Fyself News
New ZeroDayRAT mobile spyware enables real-time surveillance and data theft

By user, February 16, 2026

Cybersecurity researchers have revealed details of a new mobile spyware platform called ZeroDayRAT that is being promoted on Telegram as a way to obtain sensitive data and facilitate real-time surveillance on Android and iOS devices.

“Developers operate dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware panel,” said Daniel Kelly, a security researcher at iVerify. “This platform extends beyond normal data collection to real-time surveillance and direct financial theft.”

ZeroDayRAT is designed to support Android versions 5 to 16 and up to iOS version 26. The malware is assessed to be distributed via social engineering or fake app marketplaces. The malicious binaries are generated through a builder provided with an online panel that buyers can set up on their own servers.

Once the malware has infected a device, operators can view its details through the self-hosted panel, including model, location, operating system, battery status, SIM and carrier details, app usage, notifications, and previews of recent SMS messages. This information allows attackers to profile their victims and learn who they are talking to and which apps they use most.

The panel also extracts the victim's current GPS coordinates and plots them on Google Maps, and records a history of all the places they visit over time, effectively turning the phone into a location tracker.

“One of the more problematic panels is the Accounts tab,” Kelly added. “It enumerates all accounts registered on your device, including Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, Spotify, etc., each with an associated username or email.”

Other features of ZeroDayRAT include logging keystrokes and collecting SMS messages, including one-time passwords (OTPs), which lets operators defeat SMS-based two-factor authentication. It also supports hands-on operations such as real-time surveillance via live camera streaming and microphone feeds, allowing adversaries to remotely monitor their victims.

To enable financial theft, the malware includes a stealer component that scans wallet apps such as MetaMask, Trust Wallet, Binance, and Coinbase, replaces wallet addresses copied to the clipboard, and reroutes transactions to wallets under the attacker’s control.
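The clipboard-swapping behaviour described above ("clipper" malware) can be caught by a wallet app, or by a cautious user, with a simple integrity check: remember the address the user intended to copy and compare it with what actually comes back from the clipboard before it is used as a payment destination. The following is an added example written for this page, not code from the article or from iVerify; the addresses are constructed sample values, not real wallets, and the address patterns are deliberately loose syntactic checks rather than full validators.

```python
"""
Added example (not from the article or from iVerify): a clipboard-integrity
check against "clipper" malware that swaps a copied payment address for an
attacker-controlled one. All addresses here are constructed sample values.
"""
import re

# Loose syntactic patterns for the address types clippers commonly target.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
}


def address_type(value: str):
    """Return the address family a string looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


class ClipboardGuard:
    """Remembers the address the user intended to copy and verifies the value
    that comes back from the clipboard before it is used as a destination."""

    def __init__(self):
        self._expected = None  # the last address the user deliberately copied

    def record_copy(self, address: str) -> None:
        # Public addresses are not secret, so storing them in the clear is fine.
        self._expected = address.strip()

    def verify_paste(self, pasted: str) -> dict:
        pasted = pasted.strip()
        if self._expected is None:
            return {"ok": False, "reason": "no_copy_recorded"}
        kind = address_type(pasted)
        if kind is None:
            return {"ok": False, "reason": "not_an_address"}
        if pasted == self._expected:
            return {"ok": True, "reason": "match", "type": kind}
        expected_kind = address_type(self._expected)
        # Some clippers pick an attacker address sharing the first and last
        # characters of the victim's, so a quick visual check passes.
        lookalike = (
            kind == expected_kind
            and pasted[:6] == self._expected[:6]
            and pasted[-4:] == self._expected[-4:]
        )
        return {
            "ok": False,
            "reason": "clipboard_substituted",
            "lookalike": lookalike,
            "type_changed": kind != expected_kind,
        }


# Constructed sample values (not real wallets).
ORIGINAL = "0x" + "ab" * 20                 # what the user copied
LOOKALIKE = "0xabab" + "cd" * 16 + "abab"   # same prefix/suffix, different middle


if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.record_copy(ORIGINAL)
    print(guard.verify_paste(ORIGINAL))
    print(guard.verify_paste(LOOKALIKE))
```

In a real wallet the `record_copy` call sits on the app's own copy action and `verify_paste` runs on the send form; a `clipboard_substituted` result should block the transaction and tell the user the device is likely compromised, since the only thing that can rewrite the clipboard between those two points is software running on the phone.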

There are also bank stealer modules that target mobile wallet platforms such as Apple Pay, Google Pay, and PayPal, as well as PhonePe, an Indian digital payments application that enables instant money transfers over the Unified Payments Interface (UPI), a protocol for real-time peer-to-peer transfers between bank accounts.

“In summary, this is a complete mobile compromise toolkit, the kind of toolkit that previously required state investment and bespoke exploit development, and is now being sold on Telegram,” Kelly said. “A single buyer has complete access to a target’s location, messages, finances, camera, microphone, and keystrokes from a browser tab. Cross-platform support and active development increase the threat to both individuals and organizations.”

ZeroDayRAT is similar to many other malware families that target mobile users through phishing and by infiltrating official app marketplaces. Over the past few years, malicious actors have repeatedly found ways to circumvent the security protections put in place by Apple and Google and trick users into installing malicious apps.

Attacks targeting Apple's iOS typically leverage enterprise provisioning features that allow organizations to install apps without publishing them to the App Store. Commercially marketed toolkits that combine spyware, surveillance, and information-theft capabilities further lower the barrier to entry for less skilled attackers, and their spread highlights the evolution and persistence of mobile-focused cyber threats.

The news of commercial spyware platforms coincides with the emergence of a variety of mobile malware and fraud campaigns that have come to light in recent weeks.

  • An Android Remote Access Trojan (RAT) campaign used Hugging Face to host and distribute malicious APK files. The infection chain begins when a user downloads a seemingly harmless dropper app (such as TrustBastion), which, when opened, prompts the user to install an update; that "update" is an APK file hosted on Hugging Face. The malware then requests accessibility permissions and other sensitive controls to enable surveillance and credential theft.
  • The Android RAT known as Arsink, in addition to relying on Firebase and Telegram for command-and-control (C2), was found to use Google Apps Script to exfiltrate media and other files to Google Drive. The malware, which allows data theft and full remote control, impersonates a variety of popular brands and is distributed via Telegram, Discord, and MediaFire links. Alcin infections are concentrated in Egypt, Indonesia, Iraq, Yemen, and Turkiye.
  • A document reader app named All Document Reader (package name: com.recursivestd.highlogic.stellargrid) uploaded to the Google Play Store has been flagged for acting as an installer for the Anatsa (also known as TeaBot and Toddler) banking Trojan. The app garnered over 50,000 downloads before being removed.
  • An Android banking Trojan called deVixor has been actively targeting users in Iran since October 2025 through phishing websites masquerading as legitimate automotive companies. The malware contains a remotely launched ransomware module that can not only collect sensitive information but also lock the device and demand a cryptocurrency payment. It uses Google Firebase for command delivery and Telegram-based bot infrastructure for management.
  • A malicious campaign codenamed "ShadowRemit" leveraged fake Android apps and pages that mimic Google Play app listings to enable unauthorized cross-border money transfers. These fake pages have been found promoting unauthorized APKs as a reliable money transfer service with zero fees and improved exchange rates. "Victims are instructed to remit payments to beneficiary accounts/e-wallet endpoints and submit screenshots of transactions as proof of verification," CTM360 said. "This approach allows us to circumvent regulated money transfer channels and is consistent with the Rava account collection pattern."
  • An Android malware campaign targeting users in India exploited trust in government services and official digital platforms to distribute malicious APK files through WhatsApp, leading to the deployment of malware capable of stealing data, establishing persistent control, and running cryptocurrency miners.
  • Operators of the Android trojan and cybercriminal tool Triada have been observed using phishing landing pages disguised as Chrome browser updates to trick users into downloading malicious APK files hosted on GitHub. According to Alex's analysis, attackers have been "actively taking over long-standing, fully verified advertiser accounts in order to distribute malicious redirects."
  • WhatsApp-oriented fraud campaigns use video calls in which attackers pose as bank representatives or Meta support, instruct the victim to share their phone screen to "address fraudulent charges" on their credit card, and have them install legitimate remote access apps such as AnyDesk or TeamViewer, which the attackers then use to steal sensitive data.
  • An Android spyware campaign targeted individuals in Pakistan using romance scam tactics to distribute a malicious dating chat app called GhostChat and steal victims' data. It is currently unknown how the malware is distributed. The attackers behind this operation are also suspected of running a ClickFix attack, which infects victims' computers with a DLL payload that can collect system metadata and execute commands issued by external servers, as well as a WhatsApp device-linking attack called GhostPairing to gain access to WhatsApp accounts.
  • A new family of Android click-fraud Trojans called Phantom was discovered to leverage the JavaScript machine learning library TensorFlow.js to automatically detect and manipulate certain ad elements on sites loaded into hidden WebViews. Another "signaling" mode uses WebRTC to stream a live video feed of a virtual browser screen to an attacker's server, allowing remote clicks, scrolling, or text input. The malware is distributed through mobile games published on Xiaomi's GetApps store and other unofficial third-party app stores.
  • An Android malware family called NFCShare is distributed through a Deutsche Bank phishing campaign that tricks users into installing a malicious APK file ('deutsche.apk') disguised as an update, which reads NFC card data and exfiltrates it to a remote WebSocket endpoint. The malware shares similarities with NFC relay malware families including NGate, ZNFC, SuperCard
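Several of the campaigns above share the same permission footprint: SMS access for OTP theft, an accessibility service for reading and driving the UI, REQUEST_INSTALL_PACKAGES for dropper-style "updates", and camera/microphone access for live surveillance. A defender triaging a suspicious APK can flag those combinations statically from its AndroidManifest.xml. The following is an added example written for this page, not code from the article or from any vendor it cites; the two manifests embedded in it are constructed samples, not real apps, and the risk labels and the "review" threshold are the example's own assumptions.

```python
"""
Added example (not from the article or any cited vendor): static triage of an
Android manifest for the permission combinations mobile RATs and bankers rely
on. SAMPLE_MANIFEST and BENIGN_MANIFEST are constructed, not real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS
P = "android.permission."

# Permissions worth a second look on their own, with the capability each unlocks.
SENSITIVE = {
    P + "READ_SMS": "read stored SMS (incl. OTP codes)",
    P + "RECEIVE_SMS": "intercept incoming SMS (incl. OTP codes)",
    P + "REQUEST_INSTALL_PACKAGES": "side-load further APKs (dropper behaviour)",
    P + "SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    P + "CAMERA": "camera access",
    P + "RECORD_AUDIO": "microphone access",
    P + "ACCESS_FINE_LOCATION": "precise location tracking",
    P + "GET_ACCOUNTS": "enumerate accounts registered on the device",
    P + "NFC": "read NFC cards/tags",
}

# Combinations that together describe a RAT/banker capability.
# "accessibility" is a pseudo-permission set when an accessibility service is declared.
COMBOS = [
    ({P + "RECEIVE_SMS", "accessibility"}, "OTP interception plus UI control"),
    ({P + "CAMERA", P + "RECORD_AUDIO"}, "live audio/video surveillance"),
    ({P + "REQUEST_INSTALL_PACKAGES", "accessibility"},
     "self-updating dropper that can click through install prompts"),
]


def triage_manifest(xml_text: str) -> dict:
    """Parse a manifest and return requested permissions plus risk findings."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")
                 if el.get(NAME_ATTR)}
    # An accessibility service is declared on a <service> element guarded by
    # BIND_ACCESSIBILITY_SERVICE, not via <uses-permission>.
    accessibility = any(svc.get(PERMISSION_ATTR) == P + "BIND_ACCESSIBILITY_SERVICE"
                        for svc in root.iter("service"))
    capabilities = set(requested)
    if accessibility:
        capabilities.add("accessibility")
    findings = [SENSITIVE[p] for p in sorted(requested) if p in SENSITIVE]
    if accessibility:
        findings.append("declares an accessibility service (full UI read/control)")
    findings += ["COMBO: " + label for needed, label in COMBOS if needed <= capabilities]
    score = len(findings)  # assumed scoring: one point per finding
    return {
        "package": root.get("package"),
        "permissions": sorted(requested),
        "accessibility_service": accessibility,
        "findings": findings,
        "score": score,
        "verdict": "review" if score >= 3 else "low",
    }


# Constructed sample: a "document reader" with a banker-style footprint.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Doc Reader">
        <service android:name=".A11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: an app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["score"])
        for line in result["findings"]:
            print("  -", line)
```

The manifest is extracted from an APK with the usual tooling (for example `apktool d app.apk` or `aapt dump xmltree app.apk AndroidManifest.xml` rendered to XML) and fed to `triage_manifest`; a "review" verdict is a prompt for dynamic analysis, not proof of malice, since legitimate assistive or banking apps can request some of the same permissions.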

Group-IB said in a report released last month that it has witnessed a surge in NFC-enabled Android tap-to-pay malware, most of which is being promoted within the Chinese cybercrime community on Telegram. NFC-based relay technology is also known as Ghost Tap.

“From November 2024 to August 2025, at least $355,000 in fraudulent transactions were recorded from one POS vendor alone,” the Singapore-based cybersecurity firm said. “In another scenario observed, mobile wallets preloaded with compromised cards are used by mules around the world to make purchases.”

Group-IB also said it has identified three major vendors of Android NFC relay apps, including TX-NFC, X-NFC and NFU Pay, and said TX-NFC has gained over 25,000 subscribers on Telegram since its launch in early January 2025. X-NFC and NFU Pay have over 5,000 and 600 subscribers respectively on their messaging platforms.

The ultimate goal of these attacks is to trick victims into installing NFC-enabled malware that reads the physical payment card tapped against their smartphone, capturing the transaction data and relaying it through attacker-controlled servers to the criminals' own devices. A companion app on the money mule's device then completes payments and cash-outs as if the victim's card were physically present.

Citing growing concerns about tap-to-pay fraud, Group-IB said it observed a steady increase in the detection of malware artifacts from May 2024 to December 2025, adding: “At the same time, different families and variants have emerged, while older ones remain active. This shows that this technology is widespread among fraudsters.”

© 2026 news.fyself. Designed by by fyself.