Full Report
Cybersecurity researchers have disclosed details of a new mobile spyware platform dubbed ZeroDayRAT that's being advertised on Telegram as a way to grab sensitive data and facilitate real-time surveillance on Android and iOS devices. "The developer runs dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware
Analysis Summary
# Tool/Technique: ZeroDayRAT
## Overview
ZeroDayRAT is a sophisticated cross-platform mobile spyware and "Commercial-Off-The-Shelf" (COTS) surveillance platform advertised on Telegram. It functions as a comprehensive toolkit that enables remote monitoring, data exfiltration, and financial theft. The platform is sold via a Malware-as-a-Service (MaaS) model, providing buyers with a malware builder and a self-hosted command-and-control (C2) panel.
## Technical Details
- **Type:** Mobile Spyware / Remote Access Trojan (RAT) / Infostealer
- **Platform:** Android (v5 through v16) and iOS (up to v26 [Note: Version number likely refers to future-proofing or projected compatibility])
- **Capabilities:** Real-time surveillance, keylogging, financial theft (address swapping), and account enumeration.
- **First Seen:** Reported February 2026
## MITRE ATT&CK Mapping
- **[TA0027 - Persistence]**
- [T1398 - Boot or Logon Initialization Scripts]
- **[TA0029 - Collection]**
- [T1430 - Accessing Audio Mic]
- [T1512 - Accessing Video Camera]
- [T1417 - Input Capture (Keylogging)]
- [T1433 - Accessing Call Log / SMS]
- **[TA0030 - Exfiltration]**
- [T1437 - Standard Application Layer Protocol]
- **[TA0032 - Credential Access]**
- [T1517 - Two-Factor Authentication Barring (OTP Interception)]
- **[TA0033 - Lateral Movement / Financial Theft]**
- [T1418 - Software Discovery (Wallet apps)]
## Functionality
### Core Capabilities
- **Information Gathering:** Collects device model, OS version, battery status, SIM/carrier details, and real-time app usage notifications.
- **Location Tracking:** Extracts current GPS coordinates and maintains a historical log of movements visualized on Google Maps.
- **Communication Interception:** Reads SMS messages and logs incoming notifications; specifically targets OTPs to bypass 2FA.
- **Account Enumeration:** Scans for and identifies users logged into Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, and Spotify.
### Advanced Features
- **Real-time Surveillance:** Facilitates "hands-on" operations including live streaming from the device camera and remote microphone activation.
- **Financial Stealer Module:**
- **Clipboard Hijacking:** Detects crypto wallet addresses (MetaMask, Coinbase, etc.) in the clipboard and replaces them with the attacker's address.
- **Payment App Targeting:** Specifically targets UPI-based apps like PhonePe and digital wallets like Apple/Google Pay and PayPal.
- **Cross-Platform Builder:** Provides operators with a builder tool to generate malicious binaries for both major mobile ecosystems.
## Indicators of Compromise
*Note: Specific hashes and domains were not provided in the source text; metrics below reflect behavioral and procedural indicators.*
- **File Names:** Likely masquerades as legitimate applications (Social Media, Utilities, or Banking apps).
- **Network Indicators:**
- Communication with self-hosted C2 panels.
- Traffic to Telegram API (for sales/support channels).
- **Behavioral Indicators:**
- Requests for excessive permissions (Accessibility Services, SMS access, Camera/Microphone).
- Background processes maintaining active network connections to non-standard ports.
- Modification of clipboard content when strings matching crypto address patterns are detected.
## Associated Threat Actors
- Distributed primarily via **Telegram-based cybercrime underground** developers.
- Used by various low-to-mid-tier threat actors and financial fraudsters due to its accessible MaaS model.
## Detection Methods
- **Behavioral Detection:** Monitoring for apps requesting high-risk permission combinations (e.g., Accessibility Services + SMS).
- **Network Monitoring:** Detection of outbound traffic to known dynamic DNS providers or suspicious self-hosted VPS IPs used for C2 panels.
- **Application Sanity:** Identifying iOS apps signed with "Enterprise Provisioning" profiles from unknown or unverified organizations.
## Mitigation Strategies
- **For Organizations:** Prevent the installation of applications via Enterprise Profiles (MDM policies) for iOS and disable "Sideloading" on Android.
- **For Individuals:** Avoid downloading apps from third-party marketplaces or links received via social engineering (SMS/Telegram/WhatsApp).
- **System Hardening:** Regularly update mobile OS to the latest security patch level and use mobile security software (MTP/MTD) that monitors for clipboard manipulation.
## Related Tools/Techniques
- **SpyNote / CypherRAT:** Similar Android-based RATs sold on underground forums.
- **MassJacker:** Malware utilizing similar clipboard substitution techniques for financial theft.
- **Pegasus / Predator:** While ZeroDayRAT is "commercial grade," its feature set mimics higher-tier surveillance tools.