A new spyware called ZeroDayRAT can take over your iPhone or Android via text — here is how to stay safe – Tom’s Guide

Lead: Cybersecurity researchers have identified a new commercial spyware called ZeroDayRAT that, according to reports, is being sold openly on Telegram and marketed to criminals with customer support and updates. The tool can reportedly seize full control of both iPhones and Android phones, harvest credentials, intercept SMS-based 2FA codes, activate cameras and microphones, and track victims in real time. The initial sightings were reported at the start of this month by security researchers and security news outlets. At present there are no confirmed large-scale campaigns tied to ZeroDayRAT, but researchers warn the risk is rising.

Key Takeaways

  • ZeroDayRAT is described as a commercial mobile spyware platform advertised on Telegram with customer support and regular updates.
  • Researchers report the malware can target devices running up-to-date software, including iOS 26 and Android 16, by delivering a malicious binary (APK for Android or payload for iOS).
  • The spyware can capture device metadata (model, OS version, SIM info), app usage, SMS, notifications, keystrokes, and clipboard contents.
  • It can remotely enable front/rear cameras and the microphone and stream location in real time, including map display of the victim’s position.
  • ZeroDayRAT can intercept SMS one-time passwords and perform overlay attacks to steal banking and payment credentials (Apple Pay, Google Pay, PayPal).
  • It includes a cryptocurrency-stealer module targeting wallets and platforms such as Coinbase, Binance, MetaMask and Trust Wallet.
  • Delivery methods are unconfirmed but researchers highlight SMS phishing/smishing, phishing emails, fake app stores and messaging links as likely vectors.
  • No major attacks publicly attributed to ZeroDayRAT have been confirmed yet, but analysts expect opportunistic use by cybercriminals.

Background

Commercial spyware has increasingly shifted from bespoke nation-state tools to commodity products sold to a broader criminal market. That transition lowers the technical barrier for attackers: a complex capability set can be offered through a web dashboard, along with support and updates, enabling less-skilled operators to perform high-impact intrusions. In recent years, malicious Android APKs and iOS payload chains have been distributed through social engineering techniques such as smishing, phishing, and fake app stores.

ZeroDayRAT arrives in that context. Security researchers flagged that it is being openly marketed and maintained, reflecting a broader trend where spyware vendors monetize capabilities previously restricted to elite actors. The availability of features like SMS interception, camera/microphone control, and crypto-stealing modules makes such tools attractive to both financial fraudsters and data harvesters. Regulators and platform vendors have responded to similar threats with mitigations, but new commercial products complicate those efforts.

Main Event

Researchers at iVerify reported encountering ZeroDayRAT advertisements on Telegram at the start of this month, prompting follow-up coverage by security outlets. According to the reporting, the vendor supplies a dashboard for operators to manage infected devices, plus technical support and frequent updates designed to maintain functionality against platform patches. The product is described as a one-stop panel that lists device details, connectivity, and harvested data in real time, simplifying large-scale abuse.

Technical descriptions indicate the malware requires a malicious binary to be installed: an Android APK or an iOS payload. While the exact delivery chains remain unconfirmed, researchers point to SMS phishing (smishing) as the simplest initial infection vector because it can convince users to tap a link and install a package. Other possible distribution channels include phishing emails, fake app markets, and links via messaging apps such as WhatsApp or Telegram.

Once installed, ZeroDayRAT reportedly collects extensive telemetry—battery, SIM, country, lock state—while also recording sensitive content such as messages, notifications, keyboard input, and clipboard data. Attackers can remotely activate cameras and microphones to surveil victims and use GPS to track real-time location, including visualization via mapping services. SMS access can be abused to capture one-time passwords and bypass SMS-based two-factor authentication, enabling account takeover.

The spyware also includes modules tailored to financial theft: overlay attacks to capture banking credentials and a cryptocurrency-stealer that searches an infected device for wallet identifiers and balances on services like Coinbase, Binance, MetaMask and Trust Wallet. The vendor’s dashboard reportedly groups these capabilities so operators can run searches, launch remote commands, and escalate attacks across large device sets.

Analysis & Implications

Commercialization plus accessible delivery methods raises the probability of wider abuse. When a vendor offers product support and updates, the tool’s effective lifespan increases: fixes and feature additions can outpace simple defensive measures. For defenders, that means incident responders and platform owners must assume continued evolution rather than a one-off threat. The economic model — sale or rental to many operators — expands the attacker population beyond technically sophisticated groups.

The ability to bypass SMS-based 2FA is particularly consequential because many consumers and organizations still rely on SMS codes for account recovery and authentication. If SMS interception is successful, attackers can lock users out of email, social media, banking, and crypto accounts. Organizations that depend on SMS for high-risk functions should accelerate migration to phishing-resistant authentication methods (hardware tokens, platform authenticators, or FIDO2 keys).

Platform-level mitigations differ: Android allows third-party apps and thus presents a larger attack surface for unaudited APKs, while Apple’s iOS walled-garden reduces app-based scanning options but is not impermeable to sophisticated payloads when social-engineered installs or exploits exist. The reported claim that the spyware can affect iOS 26 and Android 16 underlines that defenders must remain vigilant even on updated systems. Detection and containment require a mix of user education, platform telemetry monitoring, and endpoint forensic capabilities.

Comparison & Data

Capability                | ZeroDayRAT                                      | Typical impact
--------------------------|-------------------------------------------------|-------------------------------------------
Camera/microphone control | Yes                                             | Real-time surveillance, privacy invasion
GPS/location streaming    | Yes                                             | Persistent tracking, physical risk
SMS interception (2FA)    | Yes                                             | Account takeover risk
Crypto wallet stealing    | Yes (Coinbase, Binance, MetaMask, Trust Wallet) | Direct financial theft
Overlay attacks           | Yes                                             | Credential harvesting for banking/payments

The table summarizes reported tool capabilities and their likely consequences. Unlike adware or simple spyware, packages that combine remote control, credential interception, and crypto-targeting can be used for both espionage and direct financial extraction. Defensive teams should map telemetry signals (unexpected camera activation, SMS API access, overlay windows, sudden banking app logins) to these capability categories to prioritize investigation.
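As an added illustration of that signal-to-capability mapping (example code written for this page, not code from the article, iVerify, or any vendor), the following Python triage script reads constructed device telemetry lines in a hypothetical "timestamp|device|signal" format, assigns each known signal to one of the capability categories in the table, and escalates a device when SMS-read activity and an overlay or fresh banking login occur within a short window. The signal names, the line format, and the time window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical telemetry signal names mapped to the capability categories in the table above
SIGNAL_CATEGORY = {
    "camera_on_background": "camera/microphone control",
    "sms_read_by_nondefault_app": "SMS interception (2FA)",
    "overlay_over_banking_app": "overlay attacks",
    "location_stream_background": "GPS/location streaming",
    "wallet_app_data_read": "crypto wallet stealing",
    "banking_login_new_device": "sudden banking login",
}
FINANCIAL = {"overlay attacks", "sudden banking login"}  # escalate when paired with SMS access

def parse_event(line):
    """Parse a constructed 'ISO-timestamp|device|signal' telemetry line."""
    ts, device, signal = (part.strip() for part in line.split("|"))
    return datetime.fromisoformat(ts), device, signal

def priority(events, window=timedelta(minutes=10)):
    """events: (timestamp, category) pairs for one device; returns low/medium/high."""
    cats = {c for _, c in events}
    sms = [t for t, c in events if c == "SMS interception (2FA)"]
    fin = [t for t, c in events if c in FINANCIAL]
    # SMS-code capture close in time to an overlay or a new banking login is the account-takeover pattern
    correlated = any(abs(a - b) <= window for a in sms for b in fin)
    if len(cats) >= 3 or correlated:
        return "high"
    return "medium" if len(cats) == 2 else "low"

def triage(lines):
    """Return {device: (sorted categories, priority)}; unknown signals are ignored."""
    per_device = defaultdict(list)
    for ts, device, signal in map(parse_event, filter(str.strip, lines)):
        if signal in SIGNAL_CATEGORY:
            per_device[device].append((ts, SIGNAL_CATEGORY[signal]))
    return {d: (sorted({c for _, c in ev}), priority(ev)) for d, ev in per_device.items()}

SAMPLE = """\
2025-03-03T10:00:00|phone-A|sms_read_by_nondefault_app
2025-03-03T10:04:00|phone-A|overlay_over_banking_app
2025-03-03T10:06:00|phone-A|banking_login_new_device
2025-03-03T11:00:00|phone-B|camera_on_background
2025-03-03T09:00:00|phone-C|sms_read_by_nondefault_app
2025-03-03T12:30:00|phone-C|banking_login_new_device
2025-03-03T12:31:00|phone-C|app_update_check
"""  # constructed sample events, not real telemetry
if __name__ == "__main__":
    for device, (cats, prio) in triage(SAMPLE.splitlines()).items():
        print(f"{device}: {prio} -> {', '.join(cats)}")
```

Device phone-C shows why the time window matters: the same two signal types as phone-A's first and last events, but hours apart, stay at medium rather than being escalated.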

Reactions & Quotes

“We first observed ZeroDayRAT being openly sold on Telegram at the start of this month,”

iVerify (security firm report)

“ZeroDayRAT is a commercial mobile spyware platform”

BleepingComputer (security news outlet)

“There are currently no public reports of large campaigns using ZeroDayRAT, but its availability and features make opportunistic attacks likely,”

Tom’s Guide reporting (news outlet)

Unconfirmed

  • Exact infection vectors remain unproven; researchers suspect smishing but definitive delivery chains are not publicly confirmed.
  • Claims that ZeroDayRAT successfully compromises fully patched iOS 26 and Android 16 are reported by researchers but lack independent public validation.
  • The vendor’s pricing, total number of active operators, and any large-scale campaigns tied to the tool have not been independently verified.

Bottom Line

ZeroDayRAT represents a concerning example of spyware being packaged as a commercial product: a full-featured control panel, regular updates, and vendor support make it easier for a wider circle of criminals to carry out intrusive attacks. The combination of SMS interception, remote camera/microphone control, location tracking, and crypto-theft modules elevates both privacy and financial risks for infected users.

Immediate precautions for consumers include avoiding links from unknown senders (particularly in SMS), not sideloading apps from outside official stores on Android, and adopting phishing-resistant authentication where possible. Organizations should accelerate migration away from SMS-based 2FA for high-risk operations, monitor device telemetry for suspicious behavior, and ensure incident response processes can rapidly isolate compromised endpoints. Continued reporting and coordinated mitigations from platform vendors and security firms will be key to limiting ZeroDayRAT’s impact.
