ZeroDayRAT Emerges as Powerful Cross-Platform Mobile Spyware Sold on Telegram
Cybersecurity researchers have uncovered a new commercial mobile spyware platform known as ZeroDayRAT, which is being openly promoted on Telegram as a comprehensive surveillance and financial theft toolkit targeting both Android and iOS devices.
According to Daniel Kelley, a security researcher at iVerify, the developers operate dedicated Telegram channels for sales, updates, and customer support. Buyers receive access to a malware builder and a fully functional spyware management panel, enabling even less-skilled actors to deploy sophisticated surveillance campaigns.
Broad Device Support and Distribution Tactics
ZeroDayRAT supports Android versions 5 through 16 and iOS versions up to 26. The malware is believed to spread through social engineering techniques, fake app marketplaces, and malicious APK files.
Customers are provided with:
- A malware builder to generate malicious binaries
- A self-hosted web-based control panel
- Ongoing updates and operational support
Once deployed, the spyware gives operators detailed insight into infected devices, including:
- Device model and operating system
- GPS location and movement history (mapped via Google Maps)
- Battery status and SIM details
- Carrier information
- Installed apps and usage patterns
- Notifications and recent SMS previews
This level of visibility allows attackers to profile victims, monitor communications, and identify frequently used applications.
Deep Account Enumeration and Surveillance Capabilities
One of the platform’s most concerning features is its account enumeration module. The control panel lists all accounts registered on the device, including services such as:
- Telegram
- Amazon
- Flipkart
- PhonePe
- Paytm
- Spotify
Usernames and associated email addresses are exposed, enabling identity profiling and further exploitation.
Additional spyware capabilities include:
- Keystroke logging
- Full SMS extraction, including one-time passwords (OTPs)
- Bypassing SMS-based two-factor authentication by capturing the delivered codes
- Live camera streaming
- Microphone access for real-time audio surveillance
- Remote device control
Financial Theft Modules
ZeroDayRAT includes dedicated modules designed for financial fraud.
Crypto Wallet Theft:
The malware scans for wallet applications such as:
- MetaMask
- Trust Wallet
- Binance
- Coinbase
It can intercept clipboard data and replace copied wallet addresses with attacker-controlled addresses, rerouting cryptocurrency transactions.
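The clipboard substitution described above is simple to model, and the same model shows the check a wallet app can make at paste time. The following Python is an added illustration, not code from ZeroDayRAT or from the researchers; the address regexes are deliberately simplified (no checksum validation), and every address in it, including the "attacker" ones, is a constructed sample value.

```python
"""Clipboard "clipper" substitution next to a paste-time destination check.

Added illustration, not malware source or researcher code. Address patterns
are simplified (format only, no checksums); all addresses are constructed.
"""
import re

# Regexes for the address formats a clipper most commonly targets (simplified).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
}

# Attacker-controlled replacement addresses, one per format (hypothetical values).
ATTACKER_ADDRESSES = {
    "eth": "0x" + "de" * 20,
    "btc_bech32": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "btc_legacy": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
}


def classify_address(text: str):
    """Return the format name if the whole string is one address, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None


def clipper_rewrite(clipboard_text: str):
    """What a clipper does on every clipboard change: swap any recognised
    address for the attacker's address of the same format. Returns the new
    clipboard content and the format that was hijacked (None if untouched)."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        new_text, count = pattern.subn(ATTACKER_ADDRESSES[kind], clipboard_text)
        if count:
            return new_text, kind
    return clipboard_text, None


def address_fingerprint(address: str) -> str:
    """Prefix/suffix a wallet UI can show so the user can eyeball the destination."""
    return f"{address[:6]}...{address[-6:]}"


def paste_matches_intended(intended: str, pasted: str) -> bool:
    """Wallet-side defence: compare the pasted destination with the address the
    user actually meant (copied earlier or taken from a trusted address book),
    not merely check that it looks like a valid address."""
    return classify_address(pasted) is not None and pasted == intended


if __name__ == "__main__":
    victim_address = "0x" + "ab12" * 10            # constructed sample address
    clipboard = f"send to {victim_address} please"  # what the victim copied
    tampered, kind = clipper_rewrite(clipboard)
    print("hijacked format:", kind)
    print("intended:", address_fingerprint(victim_address))
    print("pasted:  ", address_fingerprint(tampered.split()[2]))
    print("safe to send:", paste_matches_intended(victim_address, tampered.split()[2]))
```

The defensive check is deliberately a full string comparison against a known-good value: showing only a fingerprint helps a careful user, but attackers can mint vanity addresses that share the first and last few characters, so the UI hint is a supplement, not a substitute.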
Banking and Mobile Wallet Targeting:
A bank stealer component targets:
- Apple Pay
- Google Pay
- PayPal
- PhonePe (a popular Indian digital payment app using UPI)
By harvesting credentials and transaction data, attackers can initiate unauthorized transfers and payment fraud.
Lowering the Barrier for Cybercrime
Researchers describe ZeroDayRAT as a “complete mobile compromise toolkit” — a capability once associated primarily with nation-state actors. With cross-platform support and active development, it represents an escalation in the commercialization of mobile surveillance tools.
The availability of such platforms on Telegram significantly lowers the barrier to entry for cybercriminals, allowing buyers to monitor or control, from a simple browser-based panel, a victim's:
- Location
- Messages
- Financial accounts
- Camera and microphone
- Keystrokes
Growing Wave of Mobile Malware Campaigns
The discovery of ZeroDayRAT coincides with multiple mobile malware campaigns observed globally:
- An Android RAT campaign used Hugging Face to host malicious APKs delivered via dropper apps.
- Arsink, another Android RAT, utilized Google Apps Script for data exfiltration and Telegram/Firebase for command-and-control operations.
- A malicious app named “All Document Reader” on Google Play acted as an installer for the Anatsa banking trojan.
- The deVixor banking trojan targeted Iranian users through phishing websites and included a ransomware component.
- ShadowRemit leveraged fake remittance apps and websites to conduct unauthorized cross-border transfers.
- Government-themed WhatsApp campaigns in India distributed malware disguised as official services.
- Triada operators hijacked verified advertiser accounts to distribute malicious Chrome update APKs.
- WhatsApp-based scams used video calls and legitimate remote access apps like AnyDesk and TeamViewer to steal data.
- A Pakistan-focused romance scam distributed a malicious chat app called GhostChat.
- Phantom click-fraud malware used TensorFlow.js to automate ad fraud in hidden WebViews.
- NFCShare malware targeted Deutsche Bank customers and exfiltrated NFC card data.
Surge in NFC Relay (“Ghost Tap”) Attacks
Group-IB has reported a rise in NFC-enabled tap-to-pay malware, frequently advertised in Chinese cybercrime Telegram communities.
The NFC relay technique, also known as “Ghost Tap,” tricks victims into installing malware and then tapping their physical payment cards against their own smartphones. The malware reads the card over NFC and relays the card's responses in real time to attackers or money mules, whose devices present them to a payment terminal to complete fraudulent purchases.
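The relay path above adds two network hops to every command the terminal sends, which is what timing-based relay defences measure. The Python below is an added toy model, not code from Group-IB or from any of the vendors named on this page: the commands and responses are constructed stand-ins for the opening of an EMV contactless exchange, the latencies are simulated rather than measured, and the round-trip budget is a hypothetical value, not a figure from any payment-network specification.

```python
"""Toy model of an NFC relay ("Ghost Tap") transaction and a timing check.

Added illustration, not Group-IB's or a vendor's code. Commands, responses and
timings are constructed; the RTT budget is hypothetical, not an EMV figure.
"""
from dataclasses import dataclass

# Constructed stand-ins for the first commands of an EMV contactless exchange.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E4444463031")
SELECT_AID = bytes.fromhex("00A4040007A0000000041010")
GET_PROCESSING_OPTIONS = bytes.fromhex("80A8000002830000")
SW_OK = b"\x90\x00"          # status word: success
SW_NOT_FOUND = b"\x6a\x82"   # status word: file/application not found


class PhysicalCard:
    """The victim's card: answers a few APDUs with a tiny, fixed processing delay."""
    PROCESSING_MS = 1.0
    RESPONSES = {
        SELECT_PPSE: b"PPSE-FCI" + SW_OK,
        SELECT_AID: b"APP-FCI" + SW_OK,
        GET_PROCESSING_OPTIONS: b"AIP-AFL" + SW_OK,
    }

    def transact(self, apdu: bytes):
        """Return (response, round_trip_ms) as seen by whoever holds the card."""
        return self.RESPONSES.get(apdu, SW_NOT_FOUND), self.PROCESSING_MS


@dataclass
class RelayedCard:
    """Ghost Tap path: the victim's infected phone reads the card and forwards
    each APDU over the network to the mule's phone, which replays it at the
    terminal. Every command therefore crosses the network twice, plus the
    processing overhead of both phones."""
    card: PhysicalCard
    one_way_latency_ms: float
    phone_overhead_ms: float = 2.0  # constructed per-phone overhead

    def transact(self, apdu: bytes):
        response, card_ms = self.card.transact(apdu)
        return response, card_ms + 2 * self.one_way_latency_ms + 2 * self.phone_overhead_ms


class Terminal:
    """Payment terminal that times every command (simplified relay-resistance check)."""
    SCRIPT = (SELECT_PPSE, SELECT_AID, GET_PROCESSING_OPTIONS)

    def __init__(self, max_rtt_ms: float):
        self.max_rtt_ms = max_rtt_ms  # hypothetical per-command budget

    def run_transaction(self, card) -> dict:
        rtts = []
        for apdu in self.SCRIPT:
            response, rtt = card.transact(apdu)
            if not response.endswith(SW_OK):
                return {"approved": False, "reason": "card_error",
                        "max_rtt_ms": max(rtts, default=0.0)}
            rtts.append(rtt)
        slowest = max(rtts)
        if slowest > self.max_rtt_ms:
            return {"approved": False, "reason": "relay_suspected", "max_rtt_ms": slowest}
        return {"approved": True, "reason": "ok", "max_rtt_ms": slowest}


def demo():
    """Run a direct tap and a relayed tap against a terminal with a 10 ms budget."""
    card = PhysicalCard()
    strict = Terminal(max_rtt_ms=10.0)
    direct = strict.run_transaction(card)
    relayed = strict.run_transaction(RelayedCard(card, one_way_latency_ms=40.0))
    return direct, relayed


if __name__ == "__main__":
    for label, result in zip(("direct tap", "relayed tap"), demo()):
        print(f"{label}: {result}")
```

A terminal with no timing budget (or a generous one) approves the relayed exchange, which is why the technique works against deployments that do not enforce relay-resistance checks; in the model, `Terminal(max_rtt_ms=1000.0)` accepts the same relayed card that the strict terminal rejects.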
Researchers identified major vendors such as:
- TX-NFC
- X-NFC
- NFU Pay
Thousands of subscribers reportedly follow these services on Telegram. From late 2024 through 2025, hundreds of thousands of dollars in fraudulent transactions have been recorded, with mobile wallets preloaded with compromised cards used globally for cash-out operations.
Escalating Mobile Threat Landscape
The consistent evolution of mobile spyware, banking trojans, NFC relay attacks, and surveillance tools highlights a broader trend: advanced cybercrime capabilities are becoming commercialized, scalable, and widely accessible.
As mobile devices increasingly serve as hubs for communication, identity, and financial activity, they are becoming prime targets for sophisticated, cross-platform malware ecosystems.