ZeroDayRAT: A Rising Mobile Spyware Threat with Global Reach
Since February 2, 2026, ZeroDayRAT, a sophisticated mobile spyware platform, has been sold openly on Telegram channels, offering cybercriminals an accessible tool for large-scale surveillance and financial theft. Developed and marketed through dedicated groups for sales, support, and updates, the malware targets Android (versions 5–16) and iOS (up to version 26, including iPhone 17 Pro) with minimal technical expertise required.
Operators gain real-time control via a browser-based dashboard, enabling live spying, data theft, and financial attacks against victims worldwide. Infections typically begin with social engineering: smishing texts, phishing emails, fake app stores, or malicious links shared on WhatsApp and Telegram. Once installed via an APK on Android or a payload on iOS, ZeroDayRAT grants full device access without the victim's knowledge.
Surveillance & Data Exfiltration Capabilities
The spyware’s dashboard provides a comprehensive overview of compromised devices, including:
- Device details: Model, OS version, battery level, country, lock status, SIM/carrier info, and dual-SIM numbers.
- User profiling: App usage timelines, peak activity hours, and network providers.
- Real-time notifications: Intercepted alerts from WhatsApp, Instagram, Telegram, YouTube, and system events.
- Location tracking: GPS data mapped on Google Maps, with historical movement records (e.g., a device in Bengaluru).
- Account harvesting: Usernames/emails from Google, WhatsApp, Instagram, Facebook, Amazon, Flipkart, PhonePe, Paytm, and Spotify, enabling account takeovers or follow-up phishing.
- SMS access: Full inbox search, message spoofing, and OTP interception, bypassing SMS-based two-factor authentication (2FA).
Advanced Surveillance & Financial Theft
ZeroDayRAT escalates beyond passive monitoring with active spying tools:
- Live camera/microphone streams (front/back) synced with GPS for real-time tracking.
- Keylogging: Captures keystrokes, biometrics, gestures, and app launches, paired with a live screen preview to steal passwords and sensitive inputs.
- Crypto theft: Targets wallets like MetaMask, Trust Wallet, Binance, and Coinbase, swapping clipboard addresses to hijack transactions.
- Banking attacks: Compromises UPI apps (PhonePe, Google Pay), Apple Pay, and PayPal via credential overlays, blending traditional and cryptocurrency theft.
Global Impact
Evidence from the dashboard shows compromised devices in multiple countries, including India and the U.S., underscoring the spyware’s widespread deployment. With its low barrier to entry and commercial availability, ZeroDayRAT represents a growing threat to individual privacy, financial security, and organizational data integrity.
Source: https://cyberpress.org/zerodayrat-targets-android-ios/
{
  "id": "amainscoigooflipaypaymet1771309885",
  "linkid": "amazon, instagram, coinbase, google, flipkart, paypal, paytm, meta",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [{"location": ["India", "U.S.", "Global"], "type": "Individuals"}],
  "attack_vector": ["smishing", "phishing", "fake app stores", "malicious links"],
  "data_breach": {
    "data_exfiltration": "Yes (via dashboard)",
    "personally_identifiable_information": "Yes (usernames, emails, phone numbers, GPS data)",
    "sensitivity_of_data": "High (financial, personal, biometric)",
    "type_of_data_compromised": ["PII", "account credentials", "SMS", "location data", "keystrokes", "camera/microphone streams"]
  },
  "date_detected": "2026-02-02",
  "description": "ZeroDayRAT is a sophisticated mobile spyware platform sold openly on Telegram channels since February 2, 2026. It targets Android (versions 5–16) and iOS (up to version 26, including iPhone 17 Pro) devices, enabling real-time surveillance, data theft, and financial attacks. Infections occur via social engineering tactics such as smishing, phishing, fake app stores, or malicious links. The spyware provides full device access, including live camera/microphone streams, keylogging, location tracking, and financial theft capabilities.",
  "impact": {
    "data_compromised": "Device details, user profiling, account credentials, SMS, location data, camera/microphone streams, keystrokes",
    "financial_loss": "Crypto theft, banking attacks (UPI, Apple Pay, PayPal), OTP interception",
    "identity_theft_risk": "High (PII exposure, account takeovers)",
    "operational_impact": "Account takeovers, unauthorized transactions, privacy violations",
    "payment_information_risk": "High (UPI, banking apps, crypto wallets)",
    "systems_affected": ["Android (versions 5–16)", "iOS (up to version 26)"]
  },
  "initial_access_broker": {
    "backdoors_established": "APK (Android), payload (iOS)",
    "entry_point": ["smishing", "phishing", "fake app stores", "malicious links"],
    "high_value_targets": ["Crypto wallets", "banking apps", "UPI apps"]
  },
  "motivation": ["surveillance", "financial theft", "data exfiltration"],
  "post_incident_analysis": {
    "root_causes": "Commercial availability of spyware, low barrier to entry for cybercriminals, social engineering tactics"
  },
  "references": [{"source": "Telegram channels (sales, support, updates)"}],
  "threat_actor": "Cybercriminals (via Telegram channels)",
  "title": "ZeroDayRAT: A Rising Mobile Spyware Threat with Global Reach",
  "type": "Spyware"
}