Cybersecurity researchers have disclosed details of a new mobile spyware platform dubbed ZeroDayRAT that’s being advertised on Telegram as a way to grab sensitive data and facilitate real-time surveillance on Android and iOS devices.
“The developer runs dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware panel,” Daniel Kelley, security researcher at iVerify, said. “The platform goes beyond typical data collection into real-time surveillance and direct financial theft.”
ZeroDayRAT is designed to support Android versions 5 through 16 and iOS versions up to 26. It’s assessed that the malware is distributed via social engineering or fake app marketplaces. The malicious binaries are generated through a builder that’s provided to buyers along with an online panel that they can set up on their own server.
Once the malware infects a device, the operator gets to see all the details, including model, location, operating system, battery status, SIM, carrier details, app usage, notifications, and a preview of recent SMS messages, through a self-hosted panel. This information allows the threat actor to profile the victim and glean more about who they talk to and the apps they use the most.
The panel also extracts their current GPS coordinates and plots them on Google Maps, along with the history of all locations they have been to over time, effectively turning it into spyware.
“One of the more problematic panels is the accounts tab,” Kelley added. “Every account registered on the device is enumerated: Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, Spotify, and more, each with its associated username or email.”
Some of the other capabilities of ZeroDayRAT include logging keystrokes, gathering SMS messages — including one-time passwords (OTPs) to defeat two-factor authentication, as well as allowing hands-on operations, such as activating real-time surveillance via live camera streaming and a microphone feed that allows the adversary to remotely monitor a victim.
To enable financial theft, the malware incorporates a stealer component that scans for wallet apps like MetaMask, Trust Wallet, Binance, and Coinbase, and substitutes wallet addresses copied to the clipboard to reroute transactions to a wallet under the attacker’s control.
There also exists a bank stealer module to target online mobile wallet platforms like Apple Pay, Google Pay, PayPal, along with PhonePe, an Indian digital payments application that allows instant money transfers with the Unified Payments Interface (UPI), a protocol to facilitate inter-bank peer-to-peer and person-to-merchant transactions.
“Taken together, this is a complete mobile compromise toolkit, the kind that used to require nation-state investment or bespoke exploit development, now sold on Telegram,” Kelley said. “A single buyer gets full access to a target’s location, messages, finances, camera, microphone, and keystrokes from a browser tab. Cross-platform support and active development make it a growing threat to both individuals and organizations.”
The ZeroDayRAT malware is similar to numerous others that have targeted mobile device users, either via phishing or by infiltrating official app marketplaces. Over the past few years, bad actors have repeatedly managed to find various ways to bypass security protections put in place by Apple and Google to trick users into installing malicious apps.
Attacks targeting Apple’s iOS have typically leveraged an enterprise provisioning capability that allows organizations to install apps without the need for publishing them to the App Store. By marketing tools that combine spyware, surveillance, and information-stealing capabilities, they further lower the barrier of entry for less skilled hackers. They also highlight the evolving sophistication and persistence of mobile-focused cyber threats.
News of the commercial spyware platform coincides with the emergence of various mobile malware and scam campaigns that have come to light in recent weeks –
- An Android remote access trojan (RAT) campaign has used Hugging Face to host and distribute malicious APK files. The infection chain begins when users download a seemingly harmless dropper app (e.g., TrustBastion) that, when opened, prompts users to install an update, which causes the app to download the APK file hosted on Hugging Face. The malware then requests accessibility permissions and access to other sensitive controls to enable surveillance and credential theft.
- An Android RAT called Arsink has been found to use Google Apps Script for media and file exfiltration to Google Drive, in addition to relying on Firebase and Telegram for C2. The malware, which allows data theft and complete remote control, is distributed via Telegram, Discord, and MediaFire links, while impersonating various popular brands. Arsink infections have been concentrated in Egypt, Indonesia, Iraq, Yemen, and Türkiye.
- A document reader app named All Document Reader (package name: com.recursivestd.highlogic.stellargrid) uploaded to the Google Play Store has been flagged for acting as an installer for the Anatsa (aka TeaBot and Toddler) banking trojan. The app attracted over 50,000 downloads before it was taken down.
