In context: Smartphones and other mobile devices now sit at the center of everyday digital life, carrying an enormous amount of sensitive data in plain sight. As that reliance grows, so does the incentive for cybercriminals, who are responding with increasingly sophisticated malware and surveillance tools.
Security firm iVerify says it has uncovered a new spyware platform dubbed ZeroDayRAT, a tool designed to seize near-total control of a compromised smartphone. According to the company, the malware works on both Android and iOS devices – including the latest versions of each operating system – and offers a level of surveillance power typically reserved for far more resourced attackers, provided the buyer is willing to pay.
ZeroDayRAT's unnamed developer is reportedly marketing the spyware through Telegram, where it was first spotted on February 2, 2026. The offering appears to be pitched as a full commercial service, complete with customer support, regularly scheduled updates, and access to a remote web-based dashboard used to control infected devices.
The researchers describe ZeroDayRAT as a level of spyware complexity that once required nation-state backing to achieve.
The malware is primarily distributed through smishing campaigns: phishing attempts delivered via SMS. Victims receive a text message containing a link that leads to a download masquerading as a legitimate app. Once installed, the app quietly activates its spyware components. iVerify says the same payload can also be delivered through phishing emails, fake third-party app stores, and links shared via platforms like WhatsApp or Telegram.
Once a device is compromised, attackers gain access to a dashboard organized into multiple tabs, each unlocking deeper levels of surveillance. The Overview tab provides high-level details about the device, including its model, operating system, battery status, country, SIM and carrier information, app usage, and more.
Other sections expose far more sensitive data. Attackers can view messages from banks, mobile carriers, and personal contacts. A Location tab uses GPS data to track a victim's movements worldwide. Because the malware can intercept system notifications, it can also surface WhatsApp messages, YouTube alerts, system events, and virtually any other notification that appears on the device.
An Account tab aggregates usernames and email addresses tied to services such as Google, Facebook, and Amazon. The spyware also tracks SMS messages, allowing it to capture one-time passwords, SMS-based two-factor authentication codes, and similar security messages.
At its most invasive, ZeroDayRAT includes live surveillance and keylogging features. iVerify says the malware can provide real-time access to a device's camera, microphone, and screen recording, while its keylogger intercepts every tap and input, complete with a live preview of the screen at any given moment. The toolkit is also designed to target payment services, banking systems, and cryptocurrency wallets in an attempt to steal digital assets.
The researchers describe ZeroDayRAT as a level of spyware complexity that once required nation-state backing to achieve. For individual users, an infection could mean total erosion of personal privacy. For organizations, a compromised work phone could serve as the entry point for a large-scale data exfiltration campaign. The firm warns that mobile security should be treated with the same seriousness as traditional endpoints (laptops, PCs) and email security, not as an afterthought.
Dangerous new spyware can take full control of iPhone and Android devices
any of them.
