ZeroDayRAT ZeroDayRAT

New ZeroDayRAT Spyware Gives Criminals Near-Total Control of iPhones and Android Phones

Cybersecurity researchers have uncovered a commercial spyware platform that is openly marketed through Telegram and designed to give attackers extensive control over Android phones and iPhones.

Known as ZeroDayRAT, the toolkit packages surveillance, credential theft and financial-fraud capabilities inside a browser-based control panel. Researchers warn that its user-friendly setup could place powerful mobile spying tools in the hands of criminals with limited technical experience.

What Is ZeroDayRAT?

ZeroDayRAT is a mobile remote-access and surveillance platform identified by researchers at mobile security company iVerify. Activity connected to the service was first observed on February 2, 2026, with separate Telegram channels reportedly being used for sales, technical support and product updates.

The seller provides customers with tools for creating malicious mobile files and a control panel from which compromised devices can be monitored. This commercial structure resembles malware-as-a-service, where the developer handles much of the technical complexity while customers focus on choosing and deceiving victims.

Researchers say the platform claims to support Android versions 5 through 16 and iOS versions up to iOS 26. Those compatibility claims come from the spyware’s developer and should not be interpreted as proof that every current phone can be compromised automatically.

The full technical report is available through iVerify’s ZeroDayRAT analysis.

The Spyware Does Not Infect Phones Automatically

Despite its name, ZeroDayRAT is not described by researchers as a universal zero-click attack capable of silently breaking into any nearby smartphone.

An attacker generally needs to convince the target to download and install a malicious Android APK or an iOS payload. The most common delivery method is expected to be smishing, where a fraudulent text message directs the victim to a fake application, security update or login page.

The spyware may also be distributed through phishing emails, counterfeit app stores and malicious links shared through WhatsApp or Telegram. The attack therefore relies heavily on social engineering and on the victim accepting an untrusted download, profile or permission request.

This distinction is important. Simply using Telegram, receiving a suspicious message or owning an iPhone or Android phone does not mean a device has been infected.

What Attackers Can See After Infection

Once the malicious software is installed and given the necessary permissions, the control panel can reportedly display detailed information about the victim’s phone.

This information may include the device model, operating-system version, battery level, SIM details, mobile carrier, installed accounts, recent activity and previews of incoming text messages. The spyware can also capture notifications from communication, shopping and financial applications.

By viewing notifications and SMS messages, an attacker may be able to intercept one-time passcodes sent for account verification. This could weaken SMS-based two-factor authentication when the criminal already possesses the victim’s username and password.

The platform also advertises access to complete SMS inboxes, account lists and application-usage histories. Together, these details could help an attacker build a detailed profile of the victim’s contacts, habits, financial services and online accounts.

Camera, Microphone and Location Surveillance

ZeroDayRAT reportedly goes beyond basic data theft by offering real-time surveillance tools.

An operator may be able to track a phone’s GPS location, view its location history, activate the front or rear camera, access the microphone, record the screen and capture typed information through keylogging.

These capabilities could expose private conversations, passwords, messages and physical movements. Camera and microphone access could also allow an attacker to monitor activity happening around the phone rather than only information stored on it.

The spyware’s dashboard is designed to make these functions accessible from one interface. That ease of use is one of the main reasons researchers consider the kit concerning.

Financial Theft Is a Major Part of the Threat

The platform is not marketed only as a surveillance product. Researchers say it includes functions designed to steal money and financial credentials.

ZeroDayRAT reportedly supports fraudulent login overlays that imitate banking or payment applications. When the victim enters information into the fake screen, the credentials may be transmitted to the attacker.

The toolkit also advertises cryptocurrency theft through clipboard manipulation. When a user copies a crypto-wallet address, the malware may replace it with an address controlled by the criminal before the transaction is completed.

Notification monitoring, keylogging and SMS interception could give attackers several different ways to collect login details, verification codes and payment information from the same infected device.

Why Selling It on Telegram Matters

Advanced mobile spyware has traditionally been associated with government agencies, specialist surveillance companies and highly skilled hacking groups.

ZeroDayRAT represents a broader trend in which malware developers package sophisticated capabilities into commercial services. Dedicated sales and support channels reduce the knowledge needed to operate the software and allow more criminals to attempt mobile surveillance attacks.

The toolkit’s presence on Telegram does not mean Telegram itself installs the spyware or that its official applications are compromised. The messaging service is being used as a marketplace and communication channel by the alleged seller.

Victims are still generally infected through malicious downloads, links and permission requests rather than through the legitimate Telegram application.

Are the Developer’s Claims Proven?

Some caution is necessary when evaluating commercial malware advertisements. Criminal sellers frequently exaggerate compatibility, reliability and stealth to attract customers.

iVerify documented the platform’s interface, advertised functions and distribution channels, but public reporting does not establish that every claimed feature works reliably on every supported Android or iOS version. The available research also does not provide a confirmed number of real-world victims.

The name ZeroDayRAT should not be taken as confirmation that the platform contains unknown zero-day vulnerabilities. Based on the published analysis, infection commonly depends on persuading the victim to install a malicious file or payload.

The threat remains serious because social-engineering attacks continue to succeed even without a previously unknown software flaw.

How Android Users Can Reduce the Risk

Android users should install applications only through Google Play or another source they fully trust. Requests to download APK files from text messages, chat conversations or unfamiliar websites should be treated as suspicious.

A legitimate bank, courier, government agency or mobile provider is unlikely to require a customer to install an APK sent through a private message.

Users should review which applications have access to Accessibility Services, device administration, notifications, the camera, microphone, location and SMS messages. An unfamiliar application holding several of these permissions deserves immediate investigation.

Android and individual phone manufacturers also publish security updates regularly. Keeping the operating system and applications current can close vulnerabilities that malware may attempt to exploit.

How iPhone Users Can Protect Themselves

iPhone owners should avoid installing unknown configuration profiles, enterprise applications, device-management certificates or software distributed outside trusted channels.

Apple’s Safety Check feature allows users to review account access, sharing settings and permissions through Settings, Privacy & Security and Safety Check.

People who believe they may be targeted by sophisticated spyware can also consider Apple’s Lockdown Mode. It restricts certain features and attack surfaces, although Apple describes it as an extreme protection intended mainly for people facing highly advanced targeted threats.

Instructions are available through Apple’s official Lockdown Mode guide and its personal safety documentation.

Keeping iOS fully updated remains one of the most important protections. Apple regularly releases patches for vulnerabilities used in real-world attacks.

Warning Signs That Deserve Attention

Mobile spyware is designed to remain hidden, so there may be no obvious warning. However, unexpected battery drain, unexplained data usage, unusual overheating, persistent permission prompts or unfamiliar applications can justify a closer review.

Users should also investigate unexpected account-login alerts, one-time passwords they did not request, financial transactions they do not recognize or sudden changes to security settings.

These symptoms do not prove that ZeroDayRAT is installed. Battery and performance problems frequently have harmless explanations. A combination of suspicious activity, unknown software and compromised accounts is more concerning than any single symptom.

What to Do After a Suspected Infection

Someone who suspects that a phone has been compromised should avoid using that device to change important passwords, because spyware may capture the new credentials.

Passwords for email, banking, cloud storage and social-media accounts should instead be changed from a separate trusted device. Financial institutions should be contacted quickly when unauthorized transactions or payment attempts appear.

The user should preserve any suspicious messages, links and application names before removing software, especially when stalking, fraud or workplace espionage may be involved. A qualified mobile-security professional may be needed to examine the device.

A factory reset can remove many forms of ordinary mobile malware, but it should not be treated as a guaranteed solution for every sophisticated infection. Important accounts, recovery methods and security settings should also be reviewed after the device is cleaned or replaced.

The Bigger Risk Is Easier Access to Powerful Spyware

The most troubling feature of ZeroDayRAT is not necessarily a single new technical capability. It is the way surveillance and financial-theft functions have been combined into a product that appears designed for inexperienced buyers.

A criminal still needs a way to reach the victim and persuade them to install something malicious. However, once that step succeeds, the toolkit could provide access to messages, locations, passwords, cameras, microphones and financial accounts from one dashboard.

Users can reduce their exposure by refusing unexpected downloads, keeping their phones updated, reviewing powerful application permissions and treating urgent messages containing installation links with suspicion.

Leave a Reply

Your email address will not be published. Required fields are marked *