- An Android banking trojan called deVixor has been actively targeting Iranian users through phishing websites that impersonate legitimate automotive businesses since October 2025. Besides harvesting sensitive information, the malware includes a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments. It uses Google Firebase for command delivery and Telegram-based bot infrastructure for administration.
- A malicious campaign codenamed ShadowRemit has exploited fake Android apps and pages mimicking Google Play app listings to enable unlicensed cross-border money transfers. These bogus pages have been found to promote unauthorized APKs as trusted remittance services with zero fees and improved exchange rates. “Victims are instructed to send payments to beneficiary accounts/eWallet endpoints and provide transaction screenshots as proof for verification,” CTM360 said. “This approach can bypass regulated remittance corridors and aligns with mule-account collection patterns.”
- An Android malware campaign targeting users in India has abused the trust associated with government services and official digital platforms to distribute malicious APK files through WhatsApp, leading to the deployment of malware that can steal data, establish persistent control, and run a cryptocurrency miner.
- The operators of an Android trojan and cybercrime tool called Triada have been observed using phishing landing pages disguised as Chrome browser updates to trick users into downloading malicious APK files hosted on GitHub. According to an analysis by Alex, attackers are “actively taking over long-standing, fully verified advertiser accounts to distribute malicious redirects.”
- A WhatApp-oriented scam campaign has leveraged video calls, in which the threat actor poses as a bank representative or a Meta support and instructs them to share their phone’s screen to address a purported unauthorized charge on their credit card, and install a legitimate remote access app, such as AnyDesk or TeamViewer, to steal sensitive data.
- An Android spyware campaign has leveraged romance scam tactics to target individuals in Pakistan to distribute a malicious dating chat app dubbed GhostChat to exfiltrate victims’ data. It’s currently not known how the malware is distributed. The threat actors behind the operation are also suspected to be running a ClickFix attack that infects victims’ computers with a DLL payload that can gather system metadata and run commands issued by an external server, as well as a WhatsApp device-linking attack called GhostPairing to gain access to their WhatsApp accounts.
- A new family of Android click fraud trojans called Phantom has been found to leverage TensorFlow.js, a JavaScript machine learning library, to automatically detect and interact with specific advertisement elements on a site loaded in a hidden WebView. An alternative “signaling” mode uses WebRTC to stream a live video feed of the virtual browser screen to the attackers’ server and allow them to click, scroll, or enter text. The malware is distributed via mobile games published to Xiaomi’s GetApps store and other unofficial, third-party app stores.
- An Android malware family called NFCShare has been distributed via a Deutsche Bank phishing campaign to deceive users into installing a malicious APK file (“deutsche.apk”) under the pretext of an update, which reads NFC card data and exfiltrates it to a remote WebSocket endpoint. The malware shares similarities with NFC relay malware families like NGate, ZNFC, SuperCard X, PhantomCard, and RelayNFC, with its command-and-control (C2) server previously flagged as associated with SuperCardX activity in November 2025.
In a report published last month, Group-IB said it has witnessed a surge in NFC-enabled Android tap-to-pay malware, most of which is advertised within Chinese cybercrime communities on Telegram. The NFC-based relay technique is also referred to as Ghost Tap.
“At least $355,000 in illegitimate transactions have been recorded from one POS vendor alone throughout November 2024 – August 2025,” the Singapore-headquartered cybersecurity company said. “In another observed scenario, mobile wallets preloaded with compromised cards are used by mules across the globe to make purchases.”
Group-IB also said it identified three major vendors of Android NFC relay apps, including TX-NFC, X-NFC, and NFU Pay, with TX-NFC amassing over 25,000 subscribers on Telegram since commencing operations in early January 2025. X-NFC and NFU Pay have more than 5,000 and 600 subscribers on the messaging platform, respectively.
The end goal of these attacks is to trick victims into installing NFC-enabled malware and tapping their physical payment cards on their smartphone, causing the transaction data to be captured and relayed to the cybercriminal’s device through an attacker-controlled server. This is achieved by means of a dedicated app installed on the money mule’s device to complete payments or cash-out as though the victims’ cards were physically present.
Calling tap-to-pay scams a growing concern, Group-IB said it observed a steady increase in the detection of malware artifacts between May 2024 and December 2025. “At the same time, different families and variants are also appearing, while the old ones remain active,” it added. “This indicates the spread of this technology among fraudsters.”
