ZeroDayRAT Spyware Emerges, Offering Full Control Over Android and iOS Devices
- John Jordan
- 9 hours ago
A new mobile spyware platform, dubbed ZeroDayRAT, has been discovered that targets both Android and iOS users. The toolkit, advertised on Telegram, gives attackers comprehensive remote control over infected devices, enabling real-time surveillance, wholesale data theft, and financial fraud. Its availability on underground markets lowers the barrier to entry for cybercriminals seeking advanced espionage capabilities.
Key Takeaways
Full Device Compromise: ZeroDayRAT provides complete remote access to Android (versions 5-16) and iOS (up to version 26) devices.
Real-Time Surveillance: Enables live camera and microphone feeds, screen recording, and keystroke logging.
Data Theft: Extracts sensitive information including messages, account credentials, location history, and financial data.
Financial Fraud: Includes modules for stealing cryptocurrency and banking credentials, and rerouting transactions.
Accessibility: Marketed on Telegram, requiring no advanced technical expertise from buyers.
How ZeroDayRAT Operates
ZeroDayRAT is distributed through phishing links in SMS messages (smishing), malicious apps on third-party stores, fake app marketplaces, and files shared on messaging platforms. Once the implant is installed, the operator manages infected devices from a self-hosted control panel.
This panel offers a detailed overview of the victim's device, including model, operating system, battery status, carrier information, and recent SMS messages. It also logs app usage patterns and activity timelines, allowing attackers to profile the user's behavior.
Advanced Surveillance and Data Extraction
Beyond basic data collection, ZeroDayRAT excels in real-time surveillance. Attackers can activate the device's camera and microphone to stream live feeds, effectively turning the phone into a listening and watching device. Keystroke logging captures all user input, including passwords and messages.
The platform also meticulously tracks the victim's location, plotting GPS coordinates and historical data on an embedded Google Maps view. Notifications from various apps, including banking and social media, are intercepted, providing attackers with a constant stream of information.
Financial Theft and Account Takeover
ZeroDayRAT is equipped with modules specifically designed for financial theft. A cryptocurrency stealer targets popular wallets like MetaMask and Binance, employing clipboard injection: when the victim copies a wallet address, the implant silently replaces the clipboard contents with an attacker-controlled address of the same type, so the transaction the victim pastes and confirms is rerouted to the attacker. A bank stealer module captures credentials from online banking apps and payment services like Google Pay and PayPal through overlay attacks, in which a fake login screen is drawn on top of the legitimate app and harvests whatever the victim types into it.
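The clipboard substitution described above, as an added example that is not part of the original article or of ZeroDayRAT's own code: a small Python model of a clipper together with two defensive checks, a detection heuristic over clipboard events and a wallet-side confirmation that the pasted destination still equals the address the user intended. The address patterns, the event format and the sample addresses are constructed assumptions for illustration, not real wallets or a real implant.

```python
import re
from dataclasses import dataclass

# Simplified wallet-address patterns (assumption: enough to classify addresses in
# this example; they are not full checksum validation).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
}


def address_kind(text: str):
    """Return the address family a string belongs to, or None if it is not an address."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass
class ClipEvent:
    """One clipboard observation. source is 'user_copy' (the victim copied text)
    or 'clip_read' (an app read the clipboard, e.g. on paste)."""
    ts: float
    source: str
    content: str


def clipper_substitute(content: str, attacker_addresses: dict) -> str:
    """Model of the clipper: if the clipboard holds a wallet address of a family the
    attacker has a wallet for, silently replace it with the attacker's address."""
    kind = address_kind(content)
    if kind in attacker_addresses:
        return attacker_addresses[kind]
    return content


def detect_swaps(events):
    """Detection heuristic: a clipboard read that returns a wallet address of the same
    family as the victim's most recent copy, but with a different value, is a swap."""
    alerts = []
    last_copy = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source == "user_copy":
            last_copy = ev
            continue
        if ev.source != "clip_read" or last_copy is None:
            continue
        copied_kind = address_kind(last_copy.content)
        if copied_kind is None:
            continue
        if address_kind(ev.content) == copied_kind and ev.content != last_copy.content:
            alerts.append({
                "ts": ev.ts,
                "kind": copied_kind,
                "copied": last_copy.content.strip(),
                "pasted": ev.content.strip(),
            })
    return alerts


def same_address_confirmed(intended: str, pasted: str) -> bool:
    """Wallet-side check before sending: the pasted destination must equal the
    address the user intended. Only surrounding whitespace is ignored."""
    return intended.strip() == pasted.strip()


# Constructed sample data (not real wallets): the victim copies a friend's address,
# the clipper rewrites the clipboard, and the wallet app then reads the swapped value.
VICTIM_INTENDED = "0x1111111111111111111111111111111111111111"
ATTACKER_WALLETS = {"eth": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}

SAMPLE_EVENTS = [
    ClipEvent(1.0, "user_copy", "meet at 6"),
    ClipEvent(2.0, "clip_read", "meet at 6"),  # benign paste, not an address
    ClipEvent(3.0, "user_copy", VICTIM_INTENDED),
    ClipEvent(3.5, "clip_read", clipper_substitute(VICTIM_INTENDED, ATTACKER_WALLETS)),
]


def run_demo():
    """Run the detector over the sample events and the wallet-side check on the paste."""
    alerts = detect_swaps(SAMPLE_EVENTS)
    for a in alerts:
        print(f"[{a['ts']}] {a['kind']} address swapped: {a['copied']} -> {a['pasted']}")
    pasted = SAMPLE_EVENTS[-1].content
    print("send allowed:", same_address_confirmed(VICTIM_INTENDED, pasted))
    return alerts


if __name__ == "__main__":
    run_demo()
```

The detector only works where both ends of the clipboard round trip are visible, such as a wallet app's own paste handler or an on-device agent that watches clipboard changes; a pasted string seen on its own is indistinguishable from a legitimate address, which is why the user-facing mitigation is to compare the full address (or at minimum its first and last characters) against the one you meant to send before confirming.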
Furthermore, the spyware enumerates all registered accounts on the device, such as Google, Facebook, and Instagram, along with their associated usernames and emails. This information can be leveraged for account takeovers or targeted social engineering attacks.
A Growing Threat
Security researchers describe ZeroDayRAT as a "complete mobile compromise toolkit," comparable to tools that previously required nation-state resources. Its cross-platform support and active development make it a rapidly evolving threat, and because it can be bought and operated through Telegram by people without specialist skills, it poses a substantial risk to individuals and organizations alike.
Sources
New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft, The Hacker News.
ZeroDayRAT Exploit Targets Android & iOS, Enabling Real-Time Surveillance and Massive Data Theft, GBHackers News.
iOS and Android users beware: This new spyware kit allows hackers to take full control of your device, ITPro.
New 'ZeroDayRAT' Spyware Kit Enables Total Compromise of iOS, Android Devices, SecurityWeek.
ZeroDayRAT malware grants full access to Android, iOS devices, BleepingComputer.