Current Cyber Threats

Breaking Down ZeroDayRAT - New Spyware Targeting Android and iOS

Summary:
ZeroDayRAT is a newly identified mobile spyware platform being sold openly on Telegram, with activity first observed in early February. Marketed as a fully managed service, it provides buyers with a centralized web-based control panel, dedicated support channels, and regular updates, allowing even non-technical operators to conduct advanced mobile surveillance and theft. The platform supports a broad range of Android and iOS versions and relies primarily on social engineering, such as smishing, phishing, and malicious app downloads, to infect devices. Once installed, ZeroDayRAT delivers comprehensive access to a victim’s phone, including detailed device profiling, message and notification interception, GPS tracking with location history, account enumeration, keylogging, and live camera, microphone, and screen monitoring. It extends beyond traditional spyware capabilities by integrating banking and cryptocurrency theft features, enabling operators to bypass MFA, hijack accounts, and directly steal funds from both financial apps and crypto wallets, all from a single browser-based interface.

Security Officer Comments:
Efforts to disrupt ZeroDayRAT are complicated by its open sale on Telegram, active maintenance by a dedicated developer, and the presence of support and update channels that sustain ongoing use. The impact of ZeroDayRAT is significant for both individuals and organizations, as it enables near-total compromise of mobile devices. The platform enables actors to bypass SMS-based multi-factor authentication, carry out large-scale account takeovers, and steal directly from both banking apps and cryptocurrency wallets. In enterprise environments, a single infected employee device can expose corporate credentials, internal communications, and sensitive business data, particularly in BYOD or hybrid work scenarios. This access provides a foothold for lateral movement, targeted social engineering, and escalation into higher-value systems, effectively turning compromised mobile devices into a reliable pivot point for broader network intrusion and data exfiltration.

Suggested Corrections:
  • Only install apps from official app stores and avoid downloading APKs, iOS payloads, or apps from unverified websites or messaging links, as these are common infection vectors for spyware like ZeroDayRAT.
  • Be cautious of SMS, email, or messaging links and avoid clicking on unexpected or suspicious messages, especially those prompting downloads or urgent actions.
  • Use phishing-resistant MFA instead of SMS codes.
  • Keep mobile OS and apps updated with the latest security patches.
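The first correction above (official stores only, no sideloaded APKs) can be turned into a fleet check rather than a reminder. The following Python script is an added example, not code from the iVerify write-up or from this bulletin: it parses the text that Android's package manager prints for `adb shell pm list packages -3 -i` (third-party packages with the installer Android recorded for each) and flags every package whose installer is not a trusted store. The set of trusted installers is an assumption to adjust per fleet, and the embedded sample output is constructed with placeholder package names.

```python
"""Find sideloaded third-party apps from Android package-manager output.

Added illustration, not part of the iVerify write-up or this bulletin. It
consumes the text produced by `adb shell pm list packages -3 -i` (third-party
packages with the installer that Android recorded for each) and flags every
package whose installer is not a trusted store. The sample output embedded
below is constructed; the package names in it are placeholders.
"""
import re
from typing import Dict, List, Optional

# Installers treated as legitimate stores. Assumption: extend this for your
# fleet (an OEM store, or an MDM agent that installs managed apps).
TRUSTED_INSTALLERS = frozenset({
    "com.android.vending",  # Google Play Store
})

# One line per package, as printed by `pm list packages -3 -i`.
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample of `pm list packages -3 -i` output (placeholder names).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.update.service  installer=null
package:com.example.messenger  installer=com.google.android.packageinstaller
"""


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when Android prints 'null'.

    Lines that do not match the expected shape are skipped rather than
    raising, because adb can interleave warnings with the listing.
    """
    result: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def find_sideloaded(packages: Dict[str, Optional[str]],
                    trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return third-party packages not attributed to a trusted store.

    A None installer on a third-party package means it arrived via adb or
    the attribution was lost; the manual package installer means a user
    sideloaded an APK. Both are the infection paths the bulletin warns about.
    """
    return sorted(pkg for pkg, inst in packages.items() if inst not in trusted)


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3", "-i"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_PM_OUTPUT  # no adb or device available: use the constructed sample
    for pkg in find_sideloaded(parse_pm_output(out)):
        print("sideloaded:", pkg)
```

Run it against a connected device (or feed it saved `pm` output from an MDM export) and triage anything it prints; a flagged package is not proof of infection, but on a device that should only carry store-installed apps it is the first thing to look at.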
Link(s):
https://iverify.io/blog/breaking-down-zerodayrat---new-spyware-targeting-android-and-ios