A new cross-platform spyware sold openly through Telegram is lowering the barrier for hackers seeking remote access to mobile devices.

Called “ZeroDayRAT” by its developer, the toolkit is being marketed through Telegram channels as a ready-to-deploy remote access solution. iVerify researchers traced its first activity to 2nd February, with the spyware being distributed as an APK for Android and a payload for iOS.

“The developer runs dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware panel,” the researchers said in a blog post. “No technical expertise is required. The platform goes beyond typical data collection into real-time surveillance and direct financial theft.”

Capabilities once reserved for nation-state operators are now packaged, documented, and sold on Telegram, complete with customer support, they noted.

Broad surveillance and credential theft

ZeroDayRAT is designed as a mobile surveillance and data exfiltration platform rather than a simple infostealer. According to iVerify, the malware can collect a wide range of sensitive data from infected devices, including messages, call logs, contacts, location information, photos, and files. It can also harvest notifications and device metadata, giving operators visibility into both user activity and installed applications.

“Notifications are captured separately: app name, title, content, timestamp,” the researchers said. “WhatsApp messages, Instagram notifications, missed calls, Telegram updates, YouTube alerts, system events. Without opening a single app, an attacker has passive visibility into nearly everything happening on the phone.”

The platform’s “Accounts” panel was singled out as particularly concerning: it enumerates every account registered on the infected device, along with the associated usernames or email addresses, covering services such as Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, and Spotify. The researchers warned that this consolidated view of a victim’s digital footprint could give attackers enough information to attempt account takeovers or conduct highly targeted social engineering attacks.

Data exfiltration is managed through a centralized command infrastructure, allowing operators to monitor multiple victims and retrieve information on demand. iVerify noted that the toolkit is packaged with a web-based management panel, documentation, and updates, indicating a commercialized offering intended for repeat use rather than a one-off campaign.

The range of supported operating system versions, spanning Android 5 through 16 and iOS up to 26, further increases the toolkit’s potential reach across consumer and enterprise devices.

Reliance on deception, not exploits

Despite the name, ZeroDayRAT does not depend on undisclosed operating system vulnerabilities to infect devices. Instead, the primary infection vector is social engineering. Victims are persuaded to install a malicious application or configuration profile disguised as legitimate software, often delivered through links shared via SMS, email, or messaging platforms.

The researchers did not detail the infection chain. On Android, this kind of delivery typically means sideloading an app from outside the official Play Store, often followed by prompts to grant extensive permissions (notification access, for instance, is what gives the notification capture described above its visibility). On iOS, installation may rely on enterprise provisioning mechanisms or user-approved configuration profiles that let the malicious app run outside the App Store review process.

Because infection depends on user interaction rather than zero-click exploits, preventing unauthorized app installation remains a key control against such threats. “Detecting threats like ZeroDayRAT requires mobile EDR that goes beyond traditional device management,” the researchers said, claiming that iVerify has detection, forensics, and automated response solutions to help users identify a compromise across BYOD and managed fleets.
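Because the Android infection path described above comes down to a sideloaded package that then asks for broad access, a quick triage check is to list third-party packages that did not come from a store and see which of them hold notification-listener or accessibility access. The script below is an added example, not code from iVerify or from the article; it parses the output of three adb commands (`pm list packages -i -3`, and `settings get secure` for the `enabled_notification_listeners` and `enabled_accessibility_services` keys) from constructed sample text so it runs offline. The set of store installers, the sample package names, and the severity scale are assumptions made for the example.

```python
"""Triage helper: flag sideloaded Android packages that hold surveillance-grade access.

Input is the text of three adb commands (run them on a real device; the samples
below are constructed):
  adb shell pm list packages -i -3
  adb shell settings get secure enabled_notification_listeners
  adb shell settings get secure enabled_accessibility_services
The -3 flag limits the listing to third-party packages, so "installer=null"
means adb/sideload rather than a preinstalled system app.
"""
import re
from dataclasses import dataclass

# Installers treated as store installs. Google Play is the one the article
# mentions; the Galaxy Store entry is an assumption showing how to extend the set.
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


@dataclass
class Finding:
    package: str
    installer: str
    notification_listener: bool
    accessibility_service: bool

    @property
    def sideloaded(self) -> bool:
        # No store installer: "null" (adb) or the system package installer (downloaded APK).
        return self.installer not in STORE_INSTALLERS

    @property
    def severity(self) -> str:
        # Assumed scale: sideloaded plus passive-visibility access is the pattern to chase first.
        if self.sideloaded and (self.notification_listener or self.accessibility_service):
            return "high"
        if self.sideloaded:
            return "medium"
        if self.notification_listener or self.accessibility_service:
            return "low"
        return "none"


def parse_packages(text: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -i -3` output."""
    result = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_components(text: str) -> set[str]:
    """Package names from a colon-separated list of pkg/Class component names,
    the format of both secure settings; `settings get` prints "null" when unset."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(packages_text: str, listeners_text: str, a11y_text: str) -> list[Finding]:
    """Combine the three outputs and return findings, most severe first."""
    listeners = parse_components(listeners_text)
    a11y = parse_components(a11y_text)
    findings = [
        Finding(pkg, inst, pkg in listeners, pkg in a11y)
        for pkg, inst in parse_packages(packages_text).items()
    ]
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.package))


# Constructed sample output (package names other than WhatsApp are made up).
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.wearapp  installer=com.android.vending
package:com.example.sysupdate  installer=com.google.android.packageinstaller
package:org.example.notes  installer=null
"""
SAMPLE_LISTENERS = (
    "com.example.sysupdate/com.example.sysupdate.svc.NotifListener"
    ":com.example.wearapp/com.example.wearapp.NotifBridge"
)
SAMPLE_A11Y = "null"

if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, SAMPLE_LISTENERS, SAMPLE_A11Y):
        print(f"{f.severity:6} {f.package:28} installer={f.installer:38} "
              f"notif={f.notification_listener} a11y={f.accessibility_service}")
```

On the sample, the package that arrived through the system package installer and registered a notification listener ranks first; a store-installed app with a listener ranks as informational. Run against a real device, a "high" entry is a starting point for forensics, not proof of compromise: legitimate wearable and automation apps also hold notification access.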
