Full Report
A new commercial mobile spyware platform dubbed ZeroDayRAT is being advertised to cybercriminals on Telegram as a tool that provides full remote control over compromised Android and iOS devices. [...]
Analysis Summary
# Tool/Technique: ZeroDayRAT
## Overview
ZeroDayRAT is a new commercial mobile spyware platform being advertised to cybercriminals on Telegram. It is designed to provide full remote control over compromised Android and iOS devices, functioning as a complete mobile compromise toolkit capable of surveillance and financial theft.
## Technical Details
- Type: Malware Platform / Spyware Tool
- Platform: Android (versions 5 through 16) and iOS (up to version 26, the latest release)
- Capabilities: Full remote control, real-time surveillance, data exfiltration, financial theft modules (crypto and banking).
- First Seen: February 2026 (based on article date)
## MITRE ATT&CK Mapping
*Note: Since this is a comprehensive tool, multiple tactics are applicable based on its documented functions.*
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1119 - Operating System Configuration Discovery (Device Info)
  - T1056 - Input Capture
    - T1056.001 - Keylogging
  - T1005 - Data from Local System (SMS, Notifications, Accounts)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (implied by the data management panel)
- **TA0005 - Defense Evasion**
  - T1550 - Use Alternate Authentication Material (2FA bypass via OTP interception)
- **TA0007 - Discovery**
  - T1416 - Account Discovery (registered accounts on the device)
  - T1133 - External Remote Services (real-time remote access/control)
- **TA0008 - Lateral Movement** (potential, if a compromised employee device leads to an enterprise breach)
## Functionality
### Core Capabilities
- **Device Information Gathering:** Logs device models, OS versions, battery status, SIM details, country, and lock state.
- **Data Exfiltration:** Steals SMS message exchanges and application usage logs/activity timelines.
- **Notification/Account Monitoring:** Captures all received notifications and the accounts (email/user ID) registered on the infected device.
- **Location Tracking:** Real-time GPS tracking displayed on a Google Maps view, including full location history.
- **Persistence/Control:** Provides operators with a full-featured management panel.
### Advanced Features
- **Remote Media Hijacking:** Activates the front and rear cameras and the microphone for live media feeds.
- **Screen Recording:** Records the victim’s screen, exposing anything displayed on it.
- **Input Capture:** Keylogging module to capture passwords, gestures, and screen unlock patterns.
- **2FA Bypass:** Captures incoming One-Time Passwords (OTPs) once it has obtained the SMS access permission.
- **SMS Spoofing:** Ability to send SMS messages from the victim’s device.
- **Financial Theft (Cryptocurrency):** Wallet app scanner targeting MetaMask, Trust Wallet, Binance, and Coinbase; logs balances/IDs; performs clipboard address injection (replacing legitimate addresses with attacker-controlled ones).
- **Financial Theft (Banking):** Targets online banking apps, UPI platforms (Google Pay, PhonePe), and payment services (Apple Pay, PayPal) using credential theft via overlaying fake screens.
## Indicators of Compromise
- File Hashes: [Not detailed in the article]
- File Names: [Not detailed in the article]
- Registry Keys: [Not detailed in the article, platform-specific for mobile OS]
- Network Indicators: [Advertised on Telegram; C2 infrastructure not detailed]
- Behavioral Indicators: Attempts to gain broad permissions (Location, SMS, Camera, Microphone); clipboard manipulation for financial fraud; creation of overlay screens for banking credential harvesting.
## Associated Threat Actors
- Cybercriminals (advertised platform for use by buyers on Telegram).
## Detection Methods
- Signature-based detection: [Not detailed]
- Behavioral detection: Monitoring for excessive permission usage (camera/mic activation without user interaction), overlay screen behavior on banking/wallet apps, and unusual clipboard activity involving known cryptocurrency wallet addresses.
- YARA rules: [Not detailed]
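The clipboard signal above can be turned into concrete triage logic. The following is an added example, not code from the article or from any product it describes: given clipboard-write telemetry (a hypothetical feed with timestamp, writing package and text), it flags a wallet address that is rewritten within a short window by a different address of the same type from a non-wallet package, the pattern that clipboard address injection produces. Package names and addresses in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Heuristic address patterns for the wallet types the report names (EVM 0x + 40 hex for
# MetaMask/Trust Wallet; Bitcoin bech32 charset excludes 1, b, i, o). No checksum check.
ADDRESS_PATTERNS = {
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
}

@dataclass
class ClipEvent:
    ts: float   # seconds since boot when the clipboard was written
    pkg: str    # package that wrote it (hypothetical telemetry field)
    text: str

def classify(text):
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

def find_swaps(events, window=2.0, trusted=frozenset()):
    """Flag a wallet address replaced within `window` seconds by a different one of
    the same type, written by a package outside the trusted wallet set."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.text)
        if kind is None or classify(cur.text) != kind:
            continue
        if cur.text.strip() == prev.text.strip() or cur.ts - prev.ts > window:
            continue
        if cur.pkg in trusted:
            continue
        alerts.append((kind, prev.text.strip(), cur.text.strip(), cur.pkg))
    return alerts

# Constructed sample telemetry; package names and addresses are placeholders.
VICTIM_EVM, INJECTED_EVM = "0x" + "ab12" * 10, "0x" + "deadbeef" * 5
SAMPLE_EVENTS = [
    ClipEvent(100.0, "io.metamask", VICTIM_EVM),              # user copies a recipient
    ClipEvent(100.4, "com.example.unknownapp", INJECTED_EVM),  # rewritten 400 ms later
    ClipEvent(300.0, "com.android.chrome", "meeting at 3pm"), # ordinary text
    ClipEvent(400.0, "com.coinbase.android", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipEvent(450.0, "com.coinbase.android", "bc1q" + "x" * 38),  # 50 s apart: normal
]

if __name__ == "__main__":
    for kind, before, after, pkg in find_swaps(SAMPLE_EVENTS, trusted={"io.metamask"}):
        print(f"ALERT {kind}: {before} -> {after} written by {pkg}")
```

Two addresses copied minutes apart by a wallet app are normal use and produce no alert; only the sub-second same-type rewrite by an unexpected package is reported.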
## Mitigation Strategies
- **User Level:** Only install apps from the official app stores (Google Play, Apple App Store) and from reputable publishers.
- **High-Risk Users:** Enable Lockdown Mode on iOS and Advanced Protection on Android.
- **General:** Revoke unnecessary permissions (especially Camera, Mic, Location, Accessibility, SMS) from installed applications. Monitor for suspicious overlays on financial apps.
## Related Tools/Techniques
- Commercial Mobile Spyware (e.g., Pegasus, Predator, Candiru).
- Tools utilizing overlay attacks for financial theft.