A new commercial mobile spyware platform called ZeroDayRAT is being sold to cybercriminals on Telegram, offering complete remote control over Android and iOS devices including real-time surveillance, financial theft capabilities, and access to cameras and microphones.
A new commercial mobile spyware platform dubbed ZeroDayRAT is being advertised to cybercriminals on Telegram as a tool that provides full remote control over compromised Android and iOS devices. The malware provides buyers with a full-featured panel for managing infected devices, reportedly supporting Android 5 through 16 and iOS up to version 26 latest.
Researchers at mobile threat hunting company iVerify say that ZeroDayRAT doesn't just steal data but also enables real-time surveillance and financial theft. The dashboard shows compromised devices and information about the model, operating system version, battery status, SIM details, country, and lock state.
Dashboard overview Source: iVerify
The malware can log app usage, activity timelines, SMS message exchanges, and provides an overview to the operator. Other tracking tabs on the dashboard display all received notifications, and also registered accounts on the infected device, showing email/user ID, potentially enabling brute-forcing and credential stuffing.
If GPS access is secured, the malware can also track the victim in real time and draw their current position on a Google Maps view, with full location history.
Tracking the victim in real time Source: iVerify
Apart from passive data logging, ZeroDayRAT also supports active hands-on operations, such as activating the device's cameras (front and rear) and microphone to gain access to a live media feed, or recording the victim's screen to expose other secrets.
Accessing camera and microphone feeds Source: iVerify
Moreover, if the SMS access permission is secured, the malware can capture incoming one-time passwords (OTPs), enabling 2FA bypass, and also send SMS from the victim's device. The malware developer also included a keylogging module that can capture user input, like passwords, gestures, or screen unlock patterns.
Further financial theft is enabled through a cryptocurrency stealer module. The researchers found that the component activates a wallet app scanner looking for MetaMask, Trust Wallet, Binance, and Coinbase, logs wallet IDs and balances, and attempts clipboard address injection, replacing copied wallet addresses with attacker-controlled ones.
The bank stealer targets online banking apps, UPI platforms like Google Pay and PhonePe, and payment services such as Apple Pay and PayPal. Credential theft occurs by overlaying fake screens.
The crypto and bank stealer modules Source: iVerify
iVerify does not detail how the malware is delivered but say that ZeroDayRAT "is a complete mobile compromise toolkit." The researchers warn that a compromised employee device could lead to enterprise breaches. For an individual, a ZeroDayRAT compromise could expose their privacy and lead to financial losses.
Users are recommended to only trust the official app stores, Google Play on Android and Apple Store on iOS, and install apps from reputable publishers. High-risk users should consider enabling Lockdown Mode on iOS and Advanced Protection on Android.
Comments
Please log in or register to join the discussion