PROBABLYPWNED
Malware | February 10, 2026 | 6 min read

ZeroDayRAT Spyware Grants Full Access to Mobile Devices

Commercial mobile spyware on Telegram offers live surveillance, OTP interception, and crypto theft across Android 5-16 and iOS up to version 26.

James Rivera

A commercial mobile spyware platform called ZeroDayRAT is being marketed to cybercriminals on Telegram, offering complete remote control over Android and iOS devices with capabilities that rival nation-state surveillance tools. First observed on February 2, 2026, the toolkit supports Android 5 through 16 and iOS up to version 26—including the latest iPhone 17 Pro.

According to iVerify's analysis, "ZeroDayRAT not just steals data but also enables real-time surveillance and financial theft." This represents a dangerous democratization of advanced surveillance technology, making capabilities once limited to well-funded threat actors available to any criminal willing to pay.

What Makes ZeroDayRAT Dangerous

Unlike traditional mobile malware that targets specific apps or credentials, ZeroDayRAT provides comprehensive device compromise through a single dashboard. From that control panel, operators gain real-time surveillance capabilities, data exfiltration tools, and financial theft modules that work across both major mobile platforms.

The platform marks a concerning trend in mobile security threats—sophisticated spyware that previously required nation-state resources to develop is now sold commercially on messaging platforms. Security researchers compare ZeroDayRAT to tools that would have been exclusive to intelligence agencies just a few years ago.

Surveillance and Monitoring Capabilities

ZeroDayRAT's surveillance features provide attackers with comprehensive visibility into victim activity:

Real-Time Tracking and Streaming:

  • GPS location tracking with full location history and Google Maps integration
  • Live camera feeds from both front and rear cameras
  • Microphone access for ambient audio surveillance
  • Screen recording to capture exactly what victims see on their devices
  • App usage logging with detailed activity timelines

Communication Interception:

  • SMS message capture and interception
  • One-time password (OTP) interception, effectively bypassing two-factor authentication
  • App notification monitoring across banking apps, authenticators, and messaging platforms

The dashboard displays comprehensive device information including model, operating system version, battery status, SIM card details, current location, and lock screen status—giving operators complete situational awareness.

Data Theft and Financial Crime

Beyond surveillance, ZeroDayRAT includes specialized modules for credential harvesting and financial theft:

Keylogging and Credential Capture:

  • Comprehensive keylogging that records every keystroke with precise timestamps
  • Gesture and unlock pattern recording
  • Account enumeration to identify all services logged into on infected devices

Cryptocurrency and Financial Targeting:

  • Wallet scanner targeting MetaMask, Trust Wallet, Binance, and Coinbase
  • Clipboard address injection attacks that replace copied wallet addresses with attacker-controlled addresses
  • Banking app credential harvesting through fake overlay screens
  • UPI platform targeting (Google Pay, PhonePe)
  • Payment service compromise affecting Apple Pay and PayPal

The financial theft capabilities mirror techniques seen in specialized Android banking trojans, but ZeroDayRAT packages them into a unified surveillance platform that works across both Android and iOS.

How Devices Get Infected

To compromise a device, attackers must persuade victims to install a malicious binary—either an Android APK or an iOS payload. According to SecurityWeek's reporting, smishing (SMS phishing) remains the most common delivery method, with text messages pushing links to fake but convincing applications.

Other infection vectors include:

  • Phishing emails with malicious attachments
  • Malicious links shared on messaging platforms
  • Fake apps distributed outside official app stores
  • Social engineering attacks impersonating legitimate services

Once installed, the malware persists across device reboots and continues its surveillance operations until it is manually removed; detecting it typically requires specialized mobile security tools.

Enterprise Risk and Insider Threats

Compromised employee devices pose serious risks for credential theft, account takeover, and data exfiltration. An infected mobile device in an enterprise environment could provide attackers with:

  • Corporate email access and credential harvesting
  • Two-factor authentication bypass through OTP interception
  • VPN and network access credentials
  • Access to corporate messaging platforms and internal communications
  • Location tracking of employees and facilities

The widespread availability of mobile spyware platforms targeting both Android and iOS makes bring-your-own-device (BYOD) policies increasingly risky without comprehensive mobile endpoint security.

Detection and Protection

Detecting threats like ZeroDayRAT requires mobile EDR capabilities that extend beyond traditional device management, combining on-device detection, mobile forensics, and automated response across both managed and BYOD environments.

For Individual Users:

  • Only install applications from official app stores (Google Play Store, Apple App Store)
  • Verify app publishers are reputable before installing
  • Enable iOS Lockdown Mode for high-risk users (journalists, activists, executives)
  • Enable Android Advanced Protection for enhanced security
  • Be extremely cautious of unexpected SMS messages with download links
  • Regularly review app permissions and revoke unnecessary access

For Enterprise Security:

  • Deploy mobile EDR solutions with on-device threat detection capabilities
  • Implement mobile forensics to identify indicators of compromise
  • Establish automated incident response mechanisms for suspected infections
  • Maintain separate network segments for mobile devices
  • Require security baselines for devices accessing corporate resources
  • Conduct regular security awareness training focused on mobile threats
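One concrete check that follows from the advice above (install only from official stores, look for indicators of compromise) is to triage which third-party apps on an Android device were not installed by Google Play. The script below is an added example, not code from the article or from iVerify; it parses the output format of `adb shell pm list packages -3 -i` and works on a constructed sample so it runs offline. It treats only the Play Store installer as trusted, which is an assumption you may need to widen for devices with an enterprise app store.

```shell
#!/bin/sh
# Added example (not from the article): flag third-party Android packages that
# were not installed by Google Play. Input lines have the shape produced by
#   adb shell pm list packages -3 -i
#   package:<name>  installer=<installer package or null>
# "-3" restricts the listing to non-system apps, so installer=null here means
# the APK arrived via adb, a file manager or similar rather than a store.

# Constructed sample output for this example (no real device involved).
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.updater.sysservice  installer=com.android.packageinstaller'

# Installers treated as trustworthy (assumption: Play Store only).
TRUSTED_INSTALLERS='com.android.vending'

# Prints "<package> <installer>" for every package whose installer is not
# in TRUSTED_INSTALLERS. com.android.packageinstaller means a manually
# sideloaded APK; null means no installer was recorded at all.
flag_sideloaded() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}
        inst=${line##*installer=}
        case " $TRUSTED_INSTALLERS " in
            *" $inst "*) ;;                        # trusted installer: skip
            *) printf '%s %s\n' "$pkg" "$inst" ;;  # anything else: report
        esac
    done
}

# Number of flagged packages, for a one-line triage summary.
count_sideloaded() {
    flag_sideloaded "$1" | wc -l | tr -d ' '
}

# Against a real device this would be:
#   flag_sideloaded "$(adb shell pm list packages -3 -i)"
flag_sideloaded "$SAMPLE_PM_OUTPUT"
```

A flagged package is a lead, not a verdict: compare it against the device's expected app inventory and follow up with the permissions it holds (SMS, notification access, camera, microphone, location are the ones this spyware family relies on).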

Organizations should recognize that mobile platforms face sophisticated threats comparable to desktop environments and require equivalent security investment.

Why This Matters

The availability of comprehensive mobile surveillance platforms on Telegram represents a fundamental shift in the mobile threat landscape. Capabilities that once required significant technical expertise and resources are now accessible to any criminal with a few hundred dollars and basic technical skills.

For security professionals, ZeroDayRAT highlights the need to extend enterprise security monitoring to mobile endpoints. The assumption that iOS and Android security models provide sufficient protection no longer holds when adversaries can deploy commercial spyware with this level of sophistication.

The platform's support for the latest operating systems—including iOS 26 and Android 16—demonstrates that attackers are actively maintaining compatibility with current platforms, suggesting ongoing development rather than a one-time release.

As mobile devices increasingly serve as primary computing platforms for both personal and professional use, spyware toolkits like ZeroDayRAT will continue targeting the massive attack surface they represent. Organizations need to treat mobile security with the same rigor applied to traditional endpoints, implementing detection, response, and forensic capabilities tailored to mobile threats.
