A new mobile spyware operation known as ZeroDayRAT has been documented targeting both Android and iOS devices.
The cross-platform tool provides attackers with persistent access to personal communications, precise location data and banking activity.
According to a new advisory published by iVerify, what’s new is the breadth of control offered to operators and how easily infections can be initiated.
To compromise a device, an attacker must simply persuade a victim to install a malicious binary, typically an Android APK or an iOS payload.
Smishing remains the most common lure, with text messages pushing links to fake but convincing apps. Phishing emails, counterfeit app stores and links shared through WhatsApp or Telegram have also been observed.
Device Overview, User Profiling and Financial Theft
Once infected, the first screen presented to an operator is an extensive overview of the device via a dedicated web-based dashboard.
Hardware details, operating system version, battery status, country, SIM and carrier information and lock status are displayed alongside app usage broken down by time.
Recent SMS messages and a live activity timeline appear in the same view, allowing rapid profiling of the user’s habits and contacts.
Scrolling through the overview reveals intercepted messages from banks, mobile carriers and personal contacts. This single panel can show who the user communicates with most, when the device is active and which networks it connects to. From there, operators can pivot into more detailed data streams.
Separate tabs expose additional surveillance capabilities. GPS data is plotted on an embedded Google Maps view with full location history.
Notifications are captured passively, including alerts from WhatsApp, Instagram, Telegram, YouTube, missed calls and system events, without opening any apps.
Read more on mobile spyware: ClayRat Android Spyware Expands Capabilities
ZeroDayRAT also includes dedicated financial theft modules:
-
A crypto stealer that detects wallets and injects attacker-controlled clipboard addresses
-
A banking stealer targeting online banking apps, UPI platforms such as PhonePe and Google Pay and services including Apple Pay and PayPal via overlay attacks
A Persistent and Growing Threat
iVerify said the platform represents a complete mobile compromise toolkit that once required nation-state resources.
It is now marketed through Telegram channels, offering buyers access to a target’s location, messages, finances, camera, microphone and keystrokes across Android and iOS.
iVerify warned that compromised employee devices pose serious risks for credential theft, account takeover and data exfiltration.
“For enterprises, a compromised employee device is a vector for credential theft, account takeover, and data exfiltration,” the team said. “For individuals, it means total loss of privacy and direct financial exposure. Mobile device security needs to be treated with the same urgency as endpoint and email security.”
They added that detecting threats like ZeroDayRAT requires mobile EDR capabilities that extend beyond traditional device management, combining on-device detection, mobile forensics and automated response across both managed and BYOD environments.
