A new mobile spyware platform known as ZeroDayRAT is being marketed through Telegram channels as a subscription-based service that allows buyers to monitor and exploit Android and iOS devices, according to research published by Cyberthint.

The platform is presented as a Malware-as-a-Service (MaaS) offering, providing a web-based control panel that combines surveillance tools with financial theft capabilities. Researchers say the service is built so that even users without technical skills can operate it, showing how cybercrime tools are becoming easier to buy and use.

Smishing campaigns drive infections

According to researchers, the initial access is achieved through social engineering, including victims receiving SMS phishing messages containing links disguised as legitimate apps, updates, or service notifications.

Fake app stores and links distributed through WhatsApp and Telegram are also used to deliver the payload. Cyberthint’s analysis of promotional material shows attackers using multi-stage redirection chains and URL-shortening services to conceal malicious destinations. In some cases, links redirect through trusted infrastructure such as GitHub Pages, a tactic commonly used to bypass security filters that rely on domain reputation.
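The reputation-bypass described above is easy to see when a link check follows only one hop. The following is an added example, not Cyberthint's tooling or anything from the ZeroDayRAT panel: it walks a redirect chain against a constructed, offline response table (the hostnames, the `sh.rt` shortener and the allow-list are all made up for illustration) and contrasts a filter that judges the first landing host with one that inspects every hop.

```python
"""Added example: chain-aware inspection of a smishing link.

`fetch` stands in for an HTTP HEAD request and answers from a constructed
table, so the example runs without network access. Hosts, paths and the
allow-list below are hypothetical.
"""
from urllib.parse import urlparse

# Constructed redirect table: URL -> (HTTP status, Location header or None).
FAKE_RESPONSES = {
    "https://sh.rt/x9Q2": (302, "https://example-org.github.io/update/"),
    "https://example-org.github.io/update/": (302, "https://cdn-upd4te.example/app.apk"),
    "https://cdn-upd4te.example/app.apk": (200, None),
    "https://sh.rt/loop": (302, "https://sh.rt/loop"),  # self-referencing loop
}

# Hypothetical reputation allow-list a naive filter might trust outright.
TRUSTED_HOSTS = {"github.io", "github.com"}
# Hypothetical list of known URL shorteners.
SHORTENER_HOSTS = {"sh.rt"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch(url):
    """Stand-in for a HEAD request; unknown URLs answer 404."""
    return FAKE_RESPONSES.get(url, (404, None))


def host_matches(host, suffixes):
    """True if host equals or is a subdomain of any suffix in the set."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def follow_chain(url, max_hops=10):
    """Return every URL visited, stopping at a non-redirect, a loop or max_hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        chain.append(location)
        if location in seen:      # record the loop once, then stop
            break
        seen.add(location)
    return chain


def naive_verdict(url):
    """Reputation-only filter: unshortens one hop and judges that host alone."""
    _, location = fetch(url)
    landing = location if location else url
    host = urlparse(landing).hostname
    return "allow" if host_matches(host, TRUSTED_HOSTS) else "inspect"


def chain_verdict(url):
    """Chain-aware filter: flags shortener entry, trusted intermediate hops,
    long chains and an APK at the end of the chain (heuristics, not proof)."""
    chain = follow_chain(url)
    hosts = [urlparse(u).hostname for u in chain]
    findings = []
    if host_matches(hosts[0], SHORTENER_HOSTS):
        findings.append("starts at URL shortener")
    if any(host_matches(h, TRUSTED_HOSTS) for h in hosts[:-1]):
        findings.append("trusted host used as intermediate hop")
    if len(chain) >= 3:
        findings.append(f"{len(chain) - 1} redirect hops")
    if chain[-1].lower().endswith(".apk"):
        findings.append("final destination serves an APK")
    verdict = "block" if findings else "allow"
    return verdict, chain, findings


if __name__ == "__main__":
    link = "https://sh.rt/x9Q2"
    print("naive:", naive_verdict(link))
    verdict, chain, findings = chain_verdict(link)
    print("chain-aware:", verdict)
    for hop in chain:
        print("  ->", hop)
    for f in findings:
        print("  !", f)
```

The naive filter returns "allow" for the shortened link because the only host it ever sees is the GitHub Pages hop; the chain-aware filter reaches the APK host and blocks. In practice the `fetch` stand-in would be replaced by a HEAD request with redirects disabled, so each hop is recorded rather than silently followed.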

Centralized dashboard enables surveillance

Once installed, the malware connects to a control panel that aggregates device data and monitoring tools. Researchers report that operators can view device information, including model details, carrier data, battery status, and application usage timelines.

The spyware also advertises live tracking and monitoring features. These include GPS location tracking, remote camera and microphone activation, real-time screen recording, and keystroke logging. Such functionality would allow attackers to capture credentials, conversations, and activity across applications.

Built-in tools aimed at financial theft

In addition to surveillance, ZeroDayRAT includes modules focused on monetization. Researchers say the platform scans for cryptocurrency wallet applications such as MetaMask, Trust Wallet, Binance, and Coinbase. Clipboard injection features can replace copied wallet addresses with attacker-controlled ones, redirecting funds during transactions.
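Clipboard address swapping leaves a recognisable trace: a user copies an address-shaped string, and moments later a different package writes a different address of the same family back to the clipboard. The following detection logic is an added example, not part of Cyberthint's research; it runs over a constructed clipboard event log in a hypothetical `ts=... pkg=... op=... text=...` format (package names and addresses are made up), and the address regexes are deliberately loose heuristics rather than full checksum validation.

```python
"""Added example: detect clipboard wallet-address swaps in an event log.

The log format, package names and addresses are constructed for this
illustration; `op=copy` means a user-initiated copy, `op=write` a
programmatic clipboard set.
"""
import re
from dataclasses import dataclass

# Loose address-shape heuristics (no checksum validation).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[0-9a-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
}

LINE_RE = re.compile(r"ts=(\d+) pkg=(\S+) op=(copy|write) text=(\S+)")


@dataclass
class ClipEvent:
    ts_ms: int
    pkg: str
    op: str
    text: str


def parse_events(lines):
    """Parse constructed log lines; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(ClipEvent(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def address_family(text):
    """Return 'eth', 'btc' or None for a clipboard string."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swaps(events, window_ms=2000):
    """Alert when, shortly after a user copies an address, a *different*
    package writes a *different* address of the same family."""
    alerts = []
    last_copy = None
    for ev in sorted(events, key=lambda e: e.ts_ms):
        fam = address_family(ev.text)
        if ev.op == "copy":
            last_copy = ev if fam else None   # only track address copies
            continue
        if last_copy is None or fam is None:
            continue
        delay = ev.ts_ms - last_copy.ts_ms
        if (fam == address_family(last_copy.text)
                and 0 <= delay <= window_ms
                and ev.text != last_copy.text
                and ev.pkg != last_copy.pkg):
            alerts.append({
                "family": fam,
                "copied_by": last_copy.pkg,
                "writer": ev.pkg,
                "original": last_copy.text,
                "replacement": ev.text,
                "delay_ms": delay,
            })
            last_copy = None   # one alert per copy
    return alerts


# Constructed sample log: one swap, one benign non-address copy, one
# benign address re-write by the same app well outside the window.
ADDR_A = "0x" + "11" * 20
ADDR_B = "0x" + "22" * 20
ADDR_C = "bc1q" + "a" * 38
SAMPLE_LOG = [
    f"ts=1000 pkg=com.example.wallet op=copy text={ADDR_A}",
    f"ts=1180 pkg=com.example.sysupdate op=write text={ADDR_B}",
    "ts=9000 pkg=com.example.browser op=copy text=hello",
    "ts=9100 pkg=com.example.browser op=write text=hello",
    f"ts=20000 pkg=com.example.wallet op=copy text={ADDR_C}",
    f"ts=60000 pkg=com.example.wallet op=write text={ADDR_C}",
]

if __name__ == "__main__":
    for alert in detect_swaps(parse_events(SAMPLE_LOG)):
        print(f"[{alert['family']}] {alert['writer']} replaced address copied "
              f"from {alert['copied_by']} after {alert['delay_ms']} ms")
```

The same-family and time-window conditions keep the check quiet for ordinary clipboard use; the package comparison is what separates a swap from a wallet app normalising its own address. On a real device the events would come from an accessibility or MDM agent that can observe clipboard writes and their source package.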

The service also claims to target digital payment systems, including Apple Pay, Google Pay, and PayPal, using overlay techniques designed to capture login credentials. The malware authors also claim to provide access to the victim’s SMS messages, which could allow attackers to intercept one-time passcodes (OTPs) and bypass two-factor authentication.

ZeroDayRAT demo via Cyberthint

Authenticity questioned after analysis

While the operator reportedly agreed to use escrow services associated with established cybercrime forums, Cyberthint identified inconsistencies that raise doubts about the platform’s legitimacy.

Screenshots shared by the seller included signs that parts of the interface may be staged or generated using AI tools, including a browser tab referencing the creation of USDT wallet addresses. Researchers noted that displayed wallet data appeared static, suggesting the panel may not fully reflect a working system.

The findings leave open the possibility that ZeroDayRAT is either an active threat or an overhyped offering intended to attract buyers.

Part of an increase in mobile-targeted threats

Researchers also pointed to other mobile malware families gaining traction, including Arsink, which uses Google Apps Script infrastructure, the Anatsa banking trojan (aka TeaBot), and NFC-based attacks designed to steal contactless payment data.

The company says the growing number of mobile-focused threats shows the value of smartphones as repositories of financial data, authentication tokens, and personal communications. Therefore, users are advised to avoid opening unknown links delivered through SMS or messaging apps, particularly those involving urgent financial or account-related messages.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.