ZeroDayRAT: A New Cross-Platform Mobile Spyware


ZeroDayRAT is a newly identified cross-platform mobile spyware platform sold openly through Telegram and first observed on February 2, 2026. It gives an operator full remote control of infected Android (versions 5 through 16) and iOS devices (up to iOS 26, including the iPhone 17 Pro) through a web-based control panel. The malware supports comprehensive surveillance, including GPS tracking, message interception, notification harvesting, live camera and microphone access, and keylogging, as well as direct financial theft targeting banking and cryptocurrency apps.

Severity: High

Threat Details

1. Infection Vectors

  • Primary method: smishing (SMS phishing) delivering a malicious APK (Android) or an iOS payload.
  • Additional vectors: phishing emails, fake app stores, WhatsApp/Telegram-delivered links.
  • Victims are tricked into installing what appears to be a legitimate app.

2. Device Profiling & Data Collection

Once installed, ZeroDayRAT provides operators with:

  • Device model, OS version, battery status, SIM/carrier details
  • App usage statistics and activity timelines
  • Recent SMS messages (including banking messages)
  • Intercepted notifications from apps (WhatsApp, Instagram, Telegram, etc.)
  • Full account enumeration (Google, Facebook, Amazon, Paytm, Spotify, etc.)
  • Full SMS inbox access, including OTP interception (bypassing SMS-based 2FA)

3. Location & Activity Monitoring

  • Real-time GPS tracking with location history plotted on Google Maps
  • Passive visibility into all phone notifications
  • Detailed timeline of user activity

This enables persistent monitoring without requiring the attacker to actively interact with apps.

4. Live Surveillance Capabilities

The platform moves beyond passive monitoring to real-time surveillance:

  • Live camera streaming (front/back)
  • Screen recording
  • Live microphone access
  • Full keylogging with timestamps and app context
  • Live screen preview synchronized with keystroke capture

This effectively gives the attacker the equivalent of hands-on access to the device.

5. Financial & Cryptocurrency Theft

ZeroDayRAT includes dedicated stealer modules:

  • Crypto Stealer
    • Targets MetaMask, Trust Wallet, Binance, Coinbase
    • Logs wallet IDs and balances
    • Performs clipboard address injection: a wallet address copied to the clipboard is replaced with an attacker-controlled one, so the victim pastes and confirms a transfer to the wrong recipient
  • Banking Stealer
    • Targets banking apps and UPI platforms (PhonePe, Google Pay)
    • Also targets Apple Pay and PayPal
    • Uses overlay attacks (a fake login screen drawn over the real app) to capture credentials

This enables both traditional banking fraud and cryptocurrency theft from the same control panel.

Recommendations

  1. Keep devices on the latest Android security patch level and the latest iOS release.
  2. Review the “Privacy” or “Security” settings on your device regularly and revoke any permission that is not strictly necessary for an app’s core function. On Android, pay particular attention to SMS access, accessibility services, notification access and “display over other apps”: these are the capabilities a RAT needs for OTP interception, keylogging, notification harvesting and overlay attacks.
  3. If you notice signs of infection (unusual battery drain, random reboots, or overheating), a factory reset is usually the most reliable way to remove a RAT. Do not restore apps from a backup taken while the device was infected, as that can reinstall the malware.
  4. If an infection is suspected, change passwords for high-value accounts (banking, crypto, Google/Apple ID) from a different, clean device, and sign out all other active sessions for those accounts.
  5. On Android, keep “Install unknown apps” disabled for every app (called “Install from Unknown Sources” on older versions).
  6. Do not open links in SMS, WhatsApp, or Telegram messages from unknown senders, and do not install apps delivered through them.
  7. Because ZeroDayRAT intercepts SMS-based OTPs, move high-value accounts to hardware security keys or authenticator apps. Note that a RAT with screen recording and keylogging can still capture an authenticator code while it is displayed or typed; a hardware security key is the only option on this list that a compromised phone cannot read out, so treat authenticator apps as a stronger fallback rather than a complete defence.
  8. Deploy a mobile threat defense (MTD) solution that monitors for behavioral indicators of compromise, such as unusual telemetry or unauthorized process execution.
  9. Block rooted or jailbroken devices, and devices running an outdated OS, from accessing corporate email, Slack, or cloud data (for example through MDM compliance policies and conditional access).
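
As an added example (not code from Ampcus Cyber or from the iVerify analysis the advisory cites), the following script operationalises recommendations 2 and 8 for Android: it maps the capabilities described in sections 2 to 5 to the permissions and system settings an app needs to implement them, then scores every third-party package. It parses text captured with adb (`pm list packages -3 -i`, `dumpsys package <pkg>`, and the `enabled_accessibility_services` / `enabled_notification_listeners` secure settings). The package names, permission lists and settings values embedded below are constructed sample data, not indicators from the advisory.

```python
"""Triage Android apps for the permission footprint ZeroDayRAT would need.

Added example, not code from Ampcus Cyber or iVerify. All device output below
is constructed sample data; on a real device replace it with the output of:
  adb shell pm list packages -3 -i
  adb shell dumpsys package <pkg>                         (per third-party pkg)
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
"""
import re

# Advisory capability -> Android permissions an app needs to implement it.
# Keylogging (accessibility) and notification harvesting (notification
# listener) are enabled through system settings, not permissions, so they
# are checked separately in triage().
CAPABILITY_PERMS = {
    "sms/otp interception": {"android.permission.READ_SMS",
                             "android.permission.RECEIVE_SMS"},
    "gps tracking": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "camera/mic": {"android.permission.CAMERA",
                   "android.permission.RECORD_AUDIO"},
    "overlay attacks": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "account enumeration": {"android.permission.GET_ACCOUNTS"},
    "silent self-update": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# Google Play; add your MDM's installer package if it deploys enterprise apps.
TRUSTED_INSTALLERS = {"com.android.vending"}
PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")


def parse_installers(pm_output):
    """'package:<pkg>  installer=<installer>' lines -> {pkg: installer}."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_permissions(dumpsys_output):
    """Permissions the app declares or holds, from `dumpsys package <pkg>`.
    Bare names under 'requested permissions:' are declared in the manifest,
    'X: granted=true' lines are held; only explicit granted=false is ignored."""
    perms = set()
    for line in dumpsys_output.splitlines():
        if "granted=false" in line:
            continue
        m = PERM_RE.search(line)
        if m:
            perms.add(m.group(0))
    return perms


def parse_component_setting(value):
    """'pkgA/.Svc:pkgB/.Svc' (Android's format for enabled accessibility
    services and notification listeners) -> {'pkgA', 'pkgB'}."""
    if not value or value.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in value.strip().split(":") if entry}


def triage(pm_output, dumpsys_by_pkg, accessibility_setting, listener_setting):
    """One point per advisory capability the app can implement, plus two if it
    was not installed from a trusted store. Returns {pkg: finding}, highest
    score first."""
    a11y = parse_component_setting(accessibility_setting)
    listeners = parse_component_setting(listener_setting)
    findings = {}
    for pkg, installer in parse_installers(pm_output).items():
        perms = parse_permissions(dumpsys_by_pkg.get(pkg, ""))
        caps = [cap for cap, needed in CAPABILITY_PERMS.items() if needed & perms]
        if pkg in a11y:
            caps.append("keylogging/screen capture (accessibility service)")
        if pkg in listeners:
            caps.append("notification harvesting (notification listener)")
        sideloaded = installer not in TRUSTED_INSTALLERS
        findings[pkg] = {"installer": installer, "sideloaded": sideloaded,
                         "capabilities": caps,
                         "score": len(caps) + (2 if sideloaded else 0)}
    return dict(sorted(findings.items(), key=lambda kv: -kv[1]["score"]))


# --- constructed sample data (hypothetical packages, not real indicators) ---
SAMPLE_PM = """\
package:com.example.bankupdate  installer=null
package:com.example.weather  installer=com.android.vending
"""
SAMPLE_DUMPSYS = {
    "com.example.bankupdate": """\
  Package [com.example.bankupdate] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.GET_ACCOUNTS: granted=true, flags=[ USER_SET]
""",
    "com.example.weather": """\
  Package [com.example.weather] (d4e5f6):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET]
""",
}
SAMPLE_A11Y = "com.example.bankupdate/com.example.bankupdate.KeySvc"
SAMPLE_LISTENERS = "com.example.bankupdate/.NotifSvc:com.example.weather/.Listener"

if __name__ == "__main__":
    for pkg, f in triage(SAMPLE_PM, SAMPLE_DUMPSYS, SAMPLE_A11Y, SAMPLE_LISTENERS).items():
        origin = "SIDELOADED" if f["sideloaded"] else "store"
        print(f"{f['score']:>2}  {pkg:<26} {origin:<11} {', '.join(f['capabilities']) or '-'}")
```

The score is a triage heuristic, not a verdict: a legitimate SMS client or launcher also holds several of these permissions, which is why sideloading and enabled accessibility or notification access weigh heaviest, and why the output should be reviewed by a person before a device is wiped. iOS exposes no equivalent of sideloaded APKs and per-app permission dumps over a debug bridge, so the corresponding check there is reviewing installed configuration profiles and any app not obtained from the App Store.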

Source:

  • https://iverify.io/blog/breaking-down-zerodayrat—new-spyware-targeting-android-and-ios

Ampcus Cyber