
The kit lowers the barrier for sophisticated surveillance, exposing millions of mobile users to financial and privacy risks, while its distributed model hampers rapid mitigation by authorities.
Mobile espionage has traditionally been the domain of nation‑state actors, but the emergence of commercial kits like ZeroDayRAT signals a shift toward commoditized surveillance. First spotted in early February 2026, the toolkit is marketed on Telegram in Portuguese, Russian, Chinese, Spanish and English, offering buyers a self‑hosted command panel and a payload builder that can target both iOS and Android. By bundling exploit delivery, persistence mechanisms and a rich set of post‑infection modules, ZeroDayRAT blurs the line between state‑grade malware and off‑the‑shelf crimeware, expanding the pool of potential attackers.
The functional breadth of ZeroDayRAT is alarming. Once installed, it streams live video from either camera, records screen activity, and captures microphone input, while simultaneously logging GPS coordinates and detailed device fingerprints. Its keylogger records every keystroke, including biometric unlock patterns, and the embedded bank‑stealer harvests login credentials for major financial services. A clipboard‑injection module watches for cryptocurrency addresses, enabling real‑time fund diversion. Such capabilities give operators the ability to conduct continuous, multi‑vector espionage and financial exfiltration without the victim’s knowledge, raising the stakes for both individual privacy and corporate security.
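As an added illustration, not code from the article or from the toolkit itself, the following simplified detector models the clipboard-swap behaviour described above: it reads a constructed clipboard-event log (time, writing app, contents) and flags a write from an untrusted background process that replaces a user-copied cryptocurrency address with a different address of the same format within a short window. App identifiers, the trusted-app list and the address patterns are assumptions.

```python
import re
from dataclasses import dataclass

# Simplified address formats (assumption): Bitcoin bech32/legacy and Ethereum.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def address_kind(text):
    """Return 'btc', 'eth' or None for a clipboard payload."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipEvent:
    t: float      # seconds since start of the log
    source: str   # app identifier that wrote the clipboard (hypothetical)
    text: str     # clipboard contents after the write


def detect_clipper(events, trusted_sources, window=5.0):
    """Flag untrusted writes that swap a user-copied address for another
    address of the same kind within `window` seconds.
    Returns a list of (time, original, replacement, writing_app)."""
    alerts = []
    last_user = None  # most recent write by a trusted, user-driven app
    for ev in events:
        if ev.source in trusted_sources:
            last_user = ev
            continue
        if last_user is None:
            continue
        prev_kind, new_kind = address_kind(last_user.text), address_kind(ev.text)
        if (prev_kind and new_kind == prev_kind and ev.text != last_user.text
                and ev.t - last_user.t <= window):
            alerts.append((ev.t, last_user.text, ev.text, ev.source))
    return alerts


# Constructed sample log: a wallet app copies an address, then an unknown
# background process overwrites it with a look-alike of the same format.
TRUSTED = {"com.example.wallet", "com.example.notes"}
SAMPLE_EVENTS = [
    ClipEvent(0.0, "com.example.wallet", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(0.4, "com.example.sysupdate", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipEvent(12.0, "com.example.notes", "meeting at 3pm"),
    ClipEvent(20.0, "com.example.wallet", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ClipEvent(21.0, "com.example.sysupdate", "0xde709f2102306220921060314715629080e2fb77"),
    ClipEvent(30.0, "com.example.keyboard", "hello"),  # untrusted but benign
]
```

Run as `detect_clipper(SAMPLE_EVENTS, TRUSTED)`; the two swaps by `com.example.sysupdate` are reported, the benign keyboard write is not.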
Mitigating ZeroDayRAT is complicated by its decentralized distribution model. Each operator runs an independent server, eliminating a single point of failure that law enforcement could target, and Telegram’s slow response to illicit channels further delays takedowns. Organizations should prioritize mobile threat hunting, enforce strict app vetting, and deploy mobile‑device‑management solutions that can detect anomalous network traffic and unauthorized background processes. On a policy level, regulators may need to pressure platform providers to accelerate content removal and consider mandatory reporting of mobile‑focused ransomware and spyware. Proactive defense and a coordinated industry response are essential to curb the spread of this new generation of mobile RATs.