
Analysis of ZeroDayRAT: Mobile Surveillance and MFA Bypass Capabilities

New research identifies a modular mobile surveillance tool available via Telegram that combines information stealing with real-time monitoring. This analysis covers the malware's distribution methods, technical capabilities regarding MFA bypass, and implications for enterprise mobile security.

Triage Security Media Team

Recent research by mobile security provider iVerify has identified "ZeroDayRAT," a malware family that integrates spyware, surveillance, and information-stealing functions into a single package. Currently distributed via Telegram, this tool is marketed to financially motivated actors and includes a service model featuring direct developer access, sales channels, and platform updates.

Distribution and Installation Vectors

ZeroDayRAT achieves compromise through malicious binaries—specifically APK files for Android and payloads for iOS. Deployment typically relies on social engineering rather than automated exploitation. According to iVerify threat researcher Daniel Kelley, the primary distribution vector is smishing (SMS phishing): a targeted user receives a text message containing a link to download an application masquerading as legitimate software.

Alternative delivery channels identified include phishing emails, fraudulent application stores, and links distributed through messaging platforms such as WhatsApp or Telegram.

Technical Capabilities and Data Exposure

Upon installation, ZeroDayRAT provides the operator with extensive visibility into the device's configuration and the user's digital footprint. The malware does not require advanced technical expertise to operate, lowering the barrier to entry for effective surveillance.

The tool aggregates device metadata, including model specifications, SIM card details, carrier information, and real-time location data. It also generates an activity timeline and provides previews of recent SMS communications. Additionally, the malware enumerates all accounts registered on the device, such as Google, Amazon, and various social media platforms, creating a comprehensive profile of the user's digital identity.

Real-Time Surveillance and Financial Risk

The malware's capabilities extend beyond static data collection to real-time monitoring. Features include:

  • MFA Bypass: The tool enables full control over SMS functionality, including the ability to send messages. This allows operators to intercept One-Time Passwords (OTPs), effectively bypassing SMS-based multifactor authentication.

  • Audio/Visual Monitoring: The malware can access microphone feeds, record screen activity, and log keystrokes.

  • Financial Exfiltration: Specialized modules target banking applications and cryptocurrency wallets, aiming to capture credentials and financial assets.

Kelley describes the tool as "textbook stalkerware." While it may not utilize the bespoke zero-day exploits characteristic of nation-state campaigns, its feature set mimics commercial surveillance software. This creates significant privacy risks for high-profile targets such as journalists and activists, as well as financial risks for general users.

Implications for Enterprise Security

The emergence of ZeroDayRAT presents a specific challenge for organizations with remote workforces or Bring Your Own Device (BYOD) policies. If an employee device is compromised, it becomes a potential entry point for credential theft and data exfiltration.

"For enterprises, a compromised employee device is a vector for credential theft, account takeover, and data exfiltration," the research notes. "Mobile device security needs to be treated with the same urgency as endpoint and email security."

Market Positioning and Threat Scene

The malware is marketed at approximately $2,000 for full access. This price point places it above low-level "script kiddie" tools, suggesting a target market of well-resourced criminals or private investigators. The operators claim support for Android versions 5 through 16 and iOS versions up to 26—a claim that, given current OS versioning, more likely reflects forward-looking marketing than present technical reality.

Andrew Costis, engineering manager at AttackIQ, notes that this tool represents a convergence of high-level capabilities with criminal economics. Features previously associated with targeted intelligence operations are becoming commoditized. While small-to-medium businesses and individuals are the immediate targets, the tooling poses a supply-chain and executive targeting risk for larger enterprises.

Protective Measures

To mitigate the risks associated with ZeroDayRAT and similar mobile threats, organizations should consider the following defensive strategies:

  • Mobile Endpoint Security: Deploy mobile-specific security tools capable of detecting anomalous application behavior.

  • Strict App Vetting: Enforce policies that restrict application installation to official, verified sources.

  • User Awareness: Educate workforce members on social engineering tactics, specifically smishing and the risks of downloading unverified binaries from messaging apps.
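The two conditions the article ties together, a sideloaded binary and SMS control for OTP interception, can be checked for on a managed Android device. The script below is an added example, not code from iVerify or the article: it parses `dumpsys package` output and flags third-party apps that were not installed by a store (installer `null`) and hold granted SMS permissions. The sample dump is constructed, and the assumed line formats (`installerPackageName=`, `runtime permissions:`) are trimmed from real output.

```shell
#!/bin/sh
# Added example, not part of the original article or the iVerify research.
# Flags sideloaded third-party apps that hold SMS permissions, the combination
# a ZeroDayRAT-style tool needs to read or relay SMS one-time passwords.
#
# Assumed collection command on a device with USB debugging (not run here):
#   adb shell 'for p in $(pm list packages -3 | cut -d: -f2); do dumpsys package $p; done'
collect_dump() {
  adb shell 'for p in $(pm list packages -3 | cut -d: -f2); do dumpsys package $p; done'
}

# Reads dumpsys output on stdin, prints one flagged package name per line.
# Per package block: remember the installer, note any granted SMS permission,
# report when the block ends if both conditions hold.
flag_sms_sideloads() {
  awk '
    function report() {
      if (pkg != "" && installer == "null" && sms) print pkg
    }
    /^Package \[/ {
      report()
      pkg = substr($2, 2, length($2) - 2)   # strip the surrounding [ ]
      installer = ""; sms = 0
    }
    /installerPackageName=/ { sub(/.*installerPackageName=/, ""); installer = $1 }
    /android\.permission\.(RECEIVE|READ|SEND)_SMS: granted=true/ { sms = 1 }
    END { report() }
  '
}

# Constructed sample: a store-installed banking app with no SMS access and a
# sideloaded "update" app holding both receive and send SMS grants.
SAMPLE_DUMP='Package [com.example.bank] (1a2b3c):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.CAMERA: granted=true
Package [com.example.update] (4d5e6f):
    installerPackageName=null
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.SEND_SMS: granted=true
      android.permission.RECORD_AUDIO: granted=true'

printf '%s\n' "$SAMPLE_DUMP" | flag_sms_sideloads
```

Replace the constructed sample with `collect_dump | flag_sms_sideloads` to run it against a real device; a flagged package is a triage lead, not a verdict, since legitimate sideloaded messaging apps also hold these grants.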