New ZeroDayRAT Mobile Spyware Enables Full-Spectrum Surveillance on Android and iOS
A new cross-platform mobile RAT dubbed ZeroDayRAT provides attackers with live camera/mic streaming, SMS/OTP interception, crypto wallet theft, and banking overlay attacks across Android 5-16 and iOS up to version 26.
A sophisticated cross-platform mobile Remote Access Trojan (RAT) dubbed ZeroDayRAT has been identified being marketed as a commercial spyware-as-a-service offering on Telegram. The malware targets Android 5 through 16 and iOS up to version 26, providing full-spectrum surveillance and financial theft capabilities.
Architecture
ZeroDayRAT uses a modular toolkit approach, allowing operators to generate custom payloads that communicate with self-hosted C2 dashboards. Each attacker hosts their own infrastructure, making static IP and domain blocking largely ineffective.
Core Modules
The RAT includes the following capability modules:
Real-Time Surveillance
- Live streaming from front and rear cameras
- Real-time microphone audio capture
- Continuous screen recording with live previews on the attacker dashboard
Data Exfiltration
- Full SMS inbox access and real-time interception of incoming 2FA codes
- Notification harvesting via Notification Listener services to read WhatsApp, Telegram, and Signal messages without opening apps
- Automatic account enumeration for Google, Amazon, Facebook, and financial platforms including Paytm and PayPal
Financial Theft
- Crypto wallet scanner targeting MetaMask, Coinbase, and Trust Wallet with clipboard injection (replacing copied wallet addresses with attacker-controlled ones)
- Banking overlay attacks deploying fake login screens on top of legitimate banking and UPI apps including Google Pay and Apple Pay
Advanced Keylogging
- Captures all keystrokes, gestures, and biometric unlock attempts with millisecond timestamps and app context

Delivery Mechanism
ZeroDayRAT relies on social engineering for initial access rather than a single technical exploit:
- Smishing (Primary Vector) - Victims receive SMS or WhatsApp links leading to malicious APKs on Android or profile/payload downloads on iOS
- Sideloading - Exploits Android's "Install from Unknown Sources" setting and iOS Developer Mode or enterprise certificates
- Persistence - Once granted Accessibility Services (Android) or MDM/Management profiles (iOS), the RAT survives reboots and can perform remote wipe if detection is suspected
Indicators of Compromise
Static IoCs are limited since each operator runs independent C2 infrastructure. Detection should focus on behavioral indicators:
Behavioral Patterns
| Indicator | Description |
|---|---|
| Battery Drain | Unusual drain due to continuous GPS tracking and live media streaming |
| Accessibility Abuse | Unauthorized requests for Accessibility or Notification Access permissions |
| Clipboard Anomalies | Copied alphanumeric strings (wallet addresses) changing immediately after copy |
Network Activity
| Indicator | Description |
|---|---|
| Persistent Encrypted Traffic | Connections to non-standard ports or unusual domains (.ru, .cn, .top) |
| High Outbound Data | Elevated upload bandwidth from video/audio streaming |

Detection Code
Android: Detect Accessibility Service Abuse
```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.accessibility.AccessibilityManager;
import java.util.List;

// Inside an Activity or Service: enumerate every enabled Accessibility Service.
AccessibilityManager am = (AccessibilityManager)
        getSystemService(Context.ACCESSIBILITY_SERVICE);
List<AccessibilityServiceInfo> runningServices =
        am.getEnabledAccessibilityServiceList(
                AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
// Flag unexpected services for review: getId() returns the flattened
// "package/.ServiceClass" component name to compare against an allowlist.
for (AccessibilityServiceInfo info : runningServices) {
    String componentName = info.getId();
}
```
Android: Prevent Screen Capture on Sensitive Activities
```java
import android.view.WindowManager;

// Call in the Activity's onCreate(), before setContentView(). FLAG_SECURE blanks
// this Activity in screenshots and MediaProjection-based screen recording; it
// does not stop an Accessibility Service from reading the view hierarchy.
getWindow().setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE);
```
Mitigation
- Switch from SMS-based OTPs to hardware-backed MFA (FIDO2/WebAuthn security keys such as YubiKey) or app-based authenticators (such as Google Authenticator)
- iOS users: Enable Lockdown Mode to disable complex web features and block management profiles
- Android users: Enable Advanced Protection Program to restrict app installs to the Play Store only
- Implement Google Play Integrity API or Apple App Attest to verify app integrity on untampered devices
- Deploy a Mobile Threat Defense (MTD) solution to block known Telegram-linked C2 communication patterns
- Audit devices for unauthorized Accessibility Service or Notification Listener registrations
- Monitor for anomalous clipboard behavior, especially with cryptocurrency wallet addresses
Note: No universal patch exists as ZeroDayRAT exploits user-granted permissions rather than a specific vulnerability. Detection relies on behavioral analysis of Accessibility Service abuse and unauthorized screen/mic activity.