
Real-Time Surveillance and Data Theft Enabled by New ZeroDayRAT Mobile Spyware

  • 4 days ago
  • 2 min read

Key Findings


  • Security researchers have uncovered details of a new mobile spyware platform called ZeroDayRAT that is being sold openly on Telegram.

  • ZeroDayRAT provides comprehensive remote control capabilities over compromised Android and iOS devices, including real-time surveillance and data theft.

  • The malware supports Android versions 5 through 16 and iOS up to version 26, allowing it to target a wide range of mobile devices.

  • ZeroDayRAT is distributed through social engineering tactics like smishing, phishing emails, and fake app marketplaces; combined with the ready-made control panel sold on Telegram, this puts full device compromise within reach of less skilled attackers.

  • The spyware features an intuitive, self-hosted panel that gives operators full visibility into a victim's device, including location, messages, finances, camera, and microphone.

  • Capabilities include keylogging, one-time password (OTP) theft, clipboard monitoring, and financial theft via cryptocurrency and mobile wallet integrations.

  • Researchers warn that ZeroDayRAT represents a "complete mobile compromise toolkit" that was previously only available to nation-state actors, now being sold commercially.


Background


The ZeroDayRAT mobile spyware platform has been identified as a growing threat, with the developers running dedicated channels for sales, customer support, and regular updates on the Telegram messaging app. This gives buyers a single point of access to a fully operational spyware panel, enabling even unsophisticated attackers to take full control of compromised Android and iOS devices.


Device Compromise


Attacks typically begin with social engineering tactics like smishing (SMS phishing), where the victim receives a text message with a malicious link. Other distribution methods include phishing emails, fake app stores, and links shared over WhatsApp or Telegram. Despite the product's name, the initial access described in the reports is social engineering rather than exploitation of a vulnerability: the victim has to act on the lure. Once the device is infected, the attacker can access a wide range of information and capabilities through the self-hosted spyware panel.


Surveillance and Data Theft


The spyware panel provides the attacker with detailed information about the compromised device, including the model, operating system, battery status, location, SIM and carrier details, app usage, notifications, and a preview of recent SMS messages. This allows the threat actor to profile the victim and gain insights into their contacts, communications, and daily activities.


Financial Theft


ZeroDayRAT also incorporates capabilities for financial theft, including a stealer component that scans for popular cryptocurrency wallets and mobile payment apps. The malware can substitute wallet addresses copied to the clipboard, rerouting transactions to the attacker's own wallet: a user who pastes the address without re-checking it against the original sends the funds to the attacker. It also targets mobile payment services such as Apple Pay, Google Pay, PayPal, and the Indian payment app PhonePe.
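The clipboard substitution described above leaves a recognisable trace: one process writes a wallet address, and moments later a different process overwrites it with a different address of the same format. The following is an added example (not code from the page, from the researchers, or from the malware) showing how a defender could flag that pattern over a clipboard write log. It assumes such a log exists with a timestamp, the writing app, and the content (how to collect it is platform-specific and not covered here); the app names `com.example.messenger` and `com.example.spyware` and the event sequence are constructed for the demonstration. Legacy Bitcoin addresses are checked with Base58Check so that random base58 strings are not treated as addresses; bech32 and Ethereum addresses are matched syntactically only.

```python
"""Clipper (clipboard address swap) detection over a constructed clipboard log."""
import hashlib
import re
from dataclasses import dataclass

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Syntactic patterns for the address families clippers commonly target.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),  # format only, no checksum
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),                  # format only, no EIP-55
}


def b58check_valid(addr: str) -> bool:
    """Base58Check: 25 decoded bytes, last 4 = first 4 bytes of SHA256d of the rest."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return check == raw[-4:]


def classify(text: str):
    """Return the address family of text, or None. Legacy BTC must pass its checksum."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            if kind == "btc_legacy" and not b58check_valid(text):
                return None
            return kind
    return None


@dataclass(frozen=True)
class ClipEvent:
    ts: float      # seconds since some epoch
    source: str    # app/package that wrote the clipboard
    content: str


def detect_clipper(events, window=5.0):
    """Flag writes that replace an address with a different address of the same
    family, from a different writer, within `window` seconds of the original."""
    alerts = []
    last = None  # (event, kind) of the most recent address written to the clipboard
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev.content)
        if kind is None:
            last = None  # non-address content breaks the chain
            continue
        if (last is not None and kind == last[1]
                and ev.content != last[0].content
                and ev.source != last[0].source
                and ev.ts - last[0].ts <= window):
            alerts.append({"kind": kind, "original": last[0].content,
                           "replacement": ev.content, "writer": ev.source})
        last = (ev, kind)
    return alerts


# Constructed clipboard log. Addresses are public test vectors (Bitcoin genesis
# coinbase address, the Bitcoin wiki example address, BIP-173 bech32 vectors);
# the ETH strings and app names are made up for the example.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "com.example.messenger", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ClipEvent(0.2, "com.example.spyware", "16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM"),   # swap
    ClipEvent(30.0, "com.example.messenger", "meeting at 3pm"),
    ClipEvent(31.0, "com.example.messenger", "0x1234567890abcdef1234567890abcdef12345678"),
    ClipEvent(31.3, "com.example.spyware", "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),  # swap
    ClipEvent(120.0, "com.example.messenger", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    # Same user re-copying a different address from the same app: not a swap.
    ClipEvent(121.0, "com.example.messenger",
              "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3"),
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_EVENTS):
        print(f"[{alert['kind']}] {alert['original']} -> {alert['replacement']} "
              f"written by {alert['writer']}")
```

The `source` condition is what separates a swap from a user simply copying a second address; the time window keeps an address copied minutes later from being flagged. Both thresholds are heuristics and would need tuning against real clipboard traffic.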


Conclusion


Researchers warn that ZeroDayRAT represents a significant threat, as it provides a comprehensive mobile compromise toolkit that was previously only accessible to nation-state actors. The cross-platform support, active development, and ease of use make it a growing danger to both individuals and organizations. The emergence of this spyware underscores the evolving sophistication and persistence of mobile-focused cyber threats.


Sources


  • https://thehackernews.com/2026/02/new-zerodayrat-mobile-spyware-enables.html

  • https://www.itpro.com/technology/artificial-intelligence/this-new-mobile-compromise-toolkit-enables-spyware-surveillance-and-data-theft

  • https://gbhackers.com/zerodayrat-exploit-targets-android-ios/

  • https://www.linkedin.com/posts/cloud-range_new-mobile-spyware-zerodayrat-targets-android-activity-7427379918688288769-Ffoc

  • https://www.certosoftware.com/insights/new-zerodayrat-spyware-can-take-over-iphones-and-androids/

© 2025 by Explain IT Again