
In the ever-evolving world of cybercrime, new threats are emerging at an alarming rate. One of the latest and most concerning of these is a mobile spyware known as ZeroDayRAT. First discovered by Cyberthint researchers, this malware is changing the game in terms of what cybercriminals can do with minimal expertise. Sold openly on Telegram since February 2, 2026, it targets both Android and iOS devices, providing attackers with a powerful tool to monitor and steal from victims in real time. Here’s a closer look at the ZeroDayRAT malware, its mechanics, and the growing threat it poses.
ZeroDayRAT’s Stealthy Infiltration and Dangers
ZeroDayRAT is marketed and sold openly on Telegram, where it can be easily accessed by anyone willing to pay for it. The malware comes in the form of an APK for Android or a payload for iOS, and its primary method of spreading is through smishing — fake SMS messages that trick users into clicking on malicious links. These links often masquerade as app updates or legitimate offers, leading to the infection of the victim’s device.
Once installed, the malware allows attackers to take full control of the device. Through a sleek, browser-based control panel, cybercriminals can monitor their victims’ every move. The panel provides a detailed profile of the infected device, including the device model, battery level, carrier details, and activity logs. In addition, the malware allows attackers to track the victim’s GPS location in real time, access the front and rear cameras, and even listen in on conversations through the device’s microphone.
But ZeroDayRAT doesn’t stop there. It also includes keylogging functionality, capturing every keystroke, clipboard entry, and app interaction in milliseconds. The malware even has the ability to record screens and capture handwritten notes, making it a potent surveillance tool.
The Financial Threat: Crypto and Banking Exploits
What makes ZeroDayRAT particularly dangerous is its ability to target financial apps. The malware scans for popular cryptocurrency wallets such as MetaMask, Trust Wallet, Binance, and Coinbase, swapping out the victim’s crypto wallet address with the attacker’s. It also uses banking overlays on Apple Pay, Google Pay, and PayPal, and can capture one-time passcodes (OTPs) via SMS, enabling attackers to carry out real-time financial theft.
The attack is sophisticated enough to bypass typical security measures, such as two-factor authentication (2FA) via SMS. The malware even uses GitHub Pages to host phishing payloads, making it harder for security systems to detect the threat. The toolkit is sold in various pricing tiers: daily access costs $250, weekly access is $1,000, and monthly access is available for $3,500, making it accessible to a wide range of cybercriminals.
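The delivery path described above (smishing links posing as app updates, an APK payload, phishing pages hosted on GitHub Pages) can be turned into a simple SMS triage heuristic. This is an added example, not taken from the original report; the word list, the threshold and the sample messages are constructed assumptions, not published ZeroDayRAT indicators.

```python
import re
from urllib.parse import urlsplit

# Assumed heuristics for illustration, not published ZeroDayRAT indicators.
SHARED_HOSTING_SUFFIXES = (".github.io",)   # GitHub Pages sites
LURE_WORDS = ("update", "upgrade", "verify", "offer", "reward", "install")
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
FLAG_THRESHOLD = 2                          # reasons needed to flag a message

# Constructed sample messages; the github.io host is a placeholder.
SAMPLE_SMS = [
    "Your banking app is out of date. Install the update now: "
    "https://sample-placeholder.github.io/app/update.apk",
    "Your parcel is ready for pickup, details at https://example.com/track/123",
    "Dinner at 7? I'll update you when I leave.",
]


def extract_links(body):
    """Return (host, path) for each http(s) URL in an SMS body."""
    links = []
    for raw in URL_RE.findall(body):
        try:
            parts = urlsplit(raw.rstrip(".,;:!?)"))
        except ValueError:      # malformed URL, e.g. broken IPv6 brackets
            continue
        if parts.hostname:
            links.append((parts.hostname.lower(), parts.path.lower()))
    return links


def score_sms(body):
    """List the reasons a message looks like an update-themed smishing lure."""
    links = extract_links(body)
    if not links:               # lure wording without a link is not scored
        return []
    reasons = []
    if any(word in body.lower() for word in LURE_WORDS):
        reasons.append("lure wording alongside a link")
    for host, path in links:
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            reasons.append(f"link on shared static hosting: {host}")
        if path.endswith(".apk"):
            reasons.append(f"direct APK download: {path}")
    return reasons


def triage(messages):
    """Return indexes of messages with at least FLAG_THRESHOLD reasons."""
    return [i for i, m in enumerate(messages) if len(score_sms(m)) >= FLAG_THRESHOLD]
```

Requiring two or more reasons keeps an ordinary link or an ordinary mention of "update" from being flagged on its own.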
What Undercode Say: A Deep Dive into the Growing Threat of ZeroDayRAT
The rise of Malware-as-a-Service (MaaS) platforms like ZeroDayRAT marks a significant shift in the landscape of cybercrime. These platforms allow even low-skilled individuals to carry out highly sophisticated cyberattacks with little technical knowledge. While ZeroDayRAT is currently one of the most advanced mobile spyware tools available, it is part of a larger trend of increasingly accessible cybercrime services.
The ability of cybercriminals to purchase and deploy such advanced malware easily is a worrying development. The malware’s ability not only to spy on victims but also to engage in financial theft and crypto-wallet hijacking reflects how cybercrime is becoming more sophisticated and harder to defend against. The pricing model used by ZeroDayRAT also signals that cybercrime is no longer a niche industry; it is now a business, complete with tools and services available for purchase by anyone.
What makes this even more concerning is the use of social engineering tactics, such as smishing and fake app updates, to trick users into downloading the malware. As cybercriminals become more adept at exploiting human trust, traditional security measures like firewalls and antivirus software are no longer enough to protect against these types of attacks.
Fact Checker Results
Accuracy of Threat Description: ✅ The description of ZeroDayRAT’s capabilities aligns with known trends in mobile spyware.
Malware Behavior: ✅ The functionalities, such as GPS tracking, camera access, and crypto-wallet hijacking, are consistent with recent cybersecurity research.
Vendor Legitimacy: ✅ Despite some red flags, the use of escrow services in cybercrime shows growing professionalism among attackers.
Prediction
The rise of MaaS platforms like ZeroDayRAT will likely lead to an increase in the number and sophistication of cyberattacks, especially targeting mobile devices. With cybercriminals now able to access high-end malware for relatively low costs, individuals and businesses will need to adopt more robust security measures. The trend of targeting financial systems, including crypto wallets and payment apps, is expected to continue, with attacks becoming more difficult to detect and prevent.
References:
Reported By: cyberpress.org




