According to Infosecurity Magazine, cybersecurity researchers at Zimperium have identified a dangerous new iteration of the ClayRat Android spyware, first seen in October. The latest version combines SMS control with extensive abuse of Accessibility Services to perform automated actions for near-total device control. Key new functions include a keylogger for PINs and passwords, full screen recording, and deceptive overlays that block users from shutting down the device or deleting the app. Researchers have found more than 700 unique malicious APKs being distributed through over 25 active phishing domains, which impersonate services like YouTube and regional taxi apps. Once installed, the spyware automatically disables the Google Play Store to bypass Play Protect and uses stolen credentials to unlock the device itself.
Why this is so invasive
Here’s the thing: this isn’t just about stealing your photos anymore. By weaponizing Accessibility Services—a feature meant to help users with disabilities—ClayRat basically gets a remote control for your phone. It can simulate taps to stop you from uninstalling it. It can record your screen without you knowing. It even watches your lock screen activity to figure out your PIN or pattern. That’s a whole different level of intrusion. The use of fake system-update prompts and black screen overlays shows the operators are thinking hard about user psychology, not just code. They’re actively working to keep you confused and compliant while they clean you out.
The real corporate risk
Zimperium’s warning about enterprises is dead on, and it’s probably the most important takeaway. We’re all in a “bring your own device” (BYOD) world now, right? So imagine an employee gets tricked by a phishing site pretending to be a car diagnostics tool or a parking app. Suddenly, that one phone becomes a backdoor. The spyware targets notifications and SMS flows—which is where a lot of two-factor authentication codes live. It’s a direct conduit to corporate systems. I think a lot of companies still treat mobile security as an afterthought, focusing on laptops and networks. But your phone is your primary computer now. It holds the keys to everything.
What can you do?
Look, the standard advice applies: be extremely wary of installing apps from outside the official Play Store, even if they’re delivered via a link from Dropbox or a phishing site that looks legit. Never, ever grant Accessibility Services permissions to an app unless you are 1000% sure of its source and purpose. That permission is a red flag. For businesses, Zimperium’s point about needing security that operates at the device level is crucial. If your enterprise mobility strategy is just an email policy, it’s not enough anymore. This kind of malware evolves fast, and basic endpoint protection might not catch it. The scary part is how automated and persistent ClayRat has become. It doesn’t need a human operator watching; it’s programmed to steal, hide, and survive on its own. That makes it a much tougher problem to root out.
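For the "what can you do" side of this, here is a small triage script I've added to this post (it is not code from Zimperium, Infosecurity Magazine, or the ClayRat research). It checks the two things the article says the spyware relies on: an enabled Accessibility Service that nobody vetted, and a disabled Google Play Store. It parses the output of two real adb commands, `settings get secure enabled_accessibility_services` and `pm list packages -d`; the sample output, the `com.example.taxiapp` package name and the allowlist of known-good services are all constructed for illustration.

```python
"""Triage helper: flag unvetted Accessibility Service grants and a disabled Play Store.

Added example for this post, not code from Zimperium or the original article.
It parses the output of two real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -d
The sample outputs and package names below are constructed for illustration.
"""
import subprocess
from typing import Dict, List, Set

PLAY_STORE_PACKAGE = "com.android.vending"

# Accessibility services an organisation has vetted. This allowlist is an
# assumption for the example; a real one comes from your own device baseline.
KNOWN_GOOD_SERVICES: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_accessibility_services(raw: str) -> List[str]:
    """Parse the secure setting value: 'package/ServiceClass' entries joined by ':'.

    The setting reads 'null' (or is empty) when no Accessibility Service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_disabled_packages(raw: str) -> List[str]:
    """Parse `pm list packages -d` output, which prints one 'package:<name>' per line."""
    packages = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def triage(accessibility_raw: str, disabled_raw: str,
           allowlist: Set[str] = KNOWN_GOOD_SERVICES) -> Dict[str, object]:
    """Combine both checks into a findings list a responder can act on."""
    services = parse_enabled_accessibility_services(accessibility_raw)
    disabled = parse_disabled_packages(disabled_raw)
    unexpected = [s for s in services if s not in allowlist]
    play_store_disabled = PLAY_STORE_PACKAGE in disabled

    findings = [f"unvetted Accessibility Service enabled: {s}" for s in unexpected]
    if play_store_disabled:
        findings.append("Google Play Store is disabled, so Play Protect cannot run")

    return {
        "enabled_services": services,
        "unexpected_services": unexpected,
        "play_store_disabled": play_store_disabled,
        "findings": findings,
    }


def collect_from_device() -> Dict[str, object]:
    """Run both adb commands against a connected device and triage the results."""
    acc = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True).stdout
    dis = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-d"],
        capture_output=True, text=True, check=True).stdout
    return triage(acc, dis)


# Constructed sample output resembling a device where a sideloaded "taxi app"
# (hypothetical package name) holds Accessibility access and the Play Store is off.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.taxiapp/com.example.taxiapp.AccService\n"
)
SAMPLE_DISABLED = "package:com.android.vending\npackage:com.example.preinstalled\n"

if __name__ == "__main__":
    result = triage(SAMPLE_ACCESSIBILITY, SAMPLE_DISABLED)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run it with a phone attached over adb by calling `collect_from_device()` instead of the constructed samples; anything it flags is a reason to look at where that app came from, not proof of ClayRat on its own, since legitimate tools (password managers, screen readers) also use Accessibility Services, which is why the allowlist matters.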
