Cybersecurity experts have uncovered a new mobile spyware platform called ZeroDayRAT, being marketed on Telegram as a tool for stealing sensitive data and conducting real-time surveillance on Android and iOS devices.
Daniel Kelley, a security researcher at iVerify, explained, “The developer operates dedicated channels for sales, customer support, and updates, giving buyers access to a fully functional spyware panel. This platform goes beyond standard data collection to include real-time monitoring and direct financial theft.”
Targeted Platforms and Distribution
ZeroDayRAT is compatible with Android versions 5 through 16 and iOS versions up to 26. Analysts say it is typically distributed via social engineering campaigns or fake app marketplaces. Buyers receive a malware builder and an online control panel that can be hosted on their own server.
Once a device is infected, operators can access comprehensive information including device model, location, OS version, battery status, SIM and carrier details, app usage, notifications, and even recent SMS previews. GPS coordinates are tracked and plotted on Google Maps, along with the device’s location history, turning the platform into a full-featured surveillance tool.
Accounts and Financial Data Theft
The spyware enumerates all accounts on the device, such as Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, and Spotify, along with associated emails or usernames.


ZeroDayRAT also logs keystrokes, SMS messages, and one-time passwords (OTPs), bypassing two-factor authentication. It can activate live camera and microphone feeds, allowing adversaries to observe victims in real time.
For financial theft, the malware includes a stealer module that monitors wallets like MetaMask, Trust Wallet, Binance, and Coinbase, substituting clipboard addresses to redirect cryptocurrency transactions. A separate bank stealer targets mobile payment platforms like Apple Pay, Google Pay, PayPal, and PhonePe, enabling attackers to intercept digital transactions.
Wider Threat Landscape
Experts note that ZeroDayRAT is part of a broader wave of mobile malware campaigns targeting Android and iOS users. Recent examples include:
- Android RATs like Arsink and deVixor using Telegram, Firebase, and phishing sites to steal data and remotely control devices.
- Malicious apps on Google Play, All Document Reader among them, masquerading as legitimate utilities and hosting banking trojans.
- NFC-enabled tap-to-pay malware, such as TX-NFC and X-NFC, tricking users into transmitting card data through compromised apps.
- Romance and WhatsApp scams distributing spyware like GhostChat or GhostPairing.
- Android click fraud malware, such as Phantom, leveraging TensorFlow.js for automated ad interactions and live WebRTC streaming.
According to Group-IB, these attacks have resulted in at least $355,000 in fraudulent transactions from one vendor alone. The report highlights the growing sophistication of mobile malware campaigns, which combine spyware, financial theft, and remote monitoring into commercially available kits.
Kelley emphasized, “What previously required nation-state resources is now accessible to individual buyers. A single operator can monitor location, messages, finances, camera, microphone, and keystrokes, making this a significant threat to both individuals and organizations.”


