ZeroDayRAT Emerges as a Powerful New Spyware Threat Capable of Fully Compromising Android and iOS Devices

A newly discovered mobile spyware platform called ZeroDayRAT is rapidly emerging as one of the most dangerous threats to both Android and iOS devices ever seen. First spotted in early February 2026, this surveillance toolkit is now openly distributed and sold on Telegram with active support, updates, and a ready-made operator panel that requires no specialized technical expertise to use.

Unlike typical spyware tools that collect limited information, ZeroDayRAT offers operators full remote control of a target’s smartphone — turning it into a completely compromised device.


Cross-Platform Support and Infection Vectors

ZeroDayRAT runs on a wide range of devices:

  • Android versions 5 through 16
  • iOS up to version 26, including the latest devices such as the iPhone 17 Pro

The spyware must be delivered via a malicious binary:

  • an APK file on Android
  • a custom payload on iOS

The most frequent delivery method is smishing: SMS or messaging campaigns that trick users into downloading what appears to be legitimate software. Attackers also use phishing emails, links shared over WhatsApp or Telegram, and spoofed application stores.

Dashboard & Device Profiling

Once installed, ZeroDayRAT communicates with a remote operator dashboard that provides a comprehensive overview of the compromised device. Operators can see, in real time:

  • Device model and operating system
  • Battery status and carrier information
  • Dual SIM numbers and network details
  • Recent app usage and activity timelines
  • Intercepted SMS messages, including banking and personal conversations

This level of profiling gives attackers deep insight into a victim’s behavior and digital life without launching additional tools.


Location Tracking & Notifications

ZeroDayRAT captures and logs GPS coordinates, building a live and historical location map of the target. It also captures notifications from virtually every app — including social media alerts, missed calls, and system messages — allowing attackers to monitor activity without opening any app on the device itself.


Account Enumeration and SMS Control

Infected devices reveal an extensive list of every account registered on the device — from Google and WhatsApp to banking and payment platforms (like PhonePe, Google Pay, Apple Pay, and PayPal). This makes it trivial for attackers to identify high-value accounts for takeover or further attack.

ZeroDayRAT also provides full SMS inbox access, allowing attackers to read messages, send messages on the victim's behalf, and intercept one-time passwords (OTPs). This effectively neutralizes SMS-based two-factor authentication protections.


Live Surveillance and Input Capture

Beyond passive data collection, ZeroDayRAT gives operators live sensory control:

  • Front or back camera streaming
  • Screen viewing and recording
  • Microphone audio capture
  • Keylogging with millisecond precision

This means an attacker can watch, listen to, track, and observe exactly what the user is typing or doing on the device — all in real time.


Banking & Cryptocurrency Theft Modules

ZeroDayRAT includes dedicated modules designed for financial exploitation:

Cryptocurrency Theft

  • Scans for wallet apps like MetaMask, Trust Wallet, Binance, and Coinbase
  • Logs wallet IDs and balances
  • Performs clipboard address injection to replace copied wallet addresses with attacker addresses during transactions

Banking Attack Tools

  • Targets online banking applications and payment services
  • Uses overlay attacks to intercept credentials and transaction data
  • Works against traditional financial accounts and mobile payment platforms alike

These features make the platform not just a spying tool, but an effective financial exploitation suite.


Why ZeroDayRAT Matters

ZeroDayRAT represents a significant evolution in mobile spyware:

  • It delivers capabilities that previously required nation-state–level resources.
  • It is openly marketed on public channels rather than restricted underground forums.
  • It combines surveillance, infiltration, credential theft, and financial exploitation in a single package.

This makes it a threat not just to individual users, but to enterprises, governments, and critical infrastructure.


Defending Against ZeroDayRAT

Traditional security measures, such as basic mobile device management (MDM), are ineffective against fully featured spyware like ZeroDayRAT. Organizations and users must:

  • Employ enterprise-grade mobile endpoint detection and response (EDR)
  • Monitor for indicators of compromise
  • Educate users about smishing and phishing risks
  • Harden device configuration and authentication methods

Because ZeroDayRAT can bypass common protections (including SMS-based 2FA), a layered approach to mobile security is essential.
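As one way to act on "monitor for indicators of compromise" on Android, the added example below (not part of the original article and not derived from ZeroDayRAT samples) triages an app inventory for sideloaded packages that combine several of the capabilities described above. The capability-to-permission mapping, the inventory record layout, and the package names are assumptions constructed for illustration.

```python
# Added example. The capability-to-permission mapping below is an assumption
# drawn from what Android requires for each capability in general; it is not
# taken from analysis of ZeroDayRAT samples.
P = "android.permission."
CAPABILITY_PERMISSIONS = {
    "sms_access": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "notification_capture": {P + "BIND_NOTIFICATION_LISTENER_SERVICE"},
    "input_capture": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "camera_mic": {P + "CAMERA", P + "RECORD_AUDIO"},
    "location": {P + "ACCESS_FINE_LOCATION"},
    "account_enumeration": {P + "GET_ACCOUNTS"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy


def capabilities(app):
    """Map requested permissions plus service bind permissions to capabilities."""
    held = set(app.get("permissions", [])) | set(app.get("service_bindings", []))
    return sorted(c for c, perms in CAPABILITY_PERMISSIONS.items() if held & perms)


def triage(inventory, threshold=4):
    """Return apps from untrusted installers that combine >= threshold capabilities."""
    findings = []
    for app in inventory:
        caps = capabilities(app)
        if app.get("installer") not in TRUSTED_INSTALLERS and len(caps) >= threshold:
            findings.append({"package": app["package"], "capabilities": caps})
    return sorted(findings, key=lambda f: len(f["capabilities"]), reverse=True)


# Constructed sample inventory (hypothetical package names, not real indicators).
SAMPLE_INVENTORY = [
    {"package": "com.example.chat", "installer": "com.android.vending",
     "permissions": [P + "READ_SMS", P + "CAMERA", P + "RECORD_AUDIO",
                     P + "ACCESS_FINE_LOCATION", P + "GET_ACCOUNTS"]},
    {"package": "com.example.torch", "installer": None,
     "permissions": [P + "CAMERA"]},
    {"package": "com.example.update.helper", "installer": None,
     "permissions": [P + "READ_SMS", P + "SEND_SMS", P + "SYSTEM_ALERT_WINDOW",
                     P + "CAMERA", P + "RECORD_AUDIO", P + "ACCESS_FINE_LOCATION",
                     P + "GET_ACCOUNTS"],
     "service_bindings": [P + "BIND_ACCESSIBILITY_SERVICE",
                          P + "BIND_NOTIFICATION_LISTENER_SERVICE"]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["package"], finding["capabilities"])
```

A hit is a prompt for review, not a verdict: legitimate accessibility or parental-control tools can match the same profile, so tune the threshold and trusted installer list to the fleet.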


Conclusion

ZeroDayRAT is one of the most potent mobile spyware threats uncovered in 2026. With its blend of reconnaissance, real-time control, and financial exploitation features — all packaged for easy use — it marks a dangerous new phase in mobile cyber threats. For both personal and corporate devices, the stakes have never been higher.