Security experts have identified a sophisticated mobile spyware known as ZeroDayRAT that targets both Android and iOS users through a professionalized sales model on Telegram. This malicious platform enables attackers to conduct deep surveillance, monitor real-time activities, and execute direct financial theft by compromising payment applications and digital wallets.
Cybersecurity investigators have uncovered a comprehensive spyware ecosystem called ZeroDayRAT that is being actively marketed through Telegram channels. The developers of this platform provide a full suite of services, including customer support and a dedicated builder for creating malicious software. Unlike basic data harvesters, this platform is designed for deep intrusion, offering a self-hosted control panel that allows purchasers to manage their surveillance operations independently. The software is compatible with a wide range of mobile operating systems, covering Android versions 5 through 16 and iOS versions up to 26.
The infection process typically begins with social engineering tactics or the use of fraudulent application marketplaces to trick users into installing the malware. Once a device is compromised, the operator gains immediate access to a wealth of telemetry, including the device model, battery status, and carrier information. Beyond basic hardware details, the spyware tracks app usage and provides previews of recent messages and notifications. This level of access allows attackers to build a detailed profile of the victim's digital life and social circles.
Location tracking is a core feature of the platform: it extracts precise GPS coordinates and maps them in real time. The software maintains a complete history of the victim's movements, essentially turning the mobile device into a permanent tracking beacon. The intrusion extends to the victim's digital identity through an accounts module that identifies every registered profile on the device. This includes sensitive credentials and usernames for global platforms like Google, Facebook, and Amazon, as well as region-specific services like Flipkart and various banking tools.
ZeroDayRAT features aggressive surveillance capabilities such as keystroke logging and the interception of one-time passwords, which allows attackers to bypass two-factor authentication. The platform also supports live interactions, giving the adversary the ability to remotely activate the device camera and microphone for real-time monitoring of the victim's environment. These features transition the malware from a passive data collector into an active tool for physical and digital stalking.
The final layer of the malware focuses on financial exploitation through specialized stealer modules. It specifically targets cryptocurrency wallets and payment applications like Apple Pay and PayPal by monitoring the system clipboard to redirect funds. The software is also equipped to compromise the Unified Payments Interface used in India, allowing for the direct theft of money through popular digital payment apps. By combining administrative control with financial interception, ZeroDayRAT represents a significant threat to mobile security and user privacy.
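The clipboard-hijacking ("clipper") behaviour described above can be detected on the device side by watching for a payment identifier being silently overwritten. The following is an added example, not code from the article or from any ZeroDayRAT analysis; it assumes a clipboard audit log that records timestamp, text and the package name of the app that wrote the clipboard, and it runs over constructed sample events.

```python
import re
from dataclasses import dataclass

# Simplified shapes of the identifiers a clipper targets: BTC (legacy/bech32), ETH, and UPI VPAs.
PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "upi": re.compile(r"^[A-Za-z0-9._-]{2,}@[A-Za-z]{2,}$"),
}

@dataclass
class ClipEvent:
    t: float       # seconds since boot (assumed to come from the audit log)
    text: str      # clipboard content written
    writer: str    # package name of the app that wrote it (assumed field)

def classify(text):
    """Return the identifier kind ('btc', 'eth', 'upi') or None for non-payment text."""
    for kind, pat in PATTERNS.items():
        if pat.match(text.strip()):
            return kind
    return None

def detect_clipper(events, window=2.0):
    """Flag a payment identifier overwritten by a different one of the same kind,
    by a different app, within `window` seconds: the signature of a clipper swap."""
    alerts, prev = [], None
    for ev in events:
        kind = classify(ev.text)
        if prev and kind == prev[0] and ev.text != prev[1].text \
                and ev.writer != prev[1].writer and ev.t - prev[1].t <= window:
            alerts.append({"t": ev.t, "kind": kind, "writer": ev.writer,
                           "original": prev[1].text, "replacement": ev.text})
        prev = (kind, ev) if kind else None
    return alerts

# Constructed sample log: one swap by an unknown package, then benign copies.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "1BoatSLRHtKNngkdXEeobR76b53LETtpyT", "com.example.wallet"),
    ClipEvent(0.4, "bc1q" + "z" * 38, "com.example.unknownservice"),   # swapped 0.4s later
    ClipEvent(30.0, "alice@okaxis", "com.example.upi"),
    ClipEvent(30.2, "alice@okaxis", "com.example.upi"),                # same text: no alert
    ClipEvent(60.0, "0x" + "ab" * 20, "com.example.wallet"),
    ClipEvent(70.0, "0x" + "cd" * 20, "com.example.wallet"),           # same app, outside window
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"ALERT t={a['t']} {a['kind']} rewritten by {a['writer']}: {a['original']} -> {a['replacement']}")
```

The same-writer and time-window conditions keep a user copying a second address from their own wallet from raising an alert; a real deployment would also require the writer to be a non-foreground app.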
Source: New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft