ZeroDayRAT Emerges as Advanced Cross-Platform Mobile Spyware, Blending Real-Time Surveillance with Direct Financial Theft

ZeroDayRAT is a commercial mobile Remote Access Trojan (RAT) offered in a Malware-as-a-Service (MaaS) model that combines advanced espionage, real-time surveillance, and direct financial theft capabilities against both Android and iOS devices. It’s actively marketed on underground channels such as Telegram, lowering the technical entry barrier for threat actors and enabling even non-expert operators to run sophisticated attacks.


Distribution & Infection Vectors

ZeroDayRAT’s operators rely on multiple deceptive delivery channels to install malicious payloads on victims’ devices:

  • Smishing (SMS phishing): Fraudulent SMS messages with misleading links impersonate legitimate services or app updates to persuade victims to click and install malware.
  • Malicious links on messaging apps: WhatsApp, Telegram, and other platforms are used to distribute shortened or cloaked URLs that lead to malicious APKs on Android or payload installers for iOS.
  • Fake app stores / third-party marketplaces: Rogue software repositories host counterfeit applications with embedded RAT implants.

Once a victim installs the payload, ZeroDayRAT establishes persistent access and reports back to a web-based control panel.


Supported Platforms

ZeroDayRAT claims compatibility with a broad range of mobile operating system versions, significantly increasing its potential target surface:

  • Android: Versions from early legacy builds up to Android 16
  • iOS: Versions up to iOS 26.2, a claim that, if accurate, indicates ongoing development to keep pace with current firmware.

Attack Control Panel & Data Exfiltration

Once installed, the spyware maintains a persistent, full-featured command-and-control channel to the attacker's infrastructure. The operator works from a browser-based control panel that aggregates and visualizes all harvested data.

Digital Profiling

The primary dashboard provides an immediate digital snapshot of the victim device, including:

  • Device model and OS version
  • Battery status and carrier information
  • List of installed applications and usage timeline
  • Recent calls and SMS history

This profiling lets an attacker tailor follow-on exploitation and single out high-value victims.


Real-Time Surveillance & Control

ZeroDayRAT enables active monitoring of physical and digital activity:

  • GPS Tracking: Real-time location tracking plus historical movement can be viewed on interactive map interfaces.
  • Camera & Microphone Activation: Both front and rear cameras, as well as microphones, can be triggered silently for live capture of surroundings.
  • Screen Recording: Real-time visual capture of the victim’s display.
  • Keylogging & Input Capture: Millisecond-precision keystroke logging, including typed passwords, clipboard data, app transitions, and biometric unlock events.

These capabilities effectively turn an infected smartphone into a remote sensor device for ongoing surveillance and data exfiltration.


Financial Theft & Fraud Modules

ZeroDayRAT goes beyond surveillance with specialized modules designed to steal money or compromise financial accounts:

Crypto Wallet Theft

  • Clipboard Injection: The malware watches the clipboard for copied cryptocurrency wallet addresses (targeting users of MetaMask, Binance, Trust Wallet, Coinbase and similar wallets) and replaces them with attacker-controlled addresses at the point of paste, so the victim unknowingly sends funds to the attacker.
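The clipboard-swap logic described above, as an added Python example written for this page (it is not ZeroDayRAT's code): a simulated clipper that regex-matches common address formats and substitutes attacker addresses, alongside the defensive check a wallet app or a cautious user can apply by comparing what was copied with what was actually pasted. The address patterns and the attacker addresses are constructed for illustration.

```python
import re

# Address formats a clipper typically matches. Patterns are constructed for this
# example: EVM chains (MetaMask, Trust Wallet, Coinbase Wallet) use 0x + 40 hex
# chars; Bitcoin uses base58 (1.../3...) or bech32 (bc1...).
ADDRESS_PATTERNS = {
    "evm": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "btc_base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,62}\b"),
}

# Hypothetical attacker-controlled addresses, one per format (constructed, not real).
ATTACKER_ADDRESSES = {
    "evm": "0x" + "ab" * 20,
    "btc_base58": "1Attacker" + "X" * 25,
    "btc_bech32": "bc1qattacker" + "q" * 30,
}


def simulate_clipper(clipboard_text: str) -> str:
    """Model the malware side: every recognised address in the clipboard is
    replaced with the attacker's address for the same format, so the victim
    pastes the wrong destination without noticing."""
    out = clipboard_text
    for fmt, pattern in ADDRESS_PATTERNS.items():
        out = pattern.sub(ATTACKER_ADDRESSES[fmt], out)
    return out


def extract_addresses(text: str) -> dict:
    """All wallet addresses found in text, keyed by format (for comparison)."""
    return {fmt: pattern.findall(text) for fmt, pattern in ADDRESS_PATTERNS.items()}


def detect_swap(copied: str, pasted: str) -> dict:
    """Defensive check: compare what the user copied with what was pasted.
    Returns {format: {"copied": [...], "pasted": [...]}} for every format whose
    address list changed; an empty dict means the clipboard was not tampered with."""
    before = extract_addresses(copied)
    after = extract_addresses(pasted)
    return {fmt: {"copied": before[fmt], "pasted": after[fmt]}
            for fmt in ADDRESS_PATTERNS if before[fmt] != after[fmt]}


if __name__ == "__main__":
    copied = "Send 0.5 ETH to 0x" + "12" * 20 + " before Friday"
    pasted = simulate_clipper(copied)  # what a clipper-infected device would paste
    print("copied:", copied)
    print("pasted:", pasted)
    print("swap detected:", detect_swap(copied, pasted))
```

The detection side needs only the two strings, so a wallet app can run it on the paste target before signing; the practical lesson is that a single-field compare of the full address catches the swap, where eyeballing the first and last few characters may not.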

Banking & Payment System Compromise

  • Overlay Attacks: Fake login screens drawn over Apple Pay, Google Pay, PayPal, or local banking apps harvest the credentials the victim types into them.
  • OTP Interception: Real-time capture of one-time passwords (2FA codes) from incoming SMS messages lets the operator complete logins and transactions despite SMS-based two-factor authentication.

These modules are designed to extract direct monetary value from victims with minimal interaction required by the attacker beyond initial infection setup.


Evasion, Accessibility & Marketization

ZeroDayRAT’s distribution and usability choices indicate a clear emphasis on lowering barriers for attackers:

  • User-friendly control panel: Operable from a standard web browser, requiring no malware-development skill.
  • Commercial pricing: Subscription tiers sold on Telegram, ranging from short-term access to monthly subscriptions, with escrow services used to build credibility in the criminal market.
  • Ongoing updates: Evidence of active development and compatibility updates increases the threat’s longevity.

This combination of features situates ZeroDayRAT as one of the first widely distributed mobile RAT toolkits capable of bridging classical espionage with real-time financial exploitation in a single service.


Security Implications & Defensive Considerations

ZeroDayRAT’s emergence marks a significant escalation in mobile threat capabilities:

  • Modern smartphones are deeply integrated into personal and corporate digital identities, making them high-value targets.
  • The malware’s ability to siphon 2FA codes, financial credentials, and behavioral data undermines traditional security assumptions that separate device compromise from financial theft.
  • Defense requires proactive mobile security hygiene: avoiding untrusted links, strict app installation controls (blocking sideloading and restricting installs to managed app stores), and mobile EDR and MDM solutions capable of detecting behavioral anomalies. Because the malware reads SMS, SMS-delivered OTPs should not be relied on for high-value accounts; authenticator apps and hardware (FIDO2) keys are not exposed to that interception path.
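Mapping the capabilities described above to the Android permissions they require gives a concrete triage check for the "strict app installation controls" point. The following Python script is an added example, not code from the article or from any vendor tool: it parses the output of `adb shell pm list packages -3 -i` (which third-party apps were installed by which installer), `adb shell dumpsys package <pkg>` (granted permissions) and `adb shell settings get secure enabled_accessibility_services`, and flags sideloaded apps that hold SMS access (OTP interception), SYSTEM_ALERT_WINDOW (overlays) or an enabled accessibility service (keylogging and UI control). The package names and command output are constructed samples; on a real device, feed in the commands' actual output. The permission-to-capability mapping and the trusted-installer list are assumptions of the example.

```python
import re
from typing import Dict, List

# Permissions/settings that the capabilities above need on Android. This mapping is
# the example's assumption, not something the article states.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; extend with your MDM agent

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
PERM_LINE = re.compile(r"(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """`adb shell pm list packages -3 -i` -> {package: installer}; 'null' = no store."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_granted_permissions(dumpsys_output: str) -> set:
    """Permissions reported as granted=true in `adb shell dumpsys package <pkg>`."""
    return {name for name, granted in PERM_LINE.findall(dumpsys_output) if granted == "true"}


def parse_accessibility_services(setting_value: str) -> set:
    """`settings get secure enabled_accessibility_services` -> set of packages."""
    if setting_value.strip() in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in setting_value.strip().split(":") if entry}


def triage(pm_output: str, dumpsys_by_pkg: Dict[str, str], a11y_setting: str) -> Dict[str, List[str]]:
    """Per package, the spyware-relevant properties it has."""
    a11y_pkgs = parse_accessibility_services(a11y_setting)
    findings = {}
    for pkg, installer in parse_installers(pm_output).items():
        flags = []
        if installer not in TRUSTED_INSTALLERS:
            flags.append("sideloaded")
        perms = parse_granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        if perms & SMS_PERMS:
            flags.append("sms_access")      # OTP interception
        if OVERLAY_PERM in perms:
            flags.append("overlay")         # fake login screens
        if pkg in a11y_pkgs:
            flags.append("accessibility")   # keylogging / UI control
        findings[pkg] = flags
    return findings


def suspicious(findings: Dict[str, List[str]]) -> List[str]:
    """Sideloaded apps that combine at least two spyware-relevant capabilities."""
    return sorted(p for p, f in findings.items() if "sideloaded" in f and len(f) >= 3)


# Constructed sample output (hypothetical package names), in the real commands' formats.
SAMPLE_PM = """\
package:com.hypothetical.wallet  installer=com.android.vending
package:com.hypothetical.sysupdate  installer=null
package:com.hypothetical.notes  installer=null
"""
SAMPLE_DUMPSYS = {
    "com.hypothetical.sysupdate": """\
  Package [com.hypothetical.sysupdate] (1a2b3c):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
""",
    "com.hypothetical.wallet": """\
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
""",
    "com.hypothetical.notes": "    runtime permissions:\n",
}
SAMPLE_A11Y = "com.hypothetical.sysupdate/.KeyService:com.android.talkback/.TalkBackService"

if __name__ == "__main__":
    results = triage(SAMPLE_PM, SAMPLE_DUMPSYS, SAMPLE_A11Y)
    for pkg, flags in results.items():
        print(f"{pkg}: {', '.join(flags) or 'nothing notable'}")
    print("investigate:", suspicious(results))
```

On a managed fleet the same checks map to MDM policy: disallow unknown-source installs, deny SYSTEM_ALERT_WINDOW and accessibility services to unapproved packages, and alert when a non-store app acquires SMS permissions.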