Hackers Offer ZeroDayRAT to Seize Full Control of Android and iPhone Devices
A newly marketed spyware kit promises live surveillance, OTP interception, and direct financial theft.
A Commercial Spyware Platform Emerges
Researchers at iVerify have uncovered a new mobile malware operation called ZeroDayRAT. Sellers are promoting the toolkit on Telegram to cybercriminal buyers who want remote control over victims’ smartphones.
The platform claims support for Android versions 5 through 16 and iOS devices up to the latest releases. Unlike simple stealers, this system combines surveillance, persistence, and fraud capabilities into a single operator console.
What Attackers See After Infection
The management panel gives criminals a real-time overview of compromised devices. Operators can view the phone model, operating system, SIM data, battery state, country, and whether the device is locked.
They can also review:
- Application usage
- Activity timelines
- SMS conversations
- Registered accounts
This intelligence helps attackers plan impersonation, password attacks, or lateral movement into corporate services.
Real-Time Tracking and Live Monitoring
If the malware obtains GPS permissions, operators can track victims continuously. The interface plots movement on a live map and retains historical location data.
ZeroDayRAT also supports direct surveillance. Attackers can activate cameras, enable microphones, and record screens. As a result, they can watch sensitive activity as it happens.
Built to Break Modern Authentication
When the malware holds SMS permissions, it intercepts one-time passwords delivered by text message, which allows criminals to bypass SMS-based multi-factor authentication. The same access lets them send messages from the victim’s device, increasing the credibility of fraud campaigns.
A keylogging component captures typed credentials, gestures, and even unlock patterns.
Financial Theft Modules Included
The toolkit goes further by integrating dedicated banking and cryptocurrency theft features.
Researchers observed wallet discovery and manipulation targeting major services such as:
- MetaMask
- Trust Wallet
- Binance
- Coinbase
The malware records wallet identifiers, checks balances, and attempts clipboard hijacking by replacing copied addresses with attacker-controlled ones.
For banking, the stealer overlays fake login screens on legitimate apps. Victims unknowingly submit credentials directly to criminals.
Enterprise Risk Cannot Be Ignored
iVerify describes ZeroDayRAT as a complete mobile compromise toolkit. If attackers infect an employee device, they may gain access to corporate email, VPN tokens, cloud apps, and collaboration platforms.
Because many organizations rely on the phone as an authentication factor, compromise at this layer can undermine otherwise strong defenses.
Protection Steps for Users
Users should install applications only from official stores and select reputable publishers. High-risk individuals should activate advanced protections, such as platform lockdown features, to reduce exploit surfaces.
Meanwhile, organizations should treat mobile endpoints as critical assets. Continuous monitoring, device posture validation, and anomaly detection can significantly limit exposure.
The Bigger Picture
Mobile devices now hold identity, communication, and financial authority. Attackers understand this convergence and are investing accordingly.
ZeroDayRAT demonstrates how commercialized spyware continues to blur the line between espionage and cybercrime.