ZeroDayRAT: Commercial Mobile Spyware for Android and iOS Spotted on Telegram

CyberSecureFox 🦊

A new commercial mobile spyware platform dubbed ZeroDayRAT has surfaced on underground marketplaces in Telegram, offering cybercriminals full remote access to compromised Android and iOS devices. According to mobile security researchers at iVerify, the malware combines the capabilities of a classic remote access trojan (RAT), a banking trojan and a cryptocurrency stealer into a single toolkit.

ZeroDayRAT capabilities: full remote control over mobile devices

Advertised to support Android versions 5 through 16 and iOS up to version 26, ZeroDayRAT is marketed as a turnkey “mobile surveillance as a service” platform. Buyers gain access to a web-based control panel that displays each infected device, including device model, OS version, battery level, SIM data, country, and online/offline status, and allows issuing commands in a few clicks.

Such centralized operator dashboards have become a standard feature of modern mobile RATs, lowering the barrier to entry for less technically skilled attackers and enabling large-scale campaigns in which hundreds or thousands of infected phones are managed from a single interface.

Surveillance, data theft and real‑time monitoring modules

User activity tracking and profiling

Once installed, ZeroDayRAT logs nearly all user activity on the device. It monitors app usage, builds a behavioral profile and activity timeline, analyzes SMS history and aggregates notifications. The panel presents operators with a summary of registered accounts on the device, including associated email addresses and identifiers.

These datasets are valuable for credential stuffing and brute-force attacks, where stolen usernames and passwords are automatically tested across multiple services such as email, social networks and fintech apps. Industry reports, including Verizon’s annual Data Breach Investigations Report, consistently show that password reuse remains a major driver of successful account takeovers.

Location tracking and movement history

With access to the device’s GPS, ZeroDayRAT continuously tracks the victim’s location, displaying coordinates on Google Maps and storing a complete history of movements. For employees with access to sensitive facilities or confidential meetings, these traces can reveal business structures, partners and routines, increasing the risk of targeted physical and cyberattacks.

Remote camera, microphone and screen access

The spyware allows operators to silently activate front and rear cameras, turn on the microphone and stream audio and video in real time. In addition, a screen recording function lets attackers capture information entered into applications, even when it never appears in logs or the clipboard, such as one-time passwords or confidential chats.

Banking trojan and cryptocurrency theft functionality

SMS interception and OTP bypass

When granted SMS permissions, ZeroDayRAT intercepts incoming one-time passwords (OTP) used by banks, fintech platforms and messaging apps for login and transaction confirmation. This enables attackers to bypass SMS-based two-factor authentication (2FA) and to send SMS from the victim’s number, making fraudulent activity appear legitimate to recipients.

Keylogger and device unlock compromise

The malware includes a built-in keylogger capturing all user input: passwords, PINs, device unlock patterns and gesture-based locks. This does not just expose individual app logins — it can allow threat actors to fully unlock the device, complicating incident response, forensic analysis and secure data wipe attempts.

Targeting cryptocurrency wallets and clipboard hijacking

A dedicated module focuses on cryptocurrency theft. ZeroDayRAT scans the device for popular wallet applications such as MetaMask, Trust Wallet, Binance and Coinbase, attempts to exfiltrate wallet identifiers and balance information, and performs clipboard address replacement. When a user copies a wallet address, the malware silently substitutes it with an attacker-controlled address, redirecting outgoing transfers.

Banking overlays for stealing payment data

The banking component targets mobile banking apps, UPI platforms like Google Pay and PhonePe, and payment services including Apple Pay and PayPal. ZeroDayRAT uses overlay attacks: a fake login or payment screen is displayed on top of the legitimate app, visually mimicking the original interface. Victims unknowingly enter credentials, card data or PINs into this overlay, which are then transmitted in real time to the operator.

Risks for enterprises and individuals

While the exact distribution methods of ZeroDayRAT remain unclear, researchers stress that it functions as a full-spectrum compromise toolkit for mobile devices. In corporate environments, a single infected employee device can expose business email, confidential documents, VPN credentials, MFA app secrets and password manager data, creating a pathway into internal networks and cloud services.

For private users, the impact is equally severe: loss of privacy through covert recording and location tracking, direct financial loss via banking and crypto theft, and large-scale account takeovers in social networks and messaging platforms. Compromised accounts are frequently used as launchpads for further attacks against contacts through phishing and social engineering.

How to protect against ZeroDayRAT and similar mobile malware

Because ZeroDayRAT claims compatibility with a wide range of Android and iOS versions, reducing the mobile attack surface is essential:

1. Install apps only from official stores. Avoid third-party marketplaces, pirated APKs, “cracked” software and installation links received via messengers such as Telegram.

2. Strictly control app permissions. Review access to camera, microphone, SMS, screen capture and accessibility services. Unknown apps requesting broad or sensitive permissions should be treated as a red flag.

3. Keep OS and apps updated. Regular security patches close vulnerabilities that mobile malware can exploit for stealthy installation and privilege escalation.

4. Use strong, phishing‑resistant multi-factor authentication. Prefer authenticator apps or hardware security keys over SMS codes wherever possible to reduce the value of OTP interception.

5. Deploy Mobile Threat Defense (MTD) and MDM in organizations. Enterprise-grade mobile security and mobile device management solutions help enforce security policies, detect rooted or compromised devices and block them from accessing corporate resources.
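An added triage check for step 2 above (example code, not iVerify's or ZeroDayRAT's): it parses text in the style of `adb shell dumpsys package` output and flags packages whose granted permissions span the SMS, overlay, camera, microphone and location capabilities the article describes. The input is a constructed sample; the exact dumpsys line layout and the risk grouping are assumptions of this example.

```python
import re
from collections import defaultdict

RISK_GROUPS = {  # real Android permission names; the grouping is this example's choice
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "camera": {"android.permission.CAMERA"},
    "mic": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
}
PKG_RE = re.compile(r"^Package \[([\w.]+)\]")            # dumpsys layout assumed
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")

def parse_granted(dump):
    """Map package name -> set of permissions reported as granted=true."""
    granted, current = defaultdict(set), None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            granted.setdefault(current, set())  # keep packages with no grants
        elif (m := PERM_RE.match(line)) and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return dict(granted)

def flag_packages(dump, min_groups=3):
    """Flag packages spanning >= min_groups risk families, or pairing SMS access
    with overlay capability (OTP interception plus fake login screens)."""
    flagged = {}
    for pkg, perms in parse_granted(dump).items():
        groups = {g for g, names in RISK_GROUPS.items() if perms & names}
        if len(groups) >= min_groups or {"sms", "overlay"} <= groups:
            flagged[pkg] = sorted(groups)
    return flagged

SAMPLE_DUMP = """\
Package [com.example.flashlight] (3f2a1c):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.maps] (9b8c7d):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""  # constructed sample, not output from a real device

if __name__ == "__main__":
    for pkg, groups in flag_packages(SAMPLE_DUMP).items():
        print(f"{pkg}: {', '.join(groups)}")
```

Accessibility-service abuse is not visible here because it is enabled through Settings rather than granted as a runtime permission, so check enabled accessibility services separately.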

Mobile malware like ZeroDayRAT confirms that smartphones are now primary attack targets rather than secondary channels. Investing in mobile security hygiene, user awareness and dedicated protection technologies significantly lowers the likelihood that a personal or corporate device will be turned into a remote surveillance tool and a gateway for financial theft.
