“In many ways, mobile devices have taken us back a decade,” noted John Bambenek from Bambenek Consulting. “In email, we have some protection against compromised users sending phishing lures. However, this doesn’t really exist in SMS. The result is that we artificially trust messages from our contacts and that they may include installing apps from outside Google Play.”
Weaponizing trust from Telegram to text threads
Zimperium’s report, shared with CSO ahead of its publication on Thursday, shows that ClayRat thrives on trust loops. Attackers use polished phishing pages and Telegram “update channels” to host fake apps, complete with forged testimonials and inflated download counts. Once granted SMS-handling privileges, the spyware weaponizes that trust, sending “Be the first to know!” texts with malicious links to every contact on an infected phone.
“This type of RAT technology, which allows victim devices to send authentic-looking messages or even make calls, can be used to bypass MFA or engage in sophisticated impersonation attacks,” Bambenek added.