ZeroDayRAT malware targets iOS, Android for real-time surveillance
Key Takeaways
- ZeroDayRAT is a newly identified mobile spyware platform active since February 2, 2026.
- It targets both Android (versions 5-16) and iOS (up to version 26) devices, offering cross-platform surveillance capabilities.
- The malware enables extensive real-time monitoring, including GPS tracking, live camera/microphone feeds, SMS access, and credential theft.
- Delivery primarily occurs via social engineering tactics like smishing and phishing, leading users to malicious app downloads.
- Users are advised to exercise caution with unsolicited links, use official app stores, and implement stronger multi-factor authentication.
Sophisticated ZeroDayRAT Spyware Emerges, Targeting iOS and Android for Extensive Surveillance
A new and potent mobile spyware platform, dubbed ZeroDayRAT, has been observed in active deployment since February 2, 2026. This sophisticated threat, openly marketed and sold via Telegram, presents a significant risk to both Android (versions 5 through 16) and iOS devices (up to version 26), offering a unified solution for attackers seeking to compromise a wide range of mobile targets.
ZeroDayRAT empowers operators with comprehensive control and monitoring capabilities directly from a web-based interface. This centralized control panel facilitates a broad spectrum of surveillance activities, transforming an infected device into a potent espionage tool.
Unprecedented Surveillance Capabilities
The spyware’s feature set is extensive, encompassing real-time GPS tracking, capture of device notifications, and full access to SMS messages, critically including one-time password (OTP) codes. Beyond passive data collection, ZeroDayRAT allows for live camera and microphone feeds, screen recording, and contextual keylogging tied to specific applications. Further enhancing its intrusive nature, the platform can enumerate all accounts registered on the compromised device and includes advanced theft functionalities such as crypto clipboard address swapping and the deployment of banking overlays to harvest credentials.
Researchers at iVerify uncovered ZeroDayRAT during their ongoing analysis of the rapidly expanding market for “ready-to-run” mobile surveillance tools. Their findings indicate that the malware is designed for ease of use, allowing operators to conduct sophisticated attacks without requiring deep technical expertise once the initial installation is complete.
Infection Mechanisms and Delivery
The primary vector for ZeroDayRAT infection relies heavily on social engineering. A common attack chain involves smishing, where malicious text messages deliver links leading to deceptive app downloads. Similar lures can originate from phishing emails, rogue app stores, or links shared across messaging platforms like WhatsApp and Telegram, ultimately tricking users into installing either an Android APK or an iOS payload.
Upon successful installation, ZeroDayRAT provides the operator with a detailed profile of the target. This includes device specifics, SIM and carrier data, application usage patterns, and intercepted communications. The ability to access SMS messages is particularly dangerous, as it exposes SMS-based two-factor authentication codes, significantly increasing the risk of account takeovers and direct financial losses.


Operational Overview
The infection process typically begins with a message designed to create a sense of urgency, directing the target to a seemingly legitimate download page. Once the user installs the malicious application, the implant establishes a connection with the operator’s dashboard. From this interface, the attacker can immediately access location history, read notifications, and harvest SMS messages, which often contain critical banking alerts and OTP codes. The dashboard also provides a comprehensive overview, displaying device model, operating system version, lock status, geographical location, and a live activity timeline, enabling rapid and informed targeting decisions.
What You Should Do
- Treat mobile devices as critical endpoints: Apply the same security vigilance to your phone as you would to a computer.
- Stick to official app stores: Download applications exclusively from trusted sources like Google Play Store or Apple App Store. Avoid sideloading apps from unknown origins.
- Verify links cautiously: Before clicking any link received via text message or email, independently verify its legitimacy, especially if it creates urgency or prompts for downloads.
- Strengthen MFA: Where possible, utilize multi-factor authentication methods that are more robust than SMS-based codes, such as authenticator apps or hardware tokens.
- Rotate passwords: Immediately change passwords for critical accounts if you suspect any exposure or compromise.
- Monitor device behavior: Be alert to unusual permission prompts, unexpected battery drain, or the appearance of unknown accessibility services, which can indicate spyware.
- For organizations: Implement mobile threat monitoring solutions and establish clear protocols for triaging suspected spyware incidents. Rapid reporting and response are crucial for minimizing potential damage.
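A defender-side triage helper for the Android indicators named in the list above (unknown accessibility services, sideloaded apps, and third-party apps granted SMS permissions), added here as an example and not code from iVerify or HackersRadar. It parses the output of three adb commands; the allowlists of known accessibility packages and trusted installers, and the sample adb output it runs on, are constructed assumptions.

```python
"""Added triage example (not iVerify's or HackersRadar's code): parses adb output
for the Android indicators the article lists. Allowlists and sample output are
constructed assumptions."""
import re

KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}  # assumed: stock screen reader only
TRUSTED_INSTALLERS = {"com.android.vending"}                   # assumed: Google Play only
SMS_PERMISSIONS = ("android.permission.READ_SMS", "android.permission.RECEIVE_SMS")

def unknown_accessibility_services(settings_value: str) -> list[str]:
    """`settings get secure enabled_accessibility_services` prints colon-separated
    <package>/<service> entries, or 'null' when none are enabled."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    return [e for e in value.split(":") if e.split("/")[0] not in KNOWN_A11Y_PACKAGES]

def sideloaded_packages(pm_output: str) -> list[str]:
    """`pm list packages -3 -i` prints 'package:<pkg>  installer=<installer>';
    flag third-party apps whose installer is not a sanctioned store."""
    flagged = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m and m.group(2) not in TRUSTED_INSTALLERS:
            flagged.append(m.group(1))
    return flagged

def sms_capable_packages(dumpsys_by_pkg: dict[str, str]) -> list[str]:
    """`dumpsys package <pkg>` lists runtime permissions as '<perm>: granted=true, ...';
    flag packages that can read or intercept SMS (and therefore OTP codes)."""
    return [pkg for pkg, text in dumpsys_by_pkg.items()
            if any(re.search(re.escape(p) + r": granted=true", text) for p in SMS_PERMISSIONS)]

# Constructed sample output in the shape adb returns it; not from a real device.
A11Y_SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.update/.OverlayService")
PM_SAMPLE = ("package:com.bank.app  installer=com.android.vending\n"
             "package:com.example.update  installer=null\n")
DUMPSYS_SAMPLE = {
    "com.bank.app": "android.permission.CAMERA: granted=true, flags=[ USER_SET]\n",
    "com.example.update": "android.permission.READ_SMS: granted=true, flags=[ USER_SET]\n",
}

def triage(a11y=A11Y_SAMPLE, pm=PM_SAMPLE, dumpsys=DUMPSYS_SAMPLE) -> dict[str, list[str]]:
    """Combine the three checks; an app appearing in more than one list deserves priority."""
    return {"accessibility": unknown_accessibility_services(a11y),
            "sideloaded": sideloaded_packages(pm),
            "sms_access": sms_capable_packages(dumpsys)}
```

On a real device, feed the functions the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>` respectively.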
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


