ZeroDayRAT malware targets iOS, Android for real-time surveillance

Marcus Rodriguez
February 16, 2026 4 Min Read

Key Takeaways

  • ZeroDayRAT is a newly identified mobile spyware platform active since February 2, 2026.
  • It targets both Android (versions 5-16) and iOS (up to version 26) devices, offering cross-platform surveillance capabilities.
  • The malware enables extensive real-time monitoring, including GPS tracking, live camera/microphone feeds, SMS access, and credential theft.
  • Delivery primarily occurs via social engineering tactics like smishing and phishing, leading users to malicious app downloads.
  • Users are advised to exercise caution with unsolicited links, use official app stores, and implement stronger multi-factor authentication.

Sophisticated ZeroDayRAT Spyware Emerges, Targeting iOS and Android for Extensive Surveillance

A new and potent mobile spyware platform, dubbed ZeroDayRAT, has been observed in active deployment since February 2, 2026. This sophisticated threat, openly marketed and sold via Telegram, presents a significant risk to both Android (versions 5 through 16) and iOS devices (up to version 26), offering a unified solution for attackers seeking to compromise a wide range of mobile targets.

ZeroDayRAT empowers operators with comprehensive control and monitoring capabilities directly from a web-based interface. This centralized control panel facilitates a broad spectrum of surveillance activities, transforming an infected device into a potent espionage tool.

Unprecedented Surveillance Capabilities

The spyware’s feature set is extensive, encompassing real-time GPS tracking, capture of device notifications, and full access to SMS messages, critically including one-time password (OTP) codes. Beyond passive data collection, ZeroDayRAT allows for live camera and microphone feeds, screen recording, and contextual keylogging tied to specific applications. Further enhancing its intrusive nature, the platform can enumerate all accounts registered on the compromised device and includes advanced theft functionalities such as crypto clipboard address swapping and the deployment of banking overlays to harvest credentials.

Researchers at iVerify uncovered ZeroDayRAT during their ongoing analysis of the rapidly expanding market for “ready-to-run” mobile surveillance tools. Their findings indicate that the malware is designed for ease of use, allowing operators to conduct sophisticated attacks without requiring deep technical expertise once the initial installation is complete.

Infection Mechanisms and Delivery

The primary vector for ZeroDayRAT infection relies heavily on social engineering. A common attack chain involves smishing, where malicious text messages deliver links leading to deceptive app downloads. Similar lures can originate from phishing emails, rogue app stores, or links shared across messaging platforms like WhatsApp and Telegram, ultimately tricking users into installing either an Android APK or an iOS payload.

Upon successful installation, ZeroDayRAT provides the operator with a detailed profile of the target. This includes device specifics, SIM and carrier data, application usage patterns, and intercepted communications. The ability to access SMS messages is particularly dangerous, as it exposes SMS-based two-factor authentication codes, significantly increasing the risk of account takeovers and direct financial losses.

ZeroDayRAT's dashboard with two devices, one in India and the US (Source - iVerify)
Live camera, screen recording, and microphone access from a single panel (Source - iVerify)

Operational Overview

The infection process typically begins with a message designed to create a sense of urgency, directing the target to a seemingly legitimate download page. Once the user installs the malicious application, the implant establishes a connection with the operator’s dashboard. From this interface, the attacker can immediately access location history, read notifications, and harvest SMS messages, which often contain critical banking alerts and OTP codes. The dashboard also provides a comprehensive overview, displaying device model, operating system version, lock status, geographical location, and a live activity timeline, enabling rapid and informed targeting decisions.

What You Should Do

  • Treat mobile devices as critical endpoints: Apply the same security vigilance to your phone as you would to a computer.
  • Stick to official app stores: Download applications exclusively from trusted sources like Google Play Store or Apple App Store. Avoid sideloading apps from unknown origins.
  • Verify links cautiously: Before clicking any link received via text message or email, independently verify its legitimacy, especially if it creates urgency or prompts for downloads.
  • Strengthen MFA: Where possible, utilize multi-factor authentication methods that are more robust than SMS-based codes, such as authenticator apps or hardware tokens.
  • Rotate passwords: Immediately change passwords for critical accounts if you suspect any exposure or compromise.
  • Monitor device behavior: Be alert to unusual permission prompts, unexpected battery drain, or the appearance of unknown accessibility services, which can indicate spyware.
  • For organizations: Implement mobile threat monitoring solutions and establish clear protocols for triaging suspected spyware incidents. Rapid reporting and response are crucial for minimizing potential damage.
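The last two points above describe indicators (sideloaded apps, unknown accessibility services) and the need for a triage procedure. The following is an added example, not code from the article or from iVerify: a small Python triage helper that parses the output of two standard Android commands, `adb shell pm list packages -i -3` and `adb shell settings get secure enabled_accessibility_services`, and flags third-party apps that did not come from the Play Store, raising severity when such an app also has an accessibility service enabled. The sample command output and the trusted-installer set are constructed assumptions.

```python
import re

# Installer package names treated as trusted store sources. Assumption for
# this example; add your OEM store (e.g. Samsung Galaxy Store) if applicable.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.system.update  installer=null
package:com.chat.secure  installer=com.google.android.packageinstaller
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = ("com.system.update/com.system.update.AccessSvc:"
               "com.google.android.marvin.talkback/.TalkBackService")


def parse_installers(text):
    """Map package name -> installer package ('null' = unknown, e.g. adb install)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M)}


def parse_accessibility(text):
    """Return the set of packages that currently have an accessibility service enabled."""
    return {entry.split("/", 1)[0] for entry in text.strip().split(":") if entry}


def triage(packages_text, a11y_text):
    """Return (severity, package, reason) tuples, highest severity first.

    Only third-party packages are considered; a system app such as TalkBack
    never appears in the -3 listing and is therefore not flagged.
    """
    installers = parse_installers(packages_text)
    a11y_pkgs = parse_accessibility(a11y_text)
    findings = []
    for pkg, installer in installers.items():
        if installer in TRUSTED_INSTALLERS:
            continue
        # Not proof of compromise, but matches the sideloaded-APK delivery path.
        sev, reason = "medium", f"sideloaded (installer={installer})"
        if pkg in a11y_pkgs:
            # Overlay and keylogging spyware commonly abuse accessibility services.
            sev, reason = "high", reason + "; accessibility service enabled"
        findings.append((sev, pkg, reason))
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1}[f[0]])
```

Feed it real output captured from a device under investigation and treat "high" findings as candidates for isolation and further analysis.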

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.