A new sophisticated mobile spyware platform, dubbed ZeroDayRAT, has emerged, targeting both Android and iOS devices for real-time surveillance and extensive data theft. The platform, first observed on February 2, 2026, is being openly sold via Telegram, offering cybercriminals a cross-platform tool to compromise smartphones. Researchers at iVerify identified ZeroDayRAT as part of a growing market for “ready-to-run” mobile surveillance tools, designed for ease of use by operators with minimal technical expertise.
ZeroDayRAT operates through a browser-based control panel, enabling attackers to remotely monitor and control compromised phones. The capabilities are extensive, including precise GPS tracking, the interception of all device notifications, access to SMS messages (crucially including one-time password or OTP codes), and live feeds from the device’s camera and microphone. Furthermore, it supports screen recording and context-aware keylogging, capturing typed information within specific applications. The spyware can also enumerate registered accounts on the device and is equipped with features for financial theft, such as swapping cryptocurrency wallet addresses in the clipboard and deploying fake banking overlays to steal login credentials.
ZeroDayRAT’s Pervasive Surveillance Capabilities
The functionalities offered by ZeroDayRAT allow for a comprehensive profile of the targeted user. Once installed, operators can view detailed device information, including SIM and carrier data, application usage patterns, and intercepted communications. The accessibility of SMS messages is particularly concerning, as it directly exposes two-factor authentication codes, significantly increasing the risk of account takeovers and direct financial losses for individuals and organizations.
The platform’s integrated dashboard provides operators with an overview of infected devices, which can include their model, operating system version, lock status, country of origin, and a live activity timeline. This comprehensive view facilitates rapid decision-making for targeted attacks and surveillance efforts. Researchers noted instances where the dashboard displayed devices located in both India and the United States, indicating the platform’s global reach.
Infection Mechanisms Employed by ZeroDayRAT
The typical infection chain for ZeroDayRAT begins with social engineering tactics, often involving smishing (SMS phishing) or phishing emails. Attackers send messages or emails that create a sense of urgency, often prompting the recipient to click a link leading to a malicious download page. These pages are designed to mimic legitimate websites, tricking users into downloading what they believe to be a genuine application.
Upon installation, the spyware implant communicates with the operator’s control panel. Delivery vectors can also include links shared through popular messaging apps like WhatsApp or Telegram, or through fake app stores. For Android, the payload is typically an APK file, while iOS devices receive a tailored payload. The iVerify report highlights that after installation, the tool is designed for immediate operational use without requiring the attacker to possess deep technical knowledge of mobile security or exploitation.
Defensive measures against such threats are crucial for both individuals and organizations. Security experts recommend treating mobile devices as endpoints and adhering to best practices such as exclusively using official app stores for downloads and minimizing the sideloading of applications. It is also advised to carefully verify any links received via text messages before clicking them. For enhanced security, users should opt for multi-factor authentication (MFA) methods stronger than SMS-based codes where possible. Regularly rotating passwords, especially after suspected exposure, and investigating sudden permission requests, unusual battery drain, or the presence of unknown accessibility services on a device are also vital steps.
Organizations are urged to implement robust mobile threat monitoring solutions and establish clear processes for triaging suspected spyware infections. Rapid reporting and response can significantly limit the damage caused by such sophisticated mobile spyware campaigns. The ongoing evolution of mobile spyware, as exemplified by ZeroDayRAT, underscores the persistent threat to user privacy and data security in the mobile ecosystem.
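The indicators named above (unknown accessibility services, sideloaded applications) can be checked mechanically during triage. The following script is an added example, not part of the iVerify report or this article: it reads two settings from an Android device over adb and flags anything not on a known-good list. The allowlists are hypothetical and must be edited for your own fleet; the `settings` key and the `pm list packages` output format are the real Android ones. When no device is attached, it runs against a constructed sample embedded in the script.

```shell
#!/bin/sh
# Added triage helper (not from the iVerify report or this article). Checks two of the
# indicators named above on an Android device reachable over adb: enabled accessibility
# services whose package is not on a known-good list, and third-party packages whose
# recorded installer is not a trusted store (i.e. sideloaded). Allowlists are hypothetical.

# Known-good accessibility service packages (hypothetical allowlist, space-separated).
KNOWN_A11Y="com.google.android.marvin.talkback"

# Installer packages treated as trusted stores (hypothetical allowlist, space-separated).
TRUSTED_INSTALLERS="com.android.vending com.sec.android.app.samsungapps"

# Print enabled accessibility services whose package is not allowlisted, one per line.
# $1: raw value of `settings get secure enabled_accessibility_services`, which is a
#     colon-separated list of package/class pairs, or the string "null" when none are enabled.
unknown_a11y_services() {
    if [ -z "$1" ] || [ "$1" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        pkg="${svc%%/*}"
        case " $KNOWN_A11Y " in
            *" $pkg "*) ;;                 # known-good, skip
            *) printf '%s\n' "$svc" ;;     # unexpected service: investigate
        esac
    done
}

# Print third-party packages not installed by a trusted store, one per line.
# $1: output of `pm list packages -3 -i`, lines like
#     package:com.example.app  installer=com.android.vending
#     A missing installer is printed by pm as installer=null (adb, browser or file-manager installs).
sideloaded_packages() {
    printf '%s\n' "$1" | awk -v trusted=" $TRUSTED_INSTALLERS " '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "null"
            for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
            if (index(trusted, " " inst " ") == 0) print pkg " (installer=" inst ")"
        }'
}

# Constructed sample output, used only when no device is attached over adb.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.dropper/com.example.dropper.OverlayService'
SAMPLE_PKGS='package:com.example.bank  installer=com.android.vending
package:com.example.dropper  installer=null
package:org.example.tool  installer=com.google.android.packageinstaller'

# Collect the two inputs from a connected device, or fall back to the constructed sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    A11Y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    PKGS=$(adb shell pm list packages -3 -i | tr -d '\r')
else
    echo "no device over adb; running against constructed sample data"
    A11Y=$SAMPLE_A11Y
    PKGS=$SAMPLE_PKGS
fi

echo "== accessibility services not on the allowlist =="
unknown_a11y_services "$A11Y"
echo "== third-party packages not installed by a trusted store =="
sideloaded_packages "$PKGS"
```

A hit from either function is a triage lead, not a verdict: legitimate accessibility tools and enterprise-deployed apps will appear until they are added to the allowlists, which is why the lists live at the top of the script rather than being hard-coded in the checks.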