A newly advertised commercial mobile spyware platform known as ZeroDayRAT is being promoted within cybercriminal communities as a tool capable of delivering full remote access to compromised Android and iOS devices. Marketed via underground channels on Telegram, the malware exemplifies the growing sophistication and commercialization of mobile surveillance threats.
ZeroDayRAT positioned as a full mobile compromise toolkit
According to researchers at iVerify, ZeroDayRAT goes far beyond basic data theft. The platform is designed to provide real-time surveillance, credential harvesting, and direct financial theft, positioning it as an end-to-end mobile compromise framework.
The operators advertise support for Android versions 5 through 16 and iOS devices up to the latest releases, significantly expanding the potential victim pool. Buyers are given access to a centralized management panel that allows full visibility and control over infected devices.
Operator dashboard and device intelligence
The ZeroDayRAT control panel displays detailed information about each compromised device, including hardware model, operating system version, battery level, SIM data, geographic location, and lock status. This intelligence enables attackers to prioritize high-value targets and tailor follow-on actions.
Activity monitoring features allow operators to track application usage, user timelines, and SMS message exchanges. Additional dashboard sections list all received notifications and registered accounts on the device, including associated email addresses or user IDs. This information can be leveraged for downstream attacks such as credential stuffing and account takeover attempts.
Location tracking and live surveillance capabilities
When granted location permissions, ZeroDayRAT enables continuous GPS tracking. Operators can view a victim’s real-time location and historical movement data plotted on a live map interface, creating significant privacy and physical security risks.
The malware also supports active “hands-on” operations. Attackers can remotely activate front and rear cameras, enable the microphone for live audio capture, and record the device screen. These capabilities allow direct observation of sensitive activities, including authentication workflows and private communications.
Two-factor authentication bypass and keylogging
If SMS permissions are obtained, ZeroDayRAT can intercept incoming one-time passwords (OTPs), effectively bypassing SMS-based two-factor authentication. The malware can also send SMS messages directly from the victim’s device, enabling fraud or social engineering campaigns that appear legitimate.
A built-in keylogging module captures user input such as passwords, gestures, and screen unlock patterns. This allows attackers to maintain persistent access even if credentials are changed elsewhere.
Financial theft modules and cryptocurrency targeting
ZeroDayRAT includes specialized components for financial exploitation. A cryptocurrency stealer module scans the device for wallet applications such as MetaMask, Trust Wallet, Binance, and Coinbase. The malware collects wallet identifiers and balances and attempts clipboard hijacking by replacing copied wallet addresses with attacker-controlled ones.
In parallel, the banking stealer targets mobile banking and payment applications, including Google Pay, PhonePe, Apple Pay, and PayPal. Credential theft is achieved through malicious overlay screens that convincingly mimic legitimate login interfaces.
Enterprise risk and defensive considerations
While iVerify has not disclosed the exact delivery mechanisms, researchers describe ZeroDayRAT as a “complete mobile compromise toolkit.” From a corporate security perspective, a single infected employee device could serve as an entry point for broader enterprise breaches, exposing internal communications, credentials, and sensitive business data.
For individual users, compromise can result in severe privacy violations, financial loss, and identity theft. Security best practices remain critical: users should install applications only from official app stores, verify publisher legitimacy, and scrutinize permission requests — especially for Accessibility, SMS, and screen recording access. High-risk individuals and executives should consider advanced protections such as iOS Lockdown Mode and Android’s Advanced Protection features to reduce their exposure to sophisticated mobile spyware threats.
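One practical way to apply the permission-scrutiny advice above to a managed Android fleet, as an added example that is not from iVerify or this article: a small triage script that maps the permission combinations ZeroDayRAT is described as relying on (SMS, overlay, camera/microphone, location, plus an enabled accessibility service for keylogging) onto the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`. The package names and dump text below are constructed, and the parser assumes the `requested permissions:` block layout of that dump.

```python
import re
from collections import defaultdict

# Permission sets that correspond to the capabilities described in the article.
CAPABILITIES = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                      "android.permission.SEND_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "live_surveillance": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "location_tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_BACKGROUND_LOCATION"},
}

def parse_requested_permissions(dump: str) -> dict[str, set[str]]:
    """Map package name -> requested permissions from `dumpsys package` text (assumed layout)."""
    result, current, in_block = defaultdict(set), None, False
    for line in dump.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        stripped = line.strip()
        if m:
            current, in_block = m.group(1), False
        elif stripped == "requested permissions:":
            in_block = True
        elif in_block:
            if not stripped or stripped.endswith(":"):  # next section header ends the block
                in_block = False
            elif current:
                result[current].add(stripped.split()[0])
    return result

def triage(dump: str, enabled_a11y: str, min_caps: int = 2) -> dict[str, list[str]]:
    """Return packages holding at least `min_caps` spyware-style capabilities."""
    perms = parse_requested_permissions(dump)
    a11y_pkgs = {entry.split("/")[0] for entry in enabled_a11y.strip().split(":") if entry}
    flagged = {}
    for pkg in set(perms) | a11y_pkgs:
        caps = [name for name, needed in CAPABILITIES.items() if perms.get(pkg, set()) & needed]
        if pkg in a11y_pkgs:  # an enabled accessibility service can observe input and screens
            caps.append("accessibility_keylogging")
        if len(caps) >= min_caps:
            flagged[pkg] = sorted(caps)
    return flagged

# Constructed sample output: one ordinary messaging app and one suspicious "system update" app.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    versionName=4.2.0
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.systemupdate] (9f8e7d):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_A11Y = "com.example.systemupdate/.KeyService:com.android.talkback/.TalkBackService"

if __name__ == "__main__":
    for pkg, caps in triage(SAMPLE_DUMP, SAMPLE_A11Y).items():
        print(pkg, "->", ", ".join(caps))
```

On a real device, pipe `adb shell dumpsys package` into `triage()` together with the accessibility setting; a legitimate app may hold one of these capabilities, so the score threshold rather than any single permission drives the review queue.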
