ZeroDayRAT the mobile spyware that offers almost total remote control over Android and iPhone

5 min read

A new commercial mobile spyware tool named ZeroDayRAT is being offered to cybercrime buyers through Telegram channels, and researchers warn that it is not an amateur tool: it gives its operators almost total remote control over Android and iPhone devices, with a panel designed to manage victims as if they were "devices on a botnet."

The technical description circulated by the researchers notes that the control panel shows, among other data, the device model, operating system version, battery state, SIM details, country and whether the phone is locked, which makes it easier to prioritise targets and execute actions in real time. Besides passive data collection (application usage history, activity timelines, SMS messages, received notifications and the accounts registered on the phone), ZeroDayRAT includes active monitoring functions: live and historical location on a map, remote activation of the cameras and microphone for live streaming, screen recording, and a keylogging module that captures passwords, gestures and unlock patterns.


The capabilities described are not merely invasive; they are also lucrative for the attacker. According to the analysis cited by the specialised press, the malware includes modules aimed at financial theft: a "crypto stealer" that scans wallet applications such as MetaMask, Trust Wallet, Binance or Coinbase to record identifiers and balances, and that hijacks the clipboard to replace copied wallet addresses and divert transfers; and a "bank stealer" that targets banking apps, UPI platforms and payment services such as Apple Pay or PayPal, using fake overlay screens to capture credentials.

Another particularly dangerous function is SMS interception: with access to these messages the attacker can capture one-time verification codes (OTP) and so bypass SMS-based two-factor authentication. The ability to send SMS from the compromised device has also been documented, opening vectors for fraud and impersonation.

The researchers who raised the alarm, whose findings were picked up by specialised media, describe ZeroDayRAT as a "complete mobile compromise kit" and warn that infecting a personal phone or, worse still, an employee's device could become the gateway to a larger breach in corporate environments. The available material does not detail the delivery vector precisely, but given the nature of the market where it is sold (closed channels and Telegram) and the sophistication of its functions, it is likely that social engineering, fraudulent apps or targeted campaigns are used to achieve installation.

These claims should be put in context: the marketing of this type of tool sometimes exaggerates compatibility or capabilities. For example, some descriptions list operating system versions with implausible figures; that does not reduce the real risk, but it does call for reading the full technical reports. For more immediate information on the finding and the analysts' publication, see the coverage in cybersecurity media such as BleepingComputer, which collects the initial report and the technical details observed by the researchers: BleepingComputer - ZeroDayRAT.

What can users and companies do to reduce risk? First, apply basic but effective measures: install applications only from official stores and trusted publishers, keep the operating system and apps up to date, and carefully review the permissions each application requests (access to SMS, camera, microphone and accessibility services should be granted only when necessary). Users with higher exposure, such as journalists, activists, and security or finance staff, should consider additional protections: Apple offers Lockdown Mode for high-risk cases, and Google promotes its Advanced Protection Program as a barrier against targeted attacks; both are designed to increase resistance to sophisticated vectors: Apple - Lockdown Mode and Google - Advanced Protection Program.
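The permission review recommended above can be made systematic on Android. The script below is an added example written for this article; it is not ZeroDayRAT code and not a vendor tool. It parses two outputs an administrator can pull with adb from a device they control (`adb shell dumpsys package` for manifest-declared permissions, and `adb shell settings get secure enabled_accessibility_services` for enabled accessibility services) and scores each package against the capability profile the article describes: SMS read/receive/send, overlays, accessibility, camera, microphone and location. The package names and dumpsys output in the sample are constructed for the example, not captured from a real device, and the weights and threshold are assumptions to tune for your fleet.

```python
"""Triage installed Android apps by the permission profile a mobile RAT needs.

Added example for this article (not ZeroDayRAT code, not a vendor tool).
Inputs are the text formats produced by:
  adb shell dumpsys package                              (requested permissions)
  adb shell settings get secure enabled_accessibility_services
The sample data at the bottom is constructed, not captured from a device.
"""
import re
from collections import defaultdict

# Short permission names and how strongly each suggests spyware-style capability
# (weights are assumptions for the example).
RISK_WEIGHTS = {
    "READ_SMS": 3,               # OTP interception
    "RECEIVE_SMS": 3,
    "SEND_SMS": 2,               # sending SMS from the victim device
    "SYSTEM_ALERT_WINDOW": 3,    # overlays for fake bank / wallet login screens
    "ACCESSIBILITY_SERVICE": 3,  # enabled accessibility service: keylogging, UI reading
    "CAMERA": 1,
    "RECORD_AUDIO": 1,
    "ACCESS_FINE_LOCATION": 1,
    "READ_CONTACTS": 1,
}

# Combinations that rarely co-occur in a legitimate app; each match adds a bonus.
SUSPICIOUS_COMBOS = [
    {"RECEIVE_SMS", "SYSTEM_ALERT_WINDOW"},
    {"ACCESSIBILITY_SERVICE", "READ_SMS"},
    {"CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_SMS"},
]
COMBO_BONUS = 2

_PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
_PERM_RE = re.compile(r"^\s*android\.permission\.([A-Z_]+)")


def parse_dumpsys(text):
    """Map package name -> set of short permission names listed under
    'requested permissions:' (install/runtime sections are skipped)."""
    apps = defaultdict(set)
    current, section = None, None
    for line in text.splitlines():
        m = _PKG_RE.match(line)
        if m:
            current, section = m.group(1), None
            continue
        if line.strip().endswith("permissions:"):
            section = line.strip()
            continue
        if current and section == "requested permissions:":
            m = _PERM_RE.match(line)
            if m:
                apps[current].add(m.group(1))
    return dict(apps)


def parse_accessibility(setting):
    """Packages with an enabled accessibility service. The setting value is a
    colon-separated list of ComponentName strings, or the string 'null'."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/")[0] for c in setting.strip().split(":") if c}


def assess(apps, a11y_pkgs, threshold=5):
    """Return {package: (score, sorted signals)} for packages scoring >= threshold."""
    report = {}
    for pkg, perms in apps.items():
        signals = {p for p in perms if p in RISK_WEIGHTS}
        if pkg in a11y_pkgs:
            signals.add("ACCESSIBILITY_SERVICE")
        score = sum(RISK_WEIGHTS[s] for s in signals)
        score += COMBO_BONUS * sum(1 for combo in SUSPICIOUS_COMBOS if combo <= signals)
        if score >= threshold:
            report[pkg] = (score, sorted(signals))
    return report


# Constructed sample in the dumpsys package layout; not real devices or apps.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.sysupdate.service] (4d5e6f):
    userId=10144
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.bank.mobile] (7a8b9c):
    userId=10150
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.USE_BIOMETRIC
"""
# Constructed value of enabled_accessibility_services (TalkBack plus a suspect service).
SAMPLE_A11Y = ("com.sysupdate.service/com.sysupdate.service.InputMonitor:"
               "com.android.talkback/.TalkBackService")

if __name__ == "__main__":
    report = assess(parse_dumpsys(SAMPLE_DUMPSYS), parse_accessibility(SAMPLE_A11Y))
    for pkg, (score, signals) in report.items():
        print(f"{pkg}: score={score} signals={', '.join(signals)}")
```

On the constructed sample only `com.sysupdate.service` is reported: it requests every SMS, overlay and sensor permission in the table and also has an enabled accessibility service, so all three suspicious combinations fire. The banking app, which legitimately requests the camera, stays below the threshold. A requested permission is a declaration of intent, not proof of abuse; treat the score as a triage queue for manual review of the flagged package's publisher and install source, not as a verdict.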


Organisations should treat mobile phones as potential critical entry points. Mobile device management (MDM), strict network access policies, segmentation of the corporate environment, and detection and response tooling for mobile endpoints all help limit the impact of a compromise. For practical guides and general recommendations on mobile security, the US Cybersecurity and Infrastructure Security Agency (CISA) publishes resources for both users and administrators: CISA - Mobile Device Security.

I conclude with a note of caution: the commercial spyware ecosystem and the markets on Telegram and similar platforms have professionalised digital crime; tools such as ZeroDayRAT, where they exist as advertised, lower the technical barrier for economically or politically motivated actors. Defence does not depend on a single app or setting: it is the combination of habits, tools and policies that, together, makes it significantly harder for a malicious operator to turn a phone into a surveillance source or a remote cash register.
