@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://zimperium.com/blog/return-of-clayrat-expanded-features-and-techniques
  • Blog Title: Return of ClayRat: Expanded Features and Techniques
  • Suggested Section: 📱 Mobile Pentesting → Android Applications Pentesting (new subpage such as "Abusing Accessibility, MediaProjection & Notifications for Full Device Takeover" or a subsection under existing Android privilege escalation/abuse topics)

🎯 Content Summary

This blog provides a detailed technical analysis of ClayRat Android spyware v3.0.8, focusing on how it achieves full device takeover by abusing Android’s Default SMS privileges and Accessibility Services, combined with a packed/encrypted dropper, screen recording, remote desktop, notification abuse, overlays, and a rich WebSocket-based C2 command set.


Distribution & Masquerading

ClayRat is distributed via:

  • Phishing...

🔧 Technical Details

Abusing Accessibility for Lock-Screen Credential Theft & Auto-Unlock
The main trick is to register a high-privilege Android Accessibility Service that listens to SystemUI/Keyguard events and reconstructs lock-screen secrets. For PINs, track the ordered sequence of digit button presses until entry completes. For passwords, monitor text-change events in the password field and concatenate the characters. For patterns, record the grid node indices or touch coordinates forming the pattern path. Store the captured secret in SharedPreferences under a key like lock_password_storage (with type and timestamp). Later, when a C2 command such as auto_unlock arrives, replay the stored PIN/password/pattern via Accessibility gestures (taps/swipes) to automatically unlock the device, giving attackers physical-equivalent access without OS exploits.

MediaProjection-Based Screen Streaming & Remote Desktop ...

🤖 Agent Actions

Summary:

• Extended the Android Accessibility abuse guide with a “Packed Accessibility droppers” section covering ClayRat’s AES/CBC-encrypted payload staging and dynamic Dex loading workflow.
• Expanded the abuse patterns to document ClayRat-style overlay templates, MediaProjection/WebSocket remote desktop commands, lock-screen credential theft with auto_unlock, notification phishing/harvesting, SMS/telephony control, and discovery/proxy commands plus available IoCs.
• Updated the references to cite the ClayRat analysis blog and the associated IOC repository alongside the existing sources.

Tests: Not run (not applicable).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
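The bot summary above describes the technique from the attacker's side (an Accessibility Service reconstructing the lock secret and parking it in SharedPreferences under a key like `lock_password_storage`). The following is an added, defender-side triage example; it is not code from the Zimperium post, from ClayRat, or from the HackTricks PR. It assumes a responder has two artefacts: the value of the Android secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/serviceclass` entries) and a suspect app's SharedPreferences XML. Package names, the allowlist and both sample inputs are constructed placeholders.

```python
"""Triage helpers for the ClayRat-style Accessibility / lock-secret pattern.

Added example (not from the blog post or the PR). Assumes:
  * `enabled_accessibility_services` is the secure setting listing every
    enabled Accessibility Service as "package/serviceclass", ':'-separated;
  * the suspect app's SharedPreferences file is Android's <map> XML, where the
    write-up says a key like `lock_password_storage` holds the captured secret.
All inputs below are constructed; package names are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed secure-setting value: one legitimate service and one fictional
# suspicious package that has been granted Accessibility.
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/.TalkBackService:"
    "com.example.fakeupdate/.AccessService"
)

# Constructed SharedPreferences dump in Android's <map> format.
SAMPLE_PREFS_XML = """<map>
    <string name="c2_url">wss://c2.example.invalid/ws</string>
    <string name="lock_password_storage">1234</string>
    <string name="lock_password_type">pin</string>
    <long name="lock_password_ts" value="1700000000000" />
</map>
"""

# Placeholder allowlist of packages the responder has vetted as legitimate
# Accessibility providers.
VETTED_ACCESSIBILITY_PACKAGES: Set[str] = {"com.android.talkback"}

# Preference keys the write-up associates with lock-screen credential theft.
LOCK_SECRET_KEYS: Set[str] = {"lock_password_storage"}


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Split the secure setting into (package, service_class) pairs."""
    pairs = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # empty setting or malformed fragment
        pkg, cls = entry.split("/", 1)
        pairs.append((pkg, cls))
    return pairs


def unvetted_accessibility_services(setting: str, vetted: Set[str]) -> List[str]:
    """Return 'pkg/class' for every enabled service whose package is not vetted."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(setting)
            if pkg not in vetted]


def find_lock_secret_keys(prefs_xml: str) -> Dict[str, str]:
    """Return {key: value} for preference entries named in LOCK_SECRET_KEYS.

    <string> entries carry the value as element text; numeric entries such as
    <long> carry it in a 'value' attribute, so both forms are handled.
    """
    root = ET.fromstring(prefs_xml)
    hits: Dict[str, str] = {}
    for node in root:
        name = node.get("name")
        if name in LOCK_SECRET_KEYS:
            hits[name] = node.text if node.text is not None else node.get("value", "")
    return hits


def triage(setting: str, prefs_xml: str, vetted: Set[str]) -> Dict[str, object]:
    """Combine both checks into one verdict: any hit marks the device suspicious."""
    services = unvetted_accessibility_services(setting, vetted)
    secrets = find_lock_secret_keys(prefs_xml)
    return {
        "unvetted_services": services,
        "lock_secret_keys": sorted(secrets),
        "suspicious": bool(services) or bool(secrets),
    }


if __name__ == "__main__":
    verdict = triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PREFS_XML, VETTED_ACCESSIBILITY_PACKAGES)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports `com.example.fakeupdate/.AccessService` as an unvetted Accessibility Service and finds a populated `lock_password_storage` entry, which together are the two host-side indicators the write-up's technique leaves behind. The allowlist check is the more general control: a third-party package holding Accessibility rights is worth explaining on any device, independent of this family's preference-key naming.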

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://zimperium.com/blog/return-of-clayrat-expanded-features-and-techniques

Content Categories: Based on the analysis, this content was categorized under "📱 Mobile Pentesting → Android Applications Pentesting (new subpage such as "Abusing Accessibility, MediaProjection & Notifications for Full Device Takeover" or a subsection under existing Android privilege escalation/abuse topics)".

Repository Maintenance:

  • MD Files Formatting: 914 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
