility permissions during installation, which help the attackers take control of the device. What is installed first is not the real ClayRat malware but a dropper, created to get onto the device while evading detection. Once on the device, the dropper decrypts the real payload, which is stored encrypted with AES in CBC mode, using a decryption key embedded at runtime, which makes it even harder to detect. After the installation succeeds, the malware requests the permissions mentioned above and starts working immediately.
Accessibility access allows the malware to disable protections such as Google Play Protect and the Google Play Store without the victim's knowledge. The malware also secretly captures the screen-unlock data it observes on the lock screen, such as the pattern, PIN, and unlock password. This data is stored in a SharedPreferences key called lock_password_storage and is later used to unlock the screen via the auto_unlock command.
Beyond this, the malware can access the camera of the victim's phone to take pictures of the victim covertly; use the MediaProjection API (Android's screen-capture interface); steal SMS messages through the permissions requested during the installation phase; access incoming and outgoing call records; and create fake notification screens to capture the sensitive information the victim enters in response to them.
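To make the permission profile described above concrete, here is an added Python example (not from the article or from Zimperium's tooling) that triages an Android manifest for the combination of SMS, call log, camera and accessibility access the article attributes to ClayRat; the manifests and package names are constructed for the example.

```python
# Added example (not from the article or from Zimperium): triage an Android
# manifest against the permission profile the article attributes to ClayRat.
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capabilities from the article, mapped to the manifest permissions that grant
# them. MediaProjection is obtained through a runtime consent dialog, not a
# manifest permission, so it cannot be matched here.
CAPABILITIES = {
    "sms_theft": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log_access": {"android.permission.READ_CALL_LOG"},
    "camera_capture": {"android.permission.CAMERA"},
}

# Constructed sample: a look-alike app declaring the whole profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Permissions from <uses-permission>, plus the accessibility binding,
    which is declared on a <service> element rather than as a permission."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    if any(s.get(NS + "permission") == ACCESSIBILITY for s in root.iter("service")):
        perms.add(ACCESSIBILITY)
    return {p for p in perms if p}

def triage(manifest_xml):
    """Flag the pairing the article describes: accessibility plus SMS access."""
    perms = declared_permissions(manifest_xml)
    hits = sorted(c for c, need in CAPABILITIES.items() if perms & need)
    a11y = ACCESSIBILITY in perms
    return {"capabilities": hits, "accessibility": a11y, "suspicious": a11y and "sms_theft" in hits}
```

The check is a triage heuristic only: legitimate SMS or accessibility apps will also match, so a hit is a prompt for closer analysis, not a verdict.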