This new mobile compromise toolkit enables spyware, surveillance, and data theft
The professional package allows even unsophisticated attackers to take full control of devices
A new mobile spyware platform called ZeroDayRAT, claimed to provide full remote control over compromised Android and iOS devices, is being sold openly via Telegram.
According to analysis from iVerify, developers behind the tool run dedicated channels for sales and customer support and give regular updates. Buyers are given a single point of access to a fully operational spyware panel, with full remote control over a user’s Android or iOS device.
Support covers Android 5 through 16 and iOS up to 26, including the iPhone 17 Pro. No technical expertise is required, researchers warned.
"Taken together, this is a complete mobile compromise toolkit, the kind that used to require nation-state investment or bespoke exploit development, now sold on Telegram," the researchers said.
"A single buyer gets full access to a target’s location, messages, finances, camera, microphone, and keystrokes from a browser tab. Cross-platform support and active development make it a growing threat to both individuals and organizations."
How ZeroDayRAT attacks work
Attacks generally start with smishing, researchers said. The victim gets a text with a link, downloads what looks like a legitimate app, and installs it. Phishing emails, fake app stores, and links shared over WhatsApp or Telegram are also being used.
Once a device is infected, the attacker can use an overview tab showing the device model, OS, battery, country, lock status, and SIM and carrier info.
Similarly, dual SIM phone numbers, app usage broken down by time, a live activity timeline, and a preview of recent SMS messages are all displayed on a single screen.
"This screen is enough to profile the infected user: who they talk to, what apps they use most, when they're active, and what network they're on," researchers said. "Scrolling down reveals intercepted messages from banking services, carriers, and personal contacts."
GPS coordinates are pulled and plotted on an embedded Google Maps view with location history, so an operator can track not just where the infected user is, but where they've been.
Notifications are also captured, each with its app name, title, content, and timestamp: WhatsApp messages, Instagram notifications, missed calls, Telegram updates, YouTube alerts and system events.
Follow-up compromise is a real risk
Notably, an accounts tab enumerates every account registered on the device, such as Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, and Spotify accounts associated with usernames or emails.
This, researchers warned, is basically everything an attacker needs to attempt account takeover or launch targeted social engineering.
"ZeroDayRAT shows how easily an attacker can gain full, real‑time visibility into a mobile device, exposing far more than personal information," commented Matthew Stern, chief security officer at Hypori.
"The only reliable protection is removing trust from the physical device entirely. By keeping confidential data off the endpoint, organizations ensure that even if spyware takes full control of a device, sensitive information is not accessible."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
