New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft: A Growing Cybersecurity Threat
Cybersecurity researchers have uncovered a new mobile spyware platform, dubbed ZeroDayRAT, which is being marketed on Telegram as a means to capture sensitive data and facilitate real-time surveillance on Android and iOS devices. The platform, which supports Android versions 5 through 16 and iOS versions up to 26, is distributed via social engineering or fake app marketplaces.
According to Daniel Kelley, a security researcher at iVerify, “The developer operates dedicated channels for sales, customer support, and regular updates, providing buyers with a single point of access to a fully operational spyware panel.”
Kelley notes that the platform goes beyond typical data collection, enabling real-time surveillance and direct financial theft.
Malware Capabilities
Once the malware infects a device, the operator gains access to a wide range of information, including device model, location, operating system, battery status, SIM and carrier details, app usage, notifications, and a preview of recent SMS messages. This information allows the threat actor to profile the victim and gather intelligence on their activities.
The malware also extracts the victim’s current GPS coordinates and plots them on Google Maps, together with a history of previous locations. Combined, the live fix and the history let the operator track the victim’s movements over time.
The platform’s capabilities include logging keystrokes, gathering SMS messages, and allowing hands-on operations, such as activating real-time surveillance via live camera streaming and microphone feed. This enables the adversary to remotely monitor the victim.
Financial Theft
To facilitate financial theft, the malware incorporates a stealer component that scans for wallet apps, such as MetaMask, Trust Wallet, Binance, and Coinbase, and substitutes wallet addresses copied to the clipboard to reroute transactions to a wallet under the attacker’s control. Additionally, the malware targets online mobile wallet platforms, including Apple Pay, Google Pay, PayPal, and PhonePe.
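The clipboard substitution described above is a well-known "clipper" pattern: the victim copies a wallet address, the malware overwrites the clipboard with an attacker-controlled address of the same format, and the victim pastes the wrong destination. The following is an added example (not code from the original article or from iVerify) of the detection logic a clipboard monitor could apply to a stream of clipboard-write events: it flags a wallet address being replaced by a different address of the same family, within a short window, by a writer other than the app the user was copying from. The event format, package names and address patterns are constructed for illustration; the patterns check shape only, not checksums.

```python
import re
from dataclasses import dataclass


@dataclass
class ClipEvent:
    """One clipboard write, as a privileged clipboard manager or IME would observe it.
    Constructed record format for this example, not any OS API."""
    ts: float      # seconds (monotonic clock)
    source: str    # package/process that wrote the clipboard
    text: str      # new clipboard contents


# Shape-only heuristics for common wallet address families (no checksum validation).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{25,59}"),
    "tron": re.compile(r"T[a-km-zA-HJ-NP-Z1-9]{33}"),
}


def classify(text):
    """Return the address family the clipboard text looks like, or None."""
    text = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(text):
            return name
    return None


def detect_clipper(events, window_s=5.0):
    """Scan clipboard events in order and return suspected swaps.

    A swap is reported when an address on the clipboard is replaced by a
    *different* address of the *same* family, within window_s seconds, by a
    different writer than the one that placed the original address. A user
    copying two addresses from the same app seconds apart is not flagged;
    a background process rewriting the clipboard right after a copy is.
    """
    alerts = []
    prev, prev_kind = None, None
    for ev in events:
        kind = classify(ev.text)
        if (
            prev is not None
            and kind is not None
            and kind == prev_kind
            and ev.text.strip() != prev.text.strip()
            and ev.source != prev.source
            and (ev.ts - prev.ts) <= window_s
        ):
            alerts.append((prev.text, ev.text, ev.source))
        prev, prev_kind = ev, kind
    return alerts


# Constructed sample: a copy from a browser is overwritten 400 ms later by an
# unrelated package with another ETH-shaped address (the clipper case), then a
# non-address copy, then two legitimate bech32 copies 30 s apart from the same app.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "com.example.browser",
              "0x1111111111111111111111111111111111111111"),
    ClipEvent(100.4, "com.example.unknownservice",
              "0x2222222222222222222222222222222222222222"),
    ClipEvent(200.0, "com.example.browser", "meeting at 3pm"),
    ClipEvent(300.0, "com.example.browser",
              "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(330.0, "com.example.browser",
              "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
]

if __name__ == "__main__":
    for original, replacement, writer in detect_clipper(SAMPLE_EVENTS):
        print(f"suspected clipper: {writer} replaced {original} with {replacement}")
```

The logic is deliberately conservative (same family, different writer, tight window) to avoid flagging a user who copies several addresses in a row. Note that on Android 10 and later only the foreground app, the active input method and the default clipboard manager can read the clipboard, so a monitor like this would have to run from one of those positions; the example illustrates the detection rule, not a deployable third-party app.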
Kelley emphasizes that ZeroDayRAT is a complete mobile compromise toolkit, which previously required significant investment or bespoke exploit development. “A single buyer gains full access to a target’s location, messages, finances, camera, microphone, and keystrokes from a browser tab,” he notes.
Evolving Sophistication of Mobile-Focused Cyber Threats
The emergence of ZeroDayRAT highlights the evolving sophistication and persistence of mobile-focused cyber threats. Its commercial availability lowers the barrier to entry for less skilled attackers, enabling them to launch targeted attacks without building tooling of their own.
In recent weeks, various mobile malware and scam campaigns have come to light, including an Android remote access trojan (RAT) campaign that uses Hugging Face to host and distribute malicious APK files. Another campaign, known as Arsink, uses Google Apps Script for media and file exfiltration to Google Drive, in addition to relying on Firebase and Telegram for command and control (C2).
Other notable campaigns include the distribution of a malicious document reader app, All Document Reader, which acts as an installer for the Anatsa banking trojan, and the deVixor Android banking trojan, which targets Iranian users through phishing websites.
The ShadowRemit campaign, which exploits fake Android apps and pages mimicking Google Play app listings, enables unlicensed cross-border money transfers. Meanwhile, an Android malware campaign targeting users in India abuses the trust associated with government services and official digital platforms to distribute malicious APK files.
These campaigns show how mobile-focused threats continue to evolve and adapt to evade detection. Individuals and organizations should remain vigilant, install apps only from trusted sources, and apply robust security measures to protect against these emerging threats.
