Details have recently come to light about a new mobile spyware platform called ZeroDayRAT, which is openly marketed on Telegram channels as a ready-made tool for spying on Android and iPhone handsets. Security researchers have tracked both the advertisements and the product's operation: the developers not only sell the malicious binary but also offer a builder and a web panel that the buyer can deploy on their own server, together with support and periodic updates. In practice, it is a suite that turns a compromised phone into a continuous data source and a remote camera and microphone controllable from a browser. For a technical explanation and full analysis, see iVerify's report documenting the threat: iVerify - Breaking down ZeroDayRAT.
According to the available analysis, ZeroDayRAT supports a wide range of Android and iOS versions, and its most common entry vector is not a sophisticated exploit but social engineering: fake applications in unofficial stores, misleading download pages, or installers that pose as legitimate utilities. Once installed, the software reports full device information to the attacker's panel (model, operating system, battery status, carrier and SIM details) and offers previews of messages, application usage and other metadata that allow a detailed profile of the victim to be built.

In addition to recording metadata, ZeroDayRAT incorporates intrusive real-time surveillance functions: GPS location on maps, location history, live camera and microphone streaming, and keylogging. That combination makes the phone a permanent espionage tool rather than just a vector for credential theft. The panel also lists the accounts registered on the device (email and social networks), which makes it easier for the attacker to identify valuable services to exploit further or to monetize the stolen information.
The range of capabilities also includes components designed for financial fraud. One module detects wallet applications and replaces cryptocurrency addresses copied to the clipboard in order to redirect transfers to accounts controlled by the attacker. Another module focuses on mobile payment services and banks, targeting popular platforms, including local applications with large adoption in specific regions. In the case of India, for example, researchers noted that the malware seeks to enable fraud against UPI, the country's instant payment infrastructure; to understand that system, the NPCI documentation on UPI can be consulted: NPCI - UPI.
In the current criminal ecosystem, ZeroDayRAT does not arise in isolation; it belongs to a wave of malware families and campaigns that have exploited different distribution routes and abused legitimate services to host or spread payloads. In recent weeks, for example, a campaign was published that abused Hugging Face to distribute malicious loaders, which in turn downloaded an APK requesting accessibility permissions in order to control the device. This case and its methodology were described by Bitdefender: Bitdefender - Android RAT campaign.
The proliferation of remote control tools and Trojans for Android has grown and diversified in its methods. Families like Arsink have combined cloud services and messaging platforms for command and control, while other Trojans have managed to sneak into official stores or into verified ads through malvertising campaigns. Zimperium and other laboratories have documented variants using Google Apps Script, Firebase and Telegram channels to orchestrate exfiltration and remote administration: Zimperium - Arsink.
The fact that complete intrusion kits are sold as a product raises both a social and a technical problem. Previously, achieving persistent remote surveillance required a certain level of sophistication, centred on zero-day exploits or custom infrastructure; today, a buyer with modest resources can acquire a solution that integrates espionage, credential theft and the ability to divert money. This change lowers the entry barrier and multiplies the number of actors capable of causing damage.
The phenomenon is not limited to traditional spyware: campaigns have emerged that use innocuous-looking applications as installers for banking Trojans, fake remittance networks that recruit money mules, and NFC tools that clone or relay payment transactions with the phone. Recent reports from companies such as Group-IB and CTM360 describe how attackers have marketed applications and services to facilitate payment fraud and money collection, showing that some Telegram markets concentrate thousands of subscribers interested in such solutions: Group-IB - Ghost Tapped and CTM360 - ShadowRemit.
Cases have also been detected in which apparently legitimate applications uploaded to official stores acted as entry points for banking malware, reaching thousands of downloads before being removed. These incidents underline that it is not enough to watch only sources outside the official ecosystems: attackers exploit trust and the distribution chain itself. Examples and analyses of malicious applications in stores, or of fake pages imitating the Play Store, have been published by several security firms.
In the face of this scenario, prevention falls on manufacturers, app stores and users alike. Keeping the operating system and applications up to date, avoiding the installation of APKs from unverified sources, reviewing the permissions an app requests, and distrusting messages that urge you to install "updates" outside official channels remain the basics. For high-risk environments, it is recommended to use authentication mechanisms more robust than SMS, such as physical security keys or authenticator applications, and to enable unusual-activity alerts on sensitive accounts. Apple documents how enterprise provisioning works and why it can be a risk vector when abused: Apple - Installing profiles on devices. Google also offers guides on how Play Protect works and how to reduce risks on Android: Google Play Protect.

The technological and legal response must also evolve. The technical indicators and command-and-control infrastructure listings published by response teams can help detect known artifacts, but the criminal economy, now enabled by shops on Telegram and other platforms, demands coordinated measures between cloud service providers, operating system manufacturers, messaging platforms and law enforcement. Independent public reports and analyses, such as those from iVerify, Bitdefender or Group-IB, are key resources for administrators and journalists seeking to understand and communicate the threat: iVerify, Bitdefender, Group-IB.
If you are a user, the practical recommendation is not to lower your guard: check the source of your applications, mistrust links received via messaging apps that ask you to install software, regularly review the list of installed applications and the permissions granted to them, and use additional protection for your financial accounts. If you suspect that a device may be compromised, it is wise to isolate it from sensitive networks, change passwords from a clean device and seek help from professionals or security providers. Reports documenting specific cases and techniques can help you identify patterns and adopt more precise defenses; for further reading on recent campaigns you can consult analyses such as those of Zimperium, WeLiveSecurity and AdEx - Triada.
The conclusion is clear: the mobile threat is no longer just a matter of isolated invasive applications, but a marketplace of tools where surveillance, theft and fraud are sold. Understanding how these platforms operate and implementing basic digital hygiene measures is today the best defense for users and organizations.
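The review of installed applications and granted permissions recommended above can be scripted for an Android device. The following is an added example written for this article, not code from iVerify or any of the vendors cited: it parses the text that `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` print, and flags third-party packages that hold the runtime permissions a surveillance tool of this kind needs (location, camera, microphone, SMS, contacts, call log) or that have an accessibility service enabled. The sample output, package names and the risk weighting are constructed for illustration; on a real device you would feed the script the live output of those two commands.

```python
"""Audit granted Android permissions and accessibility services from adb output.

Added example for this article (not from iVerify or the cited vendors).
Input is the text of `adb shell dumpsys package` and of
`adb shell settings get secure enabled_accessibility_services`.
"""
import re
from typing import Dict, Optional, Set

# Runtime permissions that enable the surveillance features described
# in the article (location, camera/microphone streaming, SMS, contacts).
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample modelled on `adb shell dumpsys package` output.
# Package names and hashes are invented for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=123 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.fakeupdate.service] (9f8e7d):
    userId=10102
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=456 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""

# Constructed value of the `enabled_accessibility_services` secure setting:
# colon-separated "package/service" entries.
SAMPLE_ACCESSIBILITY = (
    "com.fakeupdate.service/com.fakeupdate.service.ControlService:"
    "com.android.talkback/.TalkBackService"
)

_PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
_GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package to the set of permissions reported as granted=true."""
    granted: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in dumpsys_text.splitlines():
        pkg = _PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
            continue
        grant = _GRANT_RE.match(line)
        if grant and current and grant.group(2) == "true":
            granted[current].add(grant.group(1))
    return granted


def parse_accessibility_services(setting_value: str) -> Set[str]:
    """Return the package names that have an accessibility service enabled."""
    entries = [e for e in setting_value.strip().split(":") if e]
    return {e.split("/", 1)[0] for e in entries}


def audit(dumpsys_text: str, accessibility_value: str,
          allowlist: Optional[Set[str]] = None) -> Dict[str, dict]:
    """Flag packages holding risky permissions or an accessibility service.

    The score (one point per risky permission, three for accessibility)
    is a constructed heuristic to order the review, not a verdict.
    """
    allowlist = allowlist or set()
    granted = parse_granted_permissions(dumpsys_text)
    acc_pkgs = parse_accessibility_services(accessibility_value)
    report: Dict[str, dict] = {}
    for pkg in set(granted) | acc_pkgs:
        if pkg in allowlist:
            continue
        risky = sorted(granted.get(pkg, set()) & RISKY_PERMISSIONS)
        has_acc = pkg in acc_pkgs
        if risky or has_acc:
            report[pkg] = {
                "risky_permissions": risky,
                "accessibility_service": has_acc,
                "score": len(risky) + (3 if has_acc else 0),
            }
    return report


if __name__ == "__main__":
    # A known screen reader is allowlisted so only unexpected services surface.
    for name, info in sorted(audit(SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY,
                                   allowlist={"com.android.talkback"}).items(),
                             key=lambda kv: -kv[1]["score"]):
        print(name, info)
```

Against the constructed sample, `com.example.notes` is not reported because its only granted permission is INTERNET, while `com.fakeupdate.service` is flagged with four surveillance-grade permissions and an enabled accessibility service. The allowlist exists precisely because legitimate accessibility tools are common; the point is to surface the entries the owner does not recognise, which is exactly the review the article recommends.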