
Russian arrest ends ClayRat Android spyware's short but aggressive reign

From fake apps to phishing schemes, ClayRat's $300-a-month spyware thrived—until sloppy code doomed it. Now, its alleged mastermind faces justice.


A suspected developer behind the Android spyware ClayRat has been arrested in Krasnodar, Russia. The malware, designed for espionage and remote device control, was distributed through fake apps and phishing sites before its rapid collapse in late 2025.

ClayRat operated as a subscription-based spyware service, marketed on Telegram channels. Users paid $90 per week, $300 per month, or gave 15% of stolen revenue to access its tools. At its height, the malware had over 600 samples and 50 droppers spreading it within three months.

The spyware could intercept SMS messages, call logs, and contacts. It also recorded screens, took photos, and executed remote commands. Attackers disguised it as legitimate apps, abusing platforms like Telegram, Discord, and the Google Play Store. Security firms Cyfirma and Check Point later confirmed at least nine services were exploited for distribution.

Technical flaws hastened ClayRat's downfall. Weak code obfuscation, plaintext passwords, and predictable distribution methods exposed its infrastructure. By December 2025, just two months after emerging, all known command servers went offline. The collapse echoed other short-lived malware, like the banking trojan Gorilla, which failed for similar reasons.

The arrest in Krasnodar marks the end of ClayRat's brief but aggressive campaign. Its shutdown followed a pattern of avoidable security errors that left its infrastructure vulnerable. Authorities and researchers have since documented its methods and rapid decline.
