ZeroDayRAT malware grants full access to Android, iOS devices

A new commercial mobile spyware platform dubbed ZeroDayRAT is being advertised to cybercriminals on Telegram as a tool that provides full remote control over compromised Android and iOS devices.

The malware provides buyers with a full-featured panel for managing infected devices, reportedly supporting Android 5 through 16 and iOS up to the current version, iOS 26.

Researchers at mobile threat hunting company iVerify say that ZeroDayRAT not only steals data but also enables real-time surveillance and financial theft.


The dashboard shows compromised devices and information about the model, operating system version, battery status, SIM details, country, and lock state.

Dashboard overview
Source: iVerify

The malware can log app usage, activity timelines, and SMS message exchanges, and presents an overview of them to the operator.

Other tracking tabs on the dashboard display all received notifications as well as the accounts registered on the infected device, exposing email addresses and user IDs that could be used in brute-force and credential-stuffing attacks.

If the malware obtains location permission, it can also track the victim in real time, plotting their current position on a Google Maps view along with their full location history.

Tracking the victim in real time
Source: iVerify

Apart from passive data logging, ZeroDayRAT also supports active hands-on operations, such as activating the device’s cameras (front and rear) and microphone to gain access to a live media feed, or recording the victim’s screen to expose other secrets.

Accessing camera and microphone feeds
Source: iVerify

Moreover, if the SMS permission is granted, the malware can capture incoming one-time passwords (OTPs), enabling 2FA bypass, and can also send SMS messages from the victim's device.

The malware developer also included a keylogging module that can capture user input, like passwords, gestures, or screen unlock patterns.

Further financial theft is enabled through a cryptocurrency stealer module. The researchers found that the component activates a wallet app scanner looking for MetaMask, Trust Wallet, Binance, and Coinbase, logs wallet IDs and balances, and attempts clipboard address injection, replacing copied wallet addresses with attacker-controlled ones.
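To make the clipboard address injection concrete, the following is an added example (not iVerify's tooling and not code from ZeroDayRAT) that models what a "clipper" does and shows the defensive check a wallet app can apply: remember what the user actually copied and refuse a destination that was silently changed to a different address of the same kind. All wallet addresses below are constructed samples, and the address patterns are deliberately loose (they classify the address type, not its validity).

```python
"""Clipboard-hijack ("clipper") simulation and a copy/paste consistency check.

Added example, not part of the article or of any vendor tooling. The attacker
addresses and user addresses are constructed for illustration only.
"""
import re

# Loose syntactic patterns that identify the address *kind*, not its validity.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
}

# Constructed sample data (not real wallets).
USER_ETH = "0x" + "ab" * 20
ATTACKER_ADDRESSES = {"eth": "0x" + "cd" * 20, "btc_legacy": "1" + "A" * 33}


def address_kind(text):
    """Classify a clipboard string as an address kind, or None if it is not one."""
    t = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None


def same_address(a, b, kind):
    """Compare two addresses of one kind, respecting each format's case rules."""
    a, b = a.strip(), b.strip()
    if kind in ("eth", "btc_bech32"):   # hex and bech32 are case-insensitive
        return a.lower() == b.lower()
    return a == b                       # base58 (legacy BTC) is case-sensitive


def simulate_clipper(clipboard, attacker_addresses):
    """What the malware does: if the clipboard holds a wallet address and the
    attacker has a replacement of that kind, swap it in; otherwise leave it."""
    kind = address_kind(clipboard)
    if kind is not None and kind in attacker_addresses:
        return attacker_addresses[kind]
    return clipboard


def detect_swap(copied, pasted):
    """Defensive check for a wallet app: given the text the user copied and the
    text that arrives in the destination field, return a reason string if the
    address was replaced, or None if the paste is consistent with the copy."""
    copied_kind, pasted_kind = address_kind(copied), address_kind(pasted)
    if copied_kind is None or pasted_kind is None:
        return None  # not an address-to-address paste, nothing to compare
    if copied_kind != pasted_kind:
        return f"address kind changed from {copied_kind} to {pasted_kind}"
    if same_address(copied, pasted, copied_kind):
        return None
    return f"{copied_kind} address changed between copy and paste"


if __name__ == "__main__":
    hijacked = simulate_clipper(USER_ETH, ATTACKER_ADDRESSES)
    print("user copied :", USER_ETH)
    print("clipboard   :", hijacked)
    print("verdict     :", detect_swap(USER_ETH, hijacked))
```

The check only fires on an address-to-address substitution, which is exactly the clipper's behaviour; a user who legitimately pastes unrelated text, or the same address in a different hex case, is not flagged.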

The bank stealer targets online banking apps, UPI platforms like Google Pay and PhonePe, and payment services such as Apple Pay and PayPal. Credential theft occurs by overlaying fake screens.

The crypto and bank stealer modules
Source: iVerify

iVerify does not detail how the malware is delivered but says that ZeroDayRAT “is a complete mobile compromise toolkit.” The researchers warn that a compromised employee device could lead to enterprise breaches.

For an individual, a ZeroDayRAT compromise could expose their privacy and lead to financial losses.

Users are advised to install apps only from the official app stores, Google Play on Android and the App Store on iOS, and only from reputable publishers. High-risk users should consider enabling Lockdown Mode on iOS and Advanced Protection on Android.
