ClayRat Is Stealing Photos Through Android Cameras — What a Privacy-First Camera App Actually Looks Like
Earlier this spring, security researchers at Zimperium and Cleafy began warning Android users about an aggressive new spyware family called ClayRat. The campaign abuses sideloaded "WhatsApp," "TikTok," "YouTube Plus," and fake browser updates to install a payload that does three things very well: it intercepts SMS messages (including 2FA codes), it scrapes your contact list to spread itself, and — the part that should disturb every Android user — it silently captures photos using the front camera and uploads them to a command-and-control server.
That last detail is what makes ClayRat different from the usual banking-trojan headlines. The camera is not a side feature of this malware. It is a primary exfiltration channel. And the way it does it — quietly, through the same camera APIs every legitimate app uses — surfaces a question most users never ask:
What is your camera app actually doing with your footage?
Most people assume the answer is "nothing." It almost never is. And while ClayRat is the malicious extreme, the everyday "free" camera apps you trust with your phone's lens sit on a spectrum that is uncomfortably close to it.
This is a guide to that spectrum — what ClayRat exploits, why so many legitimate apps are structurally vulnerable to the same class of misuse, and what an honestly privacy-first camera app actually looks like in 2026.
Quick answer: Background Camera RemoteStream is a local-first Android camera built with the opposite of ClayRat's threat model: no account, no cloud upload, no third-party SDKs, and no telemetry. Footage stays on your device unless you explicitly stream it. We walk through why that architecture matters below.
What ClayRat Actually Does With Your Camera
ClayRat is delivered through phishing channels — Telegram groups, fake "official" download pages, and SMS links that pose as social-app updates. Once the user grants the dropper the permissions it asks for (typically RECEIVE_SMS, READ_CONTACTS, CAMERA, and SYSTEM_ALERT_WINDOW), the payload sets itself as the default SMS handler and begins working in the background.
The camera-side behavior is the part security writeups have been the most explicit about. After installation, ClayRat:
- Initializes a hidden camera session using the same CameraManager and CameraDevice APIs that any legitimate app uses.
- Runs the front camera in a zero-byte preview surface so no preview ever appears on screen.
- Triggers a still capture on a timer or on a remote command from its C2 server.
- Encodes the JPEG and POSTs it — along with your contact list and SMS history — to attacker-controlled infrastructure.
There is no "Did you mean to take this photo?" dialog. There is no shutter sound (ClayRat suppresses it). The user sees nothing. The only outward sign on most devices is a brief green camera-in-use indicator in the status bar, which on Android 12+ is drawn by the operating system itself, not by anything the app chooses to show.
That last point is important. Android's camera permission is binary and broad. Once you grant it, the app can open the camera whenever it wants, in the background, without further consent. The system can't tell whether the app is recording a baby monitor feed, capturing a QR code, or quietly uploading your face to a foreign server every fifteen minutes.
ClayRat is the criminal version of this. The rest of the spectrum — the legitimate version — is more interesting.
Why "Free" Camera Apps Are Structurally Vulnerable
Open the Play Store right now and type "camera" into the search bar. The top free results will all share a few traits: an account requirement, a generous list of integrated third-party SDKs (analytics, advertising, "user identity"), some kind of cloud sync, and a privacy policy that — if you actually read it — gives the app broad rights to process your media and metadata.
These apps are not malware. They are not trying to do what ClayRat does. But the architectural pieces that ClayRat needs to operate are already present, by design, in most of them:
- Camera-permission-granted, all the time. A camera app obviously needs the camera permission. So the gating layer that should be the user's primary defense is wide open.
- A network stack with constant outbound connections. Analytics pings, ad calls, "crash reporting," license checks. The app is talking to many servers many times per minute. One more upload is invisible.
- Cloud-account architecture. Once your camera is paired to a logged-in cloud identity, the question of "where does this footage go?" has a default answer that isn't "your phone."
- Bundled SDKs you can't audit. A typical free Android app pulls in 20–40 third-party libraries. Each one is code running in the same process as your camera, often with the same permissions, written by people you'll never meet, and updated without your knowledge.
This is why the response to ClayRat shouldn't just be "don't sideload apps." That advice is correct but incomplete. The deeper question is: why does my legitimate, Play-Store-installed camera app need a cloud account, an advertising SDK, and four analytics endpoints to take a video? It doesn't. Those things are added to monetize you. They also happen to be the exact infrastructure pattern an attacker needs to exfiltrate your footage.
A privacy-first camera app deletes that infrastructure on purpose.
What a Privacy-First Camera App Actually Looks Like
Background Camera RemoteStream was built specifically as a counter-example to the architecture above. The app records video — including with the screen completely off, using a foreground service — and exposes a built-in web server so you can view the live feed from any browser on your local Wi-Fi. None of that requires an account. None of it sends footage anywhere unless you explicitly tell it to.
Concretely, here is how the architecture differs from what ClayRat depends on:
1. No account, ever. The app does not ask for an email address, phone number, or social login. There is no "user." There is no server-side identity for an attacker to compromise or for a subpoena to attach to. You install the app and it works.
2. No cloud upload by default. Captured video is written to local storage. Files do not auto-sync, do not auto-backup, and do not get processed by any remote service. Sharing a clip is a deliberate action you take — not something that happens silently in the background.
3. The web server is local-only. When you start the remote stream, the app launches a small Ktor-powered HTTP server bound to your phone's LAN address. Anyone on your home Wi-Fi can view the feed by typing the address into a browser. No one outside your network can reach it. There is no relay server, no NAT-traversal middleman, no hosted endpoint that a breach could expose.
4. No third-party SDKs. No analytics SDK. No ad SDK. No "crash reporting" tied to a vendor account. No identity SDK. The dependency tree is small and visible — the exact opposite of the "20+ libraries running in your camera process" pattern most free Android apps ship.
5. No telemetry. The app does not call home. There is no "anonymous usage data" being shipped to a dashboard somewhere. If you want to know what the app is doing, the answer is in front of you on the screen.
6. Permissions match the actual feature. The app asks for camera and microphone for recording, foreground-service for screen-off operation, and (only if you start the remote stream) network access. It does not ask for READ_CONTACTS, READ_SMS, READ_CALL_LOG, or any of the surveillance-oriented permissions that legitimate camera apps have no reason to need but that most of them request anyway "for personalization."
The contrast with the ClayRat architecture is direct. ClayRat uses cloud upload to exfiltrate your photos; a privacy-first camera doesn't have a cloud. ClayRat uses remote command-and-control; a privacy-first camera has no server it talks to. ClayRat exploits the trust model around granted permissions; a privacy-first camera asks for the smallest surface that still does the job.
How to Audit Any Camera App on Your Phone Right Now
You don't need to take a developer's word for any of this — including ours. Here is a five-minute audit you can run on every camera app installed on your Android device, today.
1. Check Settings → Apps → [the app] → Permissions.
A pure camera app needs Camera, optionally Microphone, optionally Storage. If it has Contacts, SMS, Call Logs, or Location-Always, ask why. There are very few legitimate reasons.
2. Check Settings → Apps → [the app] → Mobile data & Wi-Fi → Data usage.
A local-only camera app should show negligible network usage when you are not streaming. If it is moving meaningful data while you're not using it, it's talking to someone.
3. Read the Play Store "Data safety" section.
Google now requires apps to disclose what data they collect and share. "Personal info, App activity, App info and performance, Device or other IDs" being marked as "shared with third parties" is a yellow flag for any camera app. "Photos and videos" being collected is the one to scrutinize hardest.
4. Look at the privacy policy.
Search for the words "third party," "advertising," "analytics," and "cloud." The number of hits tells you something about the architecture even if you don't read the surrounding paragraphs.
5. Check for an account requirement.
Open the app fresh. If it cannot do its primary job — record a video — without you signing into something, it is structurally a cloud product wearing a camera's clothes.
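Step 1 can also be run from a workstation over adb instead of tapping through Settings. The script below is an added example, not part of the original post or of the app it describes: it reads the output of `adb shell dumpsys package <pkg>` and prints the surveillance-oriented permissions named above, marking which ones are actually granted rather than merely declared. The dumpsys text it ships with is a constructed sample that approximates the real format.

```shell
#!/bin/sh
# Added example (not from the original post): flag surveillance-oriented
# permissions in the output of `adb shell dumpsys package <pkg>`.
# Real use:  adb shell dumpsys package com.example.camera | sh audit.sh -
# With no argument it runs against the constructed SAMPLE below.

# Permissions the post says a pure camera app has no reason to request.
SUSPECT='READ_CONTACTS|READ_SMS|RECEIVE_SMS|READ_CALL_LOG|ACCESS_BACKGROUND_LOCATION|SYSTEM_ALERT_WINDOW'

# audit_dumpsys: reads dumpsys text on stdin and prints one line per suspect
# permission: "<name> GRANTED" if any line shows granted=true, otherwise
# "<name> requested" (declared in the manifest but not currently granted).
audit_dumpsys() {
  awk -v pat="$SUSPECT" '
    /android\.permission\./ {
      for (i = 1; i <= NF; i++) if ($i ~ /^android\.permission\./) {
        name = $i; sub(/:$/, "", name)        # strip the trailing ":"
        if (name !~ pat) continue             # not one we care about
        if ($0 ~ /granted=true/) granted[name] = 1; else seen[name] = 1
      }
    }
    END {
      for (n in granted) print n " GRANTED"
      for (n in seen) if (!(n in granted)) print n " requested"
    }' | sort
}

# Constructed sample in the shape dumpsys prints (approximate, not a real app).
SAMPLE='  requested permissions:
    android.permission.CAMERA
    android.permission.RECORD_AUDIO
    android.permission.INTERNET
    android.permission.READ_CONTACTS
    android.permission.RECEIVE_SMS
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]'

run_sample() { printf '%s\n' "$SAMPLE" | audit_dumpsys; }

case "${1:-}" in
  -) audit_dumpsys ;;   # piped dumpsys output on stdin
  *) run_sample ;;      # demonstrate on the constructed sample
esac
```

Camera, microphone and storage never appear in the output, so an empty result is what a pure camera app should produce.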
We did this audit ourselves on the apps in our comparison of free security camera apps and free nanny cam apps. Almost every popular option failed at least two of the five checks.
What ClayRat Should Change About How You Think About Camera Apps
A few honest takeaways from the campaign:
Sideloading is the headline, not the lesson. Yes, ClayRat is delivered via fake APKs from outside the Play Store, and yes, you should not sideload random apps. But the deeper lesson is that the architecture ClayRat exploits — broad permissions, persistent network access, cloud-attached identity — is also the architecture of most "legitimate" free camera apps. Sideloading made the attacker's job easier; it didn't invent the attack surface.
The camera permission is overpowered. Android could do better here. A future permission model that distinguishes "may capture in the foreground while the user is interacting" from "may capture in the background, with no preview, on a timer, while the screen is off" would close most of the ClayRat-style misuse without breaking any legitimate use case. Until that exists, the user-side defense is to install fewer apps with camera access and to prefer ones with simpler architectures.
"Free" has a price, and sometimes that price is the threat model. A camera app with no account, no cloud, no SDKs, and no telemetry — like Background Camera RemoteStream — has very few places where an attacker, an insider, a breach, or a subpoena can reach your footage. A camera app with all of those things has many. ClayRat is what happens at the criminal end of that gradient. The everyday end is just less dramatic.
Old phones are an asset. Possibly the most underrated takeaway: a drawer-phone running a single, audited, local-first camera app is a meaningfully better security posture than a "smart" cloud camera bought new. You already own one. Repurposing it costs nothing. Our DIY home security guide walks through the setup end-to-end.
Bottom Line
ClayRat is not the last malware family that will use your Android camera against you. It is the most prominent one this season. The right reaction is not paranoia — it is a clearer picture of what your existing camera apps are architecturally capable of, and a preference for the small, boring ones that don't need an account, a cloud, a vendor SDK, or a telemetry pipeline to do their job.
If you want a camera and recording app built on that principle, Background Camera RemoteStream is a free, local-first option from a one-person developer (Super Funicular LLC). No account, no cloud, no third-party SDKs, no telemetry. Install it, lock the screen, and the footage stays where you put it.
That's the whole pitch. It's also, increasingly, the whole threat model.
Related Reading
- Best Free Nanny Cam Apps for Android in 2026 (Privacy-First, No Subscriptions) — comparison of nanny cam apps with privacy and architecture as the main axes
- Best Free Security Camera Apps for Android in 2026 — broader security-camera comparison with the same audit framework applied
- Turn Your Old Android Phone Into a Free Home Security System (2026 Guide) — step-by-step DIY guide using a phone you already own
Built by a solo developer at Super Funicular LLC. No tracking, no telemetry, no third-party SDKs. Questions about the architecture or the audit? Drop a comment.