New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft
ZeroDayRAT: The New Android & iOS Spyware That’s Redefining Mobile Surveillance
A Telegram-Sold Toolkit That Turns Any Phone Into a Surveillance Device
Cybersecurity researchers have uncovered ZeroDayRAT, a sophisticated mobile spyware platform that’s being openly advertised and sold through Telegram channels. This isn’t just another malware strain—it represents a disturbing evolution in how surveillance capabilities are being packaged and distributed to anyone with cryptocurrency and malicious intent.
Daniel Kelley, security researcher at iVerify, revealed that ZeroDayRAT goes “beyond typical data collection into real-time surveillance and direct financial theft.” The platform operates through dedicated Telegram channels for sales, customer support, and regular updates, creating what amounts to a professional spyware-as-a-service operation.
Cross-Platform Compatibility and Distribution
ZeroDayRAT supports Android versions 5 through 16 and iOS versions up to 26, making it one of the most broadly compatible mobile surveillance tools discovered to date. The malware spreads primarily through social engineering tactics and fake app marketplaces, with operators receiving a complete builder package and online panel they can host on their own servers.
Once installed on a victim’s device, the operator gains access to an alarming array of surveillance capabilities through a self-hosted control panel. This includes real-time access to device details, location tracking with Google Maps integration, complete app usage monitoring, and even live camera and microphone feeds.
Financial Theft Capabilities That Rival Professional Crime Rings
What makes ZeroDayRAT particularly dangerous is its sophisticated financial theft modules. The malware includes a stealer component that scans for popular cryptocurrency wallets including MetaMask, Trust Wallet, Binance, and Coinbase. It then actively monitors the clipboard, substituting legitimate wallet addresses with attacker-controlled ones to reroute cryptocurrency transactions.
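The clipboard swap described above is detectable from the defender's side: a wallet app or endpoint agent can compare what the user actually copied with what the clipboard holds at paste time and flag a same-kind address substitution. The following is an added, self-contained example (not code from the article or from iVerify); the event log, address shapes and address values are constructed for illustration.

```python
import re

# Address shapes for the two most common wallet formats (constructed regexes for this example).
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BTC_ADDR = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def wallet_kind(text):
    """Return 'eth', 'btc' or None depending on whether text is a bare wallet address."""
    text = text.strip()
    if ETH_ADDR.fullmatch(text):
        return "eth"
    if BTC_ADDR.fullmatch(text):
        return "btc"
    return None


def detect_clipper(events):
    """events: ordered (kind, text) pairs; 'copy' is a user-initiated copy,
    'read' is the clipboard content observed when the user pastes.
    Returns (event_index, address_kind, reason) for each suspicious paste."""
    alerts = []
    last_copied = None
    for i, (kind, text) in enumerate(events):
        if kind == "copy":
            last_copied = text
            continue
        if kind != "read":
            raise ValueError(f"unknown event kind {kind!r}")
        found = wallet_kind(text)
        if found is None or text == last_copied:
            continue  # not an address, or exactly what the user copied: benign
        if last_copied is None:
            reason = "wallet address on clipboard with no preceding user copy"
        elif wallet_kind(last_copied) == found:
            reason = f"{found} address replaced by a different {found} address"
        else:
            reason = "non-address clipboard content replaced by a wallet address"
        alerts.append((i, found, reason))
    return alerts


# Constructed event log: a benign copy/paste, a benign address paste, then two swaps.
USER_ETH = "0x" + "ab" * 20   # constructed 40-hex-char address
SWAP_ETH = "0x" + "cd" * 20   # constructed attacker-style replacement
USER_BTC = "bc1" + "q" * 39   # constructed bech32-shaped address
SAMPLE_EVENTS = [
    ("copy", "see you at 5"), ("read", "see you at 5"),
    ("copy", USER_ETH), ("read", USER_ETH),
    ("copy", USER_ETH), ("read", SWAP_ETH),
    ("copy", "invoice 42"), ("read", USER_BTC),
]


def sample_alerts():
    return detect_clipper(SAMPLE_EVENTS)
```

The same comparison can be applied by a wallet app to the address a user pastes into a send form, where the user's own copy is the only legitimate source of that value.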
The platform also targets traditional banking through a dedicated bank stealer module that attacks mobile wallet platforms including Apple Pay, Google Pay, PayPal, and PhonePe—an Indian digital payments application that uses UPI (Unified Payments Interface) for instant money transfers.
The Complete Toolkit: From Keystrokes to Real-Time Surveillance
ZeroDayRAT’s capabilities read like a surveillance state’s wish list:
- Complete device profiling: Model, location, OS version, battery status, SIM and carrier details
- App intelligence: Full enumeration of installed applications and their usage patterns
- Communication interception: SMS message capture including one-time passwords (OTPs) to defeat two-factor authentication
- Keystroke logging: Every tap and swipe recorded
- Real-time surveillance: Live camera streaming and microphone activation for remote monitoring
- Account harvesting: Complete enumeration of all registered accounts including Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, and Spotify
The Democratization of Surveillance Technology
Perhaps most concerning is how ZeroDayRAT represents the “democratization” of surveillance technology. As Kelley notes, “A single buyer gets full access to a target’s location, messages, finances, camera, microphone, and keystrokes from a browser tab.” This level of capability was once the exclusive domain of nation-state actors and required significant investment in custom exploit development.
The platform’s cross-platform support and active development cycle make it an increasingly dangerous threat to both individuals and organizations. The barrier to entry for sophisticated mobile surveillance has never been lower.
A Broader Epidemic: The Mobile Malware Landscape
ZeroDayRAT is just one player in a rapidly expanding mobile malware ecosystem. Recent discoveries reveal an alarming trend of increasingly sophisticated attacks targeting both Android and iOS users:
Hugging Face RAT Campaign
An Android remote access trojan campaign has been using Hugging Face to host malicious APK files. The infection chain begins with seemingly harmless dropper apps that prompt users to install updates, ultimately downloading malware that requests accessibility permissions for surveillance and credential theft.
Arsink RAT: The Google Apps Script Connection
Arsink RAT uses Google Apps Script for media and file exfiltration to Google Drive, while leveraging Firebase and Telegram for command-and-control. Distributed via Telegram, Discord, and MediaFire links, Arsink infections have been concentrated in Egypt, Indonesia, Iraq, Yemen, and Türkiye.
The All Document Reader Deception
A document reader app uploaded to Google Play attracted over 50,000 downloads before being flagged as an installer for the Anatsa banking trojan (also known as TeaBot and Toddler).
deVixor: The Iranian Banking Trojan with Ransomware
This evolving Android banking RAT has been actively targeting Iranian users through phishing websites impersonating legitimate automotive businesses since October 2025. Beyond data harvesting, deVixor includes a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments.
ShadowRemit: Exploiting Cross-Border Money Transfer
This campaign has exploited fake Android apps and pages mimicking Google Play listings to enable unlicensed cross-border money transfers. These bogus pages promote unauthorized APKs as trusted remittance services with zero fees and improved exchange rates.
Government Impersonation in India
An Android malware campaign targeting Indian users has abused the trust associated with government services and official digital platforms, distributing malicious APKs through WhatsApp to deploy malware capable of data theft, persistent control, and cryptocurrency mining.
Triada’s Chrome Update Phishing
The operators of the Triada Android trojan have been observed using phishing landing pages disguised as Chrome browser updates to trick users into downloading malicious APKs hosted on GitHub, and have been actively taking over long-standing, fully verified advertiser accounts.
WhatsApp Screen Sharing Scams
A WhatsApp-oriented scam campaign has leveraged video calls where threat actors pose as bank representatives or Meta support, instructing victims to share their phone’s screen and install legitimate remote access apps like AnyDesk or TeamViewer to steal sensitive data.
GhostChat: The Pakistani Romance Scam Spyware
This malicious dating chat app has been distributed through romance scam tactics targeting individuals in Pakistan. The threat actors are also suspected of running a ClickFix attack and a WhatsApp device-linking attack called GhostPairing.
Phantom: The TensorFlow.js Click Fraud Trojan
This new family of Android click fraud trojans leverages TensorFlow.js to automatically detect and interact with specific advertisement elements on sites loaded in hidden WebViews. An alternative “signaling” mode uses WebRTC to stream live video feeds to attackers’ servers.
NFCShare: The Deutsche Bank Phishing Campaign
Distributed via a Deutsche Bank phishing campaign, NFCShare deceives users into installing a malicious APK under the pretext of an update, reading NFC card data and exfiltrating it to remote WebSocket endpoints.
The NFC Relay Revolution: Ghost Tap Scams
Group-IB’s recent report reveals a surge in NFC-enabled Android tap-to-pay malware, primarily advertised within Chinese cybercrime communities on Telegram. This technique, referred to as “Ghost Tap,” has already resulted in at least $355,000 in illegitimate transactions from one POS vendor alone between November 2024 and August 2025.
The end goal of these attacks is to trick victims into installing NFC-enabled malware and tapping their physical payment cards on their smartphones, capturing transaction data and relaying it to cybercriminals’ devices. This is achieved through dedicated apps installed on money mules’ devices to complete payments or cash out as though the victims’ cards were physically present.
The Commercialization of Cybercrime
Group-IB identified three major vendors of Android NFC relay apps: TX-NFC (with over 25,000 Telegram subscribers since January 2025), X-NFC (5,000+ subscribers), and NFU Pay (600+ subscribers). This commercialization of cybercrime tools represents a fundamental shift in the threat landscape, where sophisticated attack capabilities are being packaged, marketed, and sold like legitimate software products.
The steady increase in malware artifact detection between May 2024 and December 2025, combined with the appearance of new families while old ones remain active, indicates the rapid spread of this technology among fraudsters.
The Implications for Personal and Corporate Security
The emergence of ZeroDayRAT and the broader mobile malware ecosystem represents a critical inflection point in cybersecurity. Mobile devices have become the primary computing platform for billions of users worldwide, storing everything from personal communications to financial credentials and access to corporate networks.
The sophistication, availability, and commercial nature of these tools mean that effective mobile security can no longer be an afterthought. Organizations must implement comprehensive mobile device management, regular security awareness training, and robust detection capabilities to protect against these evolving threats.
As surveillance capabilities that once required nation-state resources become available to anyone with a Telegram account and cryptocurrency wallet, the fundamental nature of privacy and security in the digital age is being fundamentally challenged.