The landscape of malware-as-a-service (MaaS) keeps pushing the limits of cybercrime. Researchers at Cyberthint have examined a new mobile spyware called ZeroDayRAT that enables even non-experts to spy like pros. It has been available for purchase on Telegram channels since February 2, 2026, and it is particularly strong on iOS and Android devices.
Attackers receive a single browser-based panel for direct money grabs and real-time monitoring. This toolkit infiltrates victims' physical and digital environments in addition to stealing data. Cyberthint's investigation reveals that it actively markets itself with pricing, escrow options, and demos, fusing sophisticated spying with financial theft.

The Mechanisms and Stealthy Spread of ZeroDayRAT

ZeroDayRAT begins with straightforward purchases made on Telegram: attackers obtain an iOS payload or an Android APK.
Smishing, phony SMS links that look like app updates or legitimate stores, is the most common way infections spread.
Additionally, attackers use Telegram, WhatsApp, or fake app stores to spread misleading links. It claims to be compatible with iOS 26.2 and Android 16 after installation, indicating a wide audience and continuous updates. Its svelte control panel is where the true power is.
Operators see a complete victim profile after infection, including the device model, the battery level, carrier information, the most used apps, activity timelines, recent calls, and SMS logs.

[Figure: ZeroDayRAT Targets Mobile Devices (Source: Cyberthint)]

Cyberthint reports that live GPS tracking on Google Maps, including location history, extends the surveillance further. For ambient listening, attackers switch on the microphone and both the front and rear cameras. Screen recording captures every action, alongside a keylogger that logs keystrokes, clipboard contents, biometrics, and app switches within milliseconds.
Cyberthint spotted demos where attackers streamed live camera feeds alongside screen grabs, even showing handwritten notes. Its financial modules make it especially dangerous. It scans crypto apps such as MetaMask, Trust Wallet, Binance, and Coinbase, using clipboard injection to swap the victim's wallet addresses with the attacker's.
[Figure: ZeroDayRAT Targets Mobile Devices (Source: Cyberthint)]

Banking attacks use overlays on Apple Pay, Google Pay, PayPal, and local banking apps, plus real-time OTP capture from SMS. Known IOCs include these suspicious domains from the demos:

Indicator Type    Value                   Notes
URL Shortener     hxxp://2cm.es/1oDIZ     Used in WhatsApp smishing redirects
Hosting Domain    mhko78-gui.github.io    GitHub Pages for phishing payloads
Sample Wallet     TQ9… (USDT)             Static addresses in fake panels

This GitHub abuse dodges reputation filters via multi-stage redirects.
Threat Realities, Scam Hazards, and Crucial Elements of Defense

At $250 per day, $1,000 per week, and $3,500 per month, ZeroDayRAT mimics elite state-level tooling, now offered at commodity prices. While scammers tend to avoid it, the sellers use XSS Forum escrow, a cybercrime staple that signals legitimacy. The demos use trust-building techniques to show off one-click compromises.
However, warning signs appear: panel screenshots show ChatGPT tabs with static sample addresses, such as "Create USDT Wallet Address."

[Figure: ZeroDayRAT Targets Mobile Devices (Source: Cyberthint)]

Although the escrow suggests some working functionality, this OpSec slip points to a gaudy fake interface. Alongside POS theft, it sits among other growing mobile threats such as the Arsink RAT, the Anatsa trojan, and NFCShare's Ghost Tap. Businesses and users need to take action.
Any dubious SMS, WhatsApp, or email links should be ignored, especially if they are urgent regarding shipments or bills.
Use hardware keys or app-based authenticators instead of SMS 2FA. Use mobile EDR/MDM for IOC scans and behavioral checks; standard AV solutions are insufficient.
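The IOC scan recommended above can be done with nothing more than the two network indicators from the table. The following is an added example, not Cyberthint's code or anything from the ZeroDayRAT report: it refangs the defanged values (the "hxxp" convention used in the table, plus the common "[.]" form), then matches them against a handful of constructed SMS-gateway and proxy log lines. The URL shortener is matched on host and path so that unrelated 2cm.es links are not flagged, and the hosting domain is matched on host or subdomain. The truncated wallet address from the table is deliberately left out because the article does not give it in full; the log lines, timestamps, and usernames are constructed for the demonstration.

```python
"""Match published ZeroDayRAT network IOCs against log lines.

Added example, not Cyberthint's code. IOC values come from the article's
table; the log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Defanged indicators exactly as published (hxxp:// instead of http://).
IOCS = [
    {"type": "url", "value": "hxxp://2cm.es/1oDIZ",
     "note": "WhatsApp smishing redirect"},
    {"type": "domain", "value": "mhko78-gui.github.io",
     "note": "GitHub Pages phishing payloads"},
]

# Matches URLs inside a log line; stops at whitespace and quote characters.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(value: str) -> str:
    """Reverse the usual defanging conventions so the value can be parsed."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def match_url(url: str) -> list:
    """Return the IOC entries that a single URL matches (empty if clean)."""
    parsed = urlparse(url)
    hits = []
    for ioc in IOCS:
        target = refang(ioc["value"])
        if ioc["type"] == "domain":
            if host_matches(parsed.hostname, target):
                hits.append(ioc)
        elif ioc["type"] == "url":
            # Shortener hits must match host AND path: other 2cm.es links
            # are unrelated and should not be flagged.
            t = urlparse(target)
            if (host_matches(parsed.hostname, t.hostname or "")
                    and parsed.path.rstrip("/") == t.path.rstrip("/")):
                hits.append(ioc)
    return hits


def scan_logs(lines: list) -> list:
    """Return (line_number, url, note) for every IOC hit in the log lines."""
    findings = []
    for number, line in enumerate(lines, 1):
        for raw in URL_RE.findall(line):
            url = raw.rstrip(".,;)")  # trailing punctuation is not part of the URL
            for ioc in match_url(url):
                findings.append((number, url, ioc["note"]))
    return findings


# Constructed sample log lines: one SMS-gateway record and three proxy records.
SAMPLE_LOGS = [
    '2026-02-10T09:14:02Z sms from=+15550100 body="Parcel waiting, update app: http://2cm.es/1oDIZ"',
    "2026-02-10T09:14:30Z proxy user=alice GET https://mhko78-gui.github.io/update/app-release.apk 200",
    "2026-02-10T09:15:01Z proxy user=bob GET https://docs.github.io/en/pages 200",
    "2026-02-10T09:16:44Z proxy user=carol GET http://2cm.es/otherlink 302",
]

if __name__ == "__main__":
    for number, url, note in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {url} -> {note}")
```

Only the first two lines are reported: the docs.github.io request shares the GitHub Pages suffix but not the indicator's host, and the second shortener link has a different path. Feeding the real IOC list into the same function, or exporting the hits to an MDM or SIEM, is a matter of replacing the constructed inputs.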