New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft

Security Reporter

Cybersecurity researchers have uncovered ZeroDayRAT, a sophisticated mobile spyware platform being sold on Telegram that combines surveillance capabilities with financial theft tools, targeting both Android and iOS devices across 50+ countries.

Cybersecurity researchers have uncovered a sophisticated new mobile spyware platform dubbed ZeroDayRAT that's being actively marketed on Telegram, combining real-time surveillance capabilities with financial theft tools to target both Android and iOS devices.

A Complete Mobile Compromise Toolkit

According to Daniel Kelley, security researcher at iVerify, ZeroDayRAT represents "a complete mobile compromise toolkit, the kind that used to require nation-state investment or bespoke exploit development, now sold on Telegram."

The platform goes beyond typical data collection into real-time surveillance and direct financial theft. A single buyer gets full access to a target's location, messages, finances, camera, microphone, and keystrokes, all from a browser tab via the web-based control panel.

Key capabilities include:

  • Cross-platform support: Android 5-16 and iOS up to 26
  • Real-time surveillance: Live camera streaming and microphone feeds
  • Location tracking: GPS coordinates plotted on Google Maps with historical data
  • Account harvesting: Enumerates credentials for 20+ services including Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, and banking apps
  • Financial theft: Stealer component that substitutes wallet addresses and targets mobile payment platforms
  • Keystroke logging: Captures all typed input including OTPs

Distribution and Technical Architecture

The malware is distributed via social engineering or fake app marketplaces. Buyers receive a builder tool and an online panel they can set up on their own server. Once installed, the malware provides operators with comprehensive device information including model, location, OS version, battery status, SIM details, app usage patterns, and notification data.

Financial Theft Capabilities

ZeroDayRAT incorporates sophisticated financial theft mechanisms:

Cryptocurrency wallet theft: Scans for MetaMask, Trust Wallet, Binance, and Coinbase apps, then substitutes copied wallet addresses to reroute transactions.

Mobile payment targeting: Includes a bank stealer module targeting Apple Pay, Google Pay, PayPal, and PhonePe (an Indian digital payments platform built on the UPI protocol).
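The wallet-address substitution described above works by rewriting the clipboard right after the victim copies a payee address, so the user pastes the attacker's address without noticing. The following is an added detection example, not code from the article or from iVerify: it runs over a constructed clipboard event log and flags a copied address that is overwritten within seconds by a different address of the same family. ClipEvent, Alert and detect_substitution are names chosen here, and the address patterns are loose triage patterns with no checksum validation.

```python
"""Flag clipboard wallet-address substitution in a clipboard event log.

Added example (not from the article or from any vendor's tooling). The event log
at the bottom is constructed for the demonstration; ClipEvent, Alert and
detect_substitution are names chosen here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose address patterns for triage only; no checksum validation is attempted.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class ClipEvent:
    t: float      # seconds since monitoring started
    text: str     # clipboard contents after this write


@dataclass
class Alert:
    t: float
    chain: str
    original: str
    replacement: str
    lookalike: bool   # replacement keeps the original's first and last 4 chars


def detect_substitution(events: List[ClipEvent], window: float = 5.0) -> List[Alert]:
    """Alert when an address is overwritten by a different address of the same
    family within `window` seconds: a person rarely copies two addresses that
    fast, whereas a clipboard hijacker rewrites immediately after the copy."""
    alerts: List[Alert] = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        kind = classify(ev.text)
        if prev is not None and kind is not None and classify(prev.text) == kind:
            a, b = prev.text.strip(), ev.text.strip()
            if a != b and ev.t - prev.t <= window:
                # A lookalike defeats the habit of checking only the ends of an address.
                lookalike = a[:4] == b[:4] and a[-4:] == b[-4:]
                alerts.append(Alert(ev.t, kind, a, b, lookalike))
        prev = ev
    return alerts


# Constructed clipboard log: the second event is the only suspicious one.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c9f"),    # user copies payee
    ClipEvent(0.4, "0x1a2bdeadbeef0000111122223333444455553c9f"),    # silently rewritten
    ClipEvent(30.0, "https://example.invalid/invoice/42"),            # not an address
    ClipEvent(31.0, "1KfzN6cXyTEfnqYmuDr3B6Ha9AbCdEfGh"),
    ClipEvent(60.0, "1PqRs7TuVwXyZ2345689AbCdEfGhJkMnN"),             # 29 s later: normal use
]

if __name__ == "__main__":
    for alert in detect_substitution(SAMPLE_EVENTS):
        print(f"t={alert.t}s {alert.chain}: {alert.original} -> {alert.replacement}"
              f" (lookalike={alert.lookalike})")
```

The `lookalike` flag is the part worth acting on: when the substitute shares the leading and trailing characters of the original, the usual advice to glance at the first and last few characters before sending gives no protection, and the full address has to be compared against a trusted copy.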

The Broader Mobile Malware Landscape

The emergence of ZeroDayRAT comes amid a surge in mobile-focused cyber threats. Recent campaigns have exploited various attack vectors:

Social Engineering and Fake Apps

  • Hugging Face hosting: Android RAT campaign using the AI platform to distribute malicious APKs
  • Google Play infiltration: An app named All Document Reader, with 50,000+ downloads, acting as an installer for the Anatsa banking trojan
  • Government impersonation: Indian users targeted through WhatsApp with malware that steals data and runs crypto miners

Advanced Attack Techniques

  • NFC relay attacks: New Ghost Tap technique exploiting tap-to-pay functionality, with $355,000 in fraudulent transactions recorded
  • Enterprise provisioning abuse: iOS attacks leveraging organizational app installation capabilities
  • AI-powered click fraud: Phantom trojan using TensorFlow.js to automate ad interactions

Regional Targeting

  • Arsink RAT: Concentrated in Egypt, Indonesia, Iraq, Yemen, and Türkiye using Google Apps Script and Firebase
  • deVixor trojan: Targeting Iranian users through automotive phishing sites with ransomware capabilities
  • GhostChat: Pakistan-focused spyware using romance scam tactics

Security Implications

The commercialization of sophisticated spyware like ZeroDayRAT represents a significant escalation in mobile threats. By marketing tools that combine surveillance, data theft, and financial fraud capabilities, threat actors are lowering the barrier to entry for less skilled attackers while increasing the potential impact on victims.

Organizations and individuals should be particularly vigilant about:

  • App installation from unofficial sources
  • Social engineering attempts via messaging platforms
  • Unusual device behavior or battery drain
  • Unauthorized access to financial accounts
  • Requests for accessibility permissions
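Of the warning signs listed above, accessibility permissions are the one an administrator can check mechanically on Android: the enabled services are stored in the secure setting `enabled_accessibility_services`, readable with `adb shell settings get secure enabled_accessibility_services`, and third-party packages can be listed with `adb shell pm list packages -3`. The audit below is an added example, not from the article: it parses those two outputs (constructed here, not captured from a device), drops allowlisted services, and reports every remaining accessibility service together with whether its package is third-party. The allowlist and the function names are assumptions to adapt to your own fleet.

```python
"""Audit enabled Android accessibility services against an allowlist.

Added example; the two strings below are constructed to look like the output of
`adb shell settings get secure enabled_accessibility_services` and
`adb shell pm list packages -3`, not captured from a real device.
"""
from typing import Dict, List, Set, Tuple

# Services expected on a typical device (assumption: adjust for your fleet).
ALLOWLIST = {"com.google.android.marvin.talkback"}

CONSTRUCTED_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/.A11yHelper"
)
CONSTRUCTED_THIRD_PARTY = "package:com.example.pdfviewer\npackage:com.whatsapp\n"


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Split the colon-separated component list into (package, class) pairs.
    The setting reads 'null' or is empty when no service is enabled."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    services = []
    for component in setting.split(":"):
        if "/" not in component:
            continue                      # ignore malformed fragments
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):           # short form: class relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party(pm_output: str) -> Set[str]:
    """Collect package names from `pm list packages -3` lines ('package:<name>')."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def audit(setting: str, pm_output: str, allowlist: Set[str] = ALLOWLIST) -> List[Dict[str, object]]:
    """Return every enabled accessibility service not covered by the allowlist."""
    third_party = parse_third_party(pm_output)
    findings: List[Dict[str, object]] = []
    for pkg, cls in parse_enabled_services(setting):
        if pkg in allowlist:
            continue
        findings.append({"package": pkg, "service": cls, "third_party": pkg in third_party})
    return findings


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_ENABLED, CONSTRUCTED_THIRD_PARTY):
        origin = "third-party" if finding["third_party"] else "system/preloaded"
        print(f"{finding['package']} runs accessibility service {finding['service']} ({origin})")
```

A third-party package with an accessibility service enabled is not proof of compromise (screen readers and automation tools use the same API), but it is exactly the capability a banking trojan or spyware needs to read screen content and inject input, so each finding should be matched against the apps the user actually installed on purpose.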

The cross-platform nature and active development of ZeroDayRAT make it a growing threat to both individuals and organizations, highlighting the evolving sophistication and persistence of mobile-focused cyber threats in 2025.
