
A newly discovered spyware platform, ZeroDayRAT, is openly sold on Telegram, offering buyers complete remote access to both Android and iOS devices without requiring any technical expertise. The malware, identified by mobile security firm iVerify, provides a control panel that enables operators to surveil victims in real time and steal financial information across a wide range of operating system versions, including Android 5 through 16 and iOS up to version 26, covering recent devices such as the iPhone 17 Pro.

ZeroDayRAT primarily spreads through smishing—SMS-based phishing—alongside phishing emails, fake app stores, and malicious links shared via messaging platforms like WhatsApp and Telegram. Once installed on a device, the spyware grants attackers access to detailed device information, including the model, OS version, carrier details, SIM card data, app usage logs, and a complete timeline of user activity, all visible from a single centralised interface.

Features of ZeroDayRAT Malware

A critical feature of ZeroDayRAT is its ability to intercept SMS messages, rendering SMS-based two-factor authentication ineffective. When a user receives a one-time code from their bank or another service, the attacker can see it immediately, bypassing this common security measure and compromising accounts with ease.

The spyware includes a live surveillance module that can remotely stream video from the device’s front or rear camera, record the screen in real time, and activate the microphone to capture audio. This level of access means an attacker can effectively observe the victim’s physical environment and on-screen activity simultaneously.

ZeroDayRAT also deploys a sophisticated keylogger that records every keystroke made by the user, complete with timestamps and the specific application in use. This enables attackers to precisely harvest passwords, private messages, and other sensitive data, giving them a comprehensive view of the victim’s digital behaviour.

ZeroDayRAT: Tailored for Financial Crimes

The malware is specifically engineered for financial theft, with two dedicated modules designed to drain funds. The first module targets cryptocurrency wallets, including MetaMask, Trust Wallet, Binance, and Coinbase. It logs wallet addresses and balances, and can automatically replace copied wallet addresses with those controlled by the attacker, diverting funds during transactions.

The second financial module focuses on traditional banking apps and payment platforms such as PhonePe, Google Pay, Apple Pay, and PayPal. Using overlay attacks, ZeroDayRAT displays fraudulent login screens over legitimate apps to capture credentials directly from users, effectively compromising both bank accounts and cryptocurrency holdings through the same administrative panel.

The sale of ZeroDayRAT on Telegram represents a significant lowering of barriers to sophisticated cybercrime, as buyers need no programming knowledge to operate the spyware. The platform is marketed as a complete, ready-to-use solution for remote surveillance and theft, making advanced attacks accessible to a wider pool of malicious actors.

To defend against ZeroDayRAT and similar threats, security experts advise users to never click links from unknown senders, avoid downloading apps from third-party sources outside the official Google Play Store or Apple App Store, and keep device software consistently updated. These basic precautions remain effective in preventing initial infection despite the malware’s advanced capabilities.
