ZeroDayRAT Spyware Detected Targeting iOS and Android Devices

A newly identified mobile spyware tool called ZeroDayRAT has been reported as being openly sold on Telegram since early February 2026. The platform is designed to compromise both Android and iOS devices, providing attackers with extensive access to user data and device functions.

ZeroDayRAT has been documented as infecting a wide range of devices, including Android versions 5 through 16 and iOS devices up to version 26, such as the iPhone 17 Pro. Infection typically occurs through SMS phishing, malicious emails, fake app stores, or links shared via WhatsApp or Telegram.

Once installed, the spyware enables attackers to use a web-based dashboard to view details about the compromised device. This includes information such as the device model, operating system version, battery level, SIM and carrier data, app usage, notifications, messages, and location. Additional features include live access to the device’s camera and microphone, screen recording, and keylogging capabilities.

ZeroDayRAT also includes modules that target financial information. These modules are designed to intercept SMS one-time passwords, use clipboard injection to redirect cryptocurrency transfers, and perform overlay attacks on payment applications, potentially enabling theft from banking apps and crypto wallets.

What the numbers show

• ZeroDayRAT was first observed around February 2, 2026
• Android devices from version 5 to 16 and iOS devices up to version 26 are affected
• iPhone 17 Pro is among the devices targeted by this spyware

Media reports have stated that ZeroDayRAT can compromise a device within seconds of infection. The spyware transmits collected data to a central dashboard controlled by the attacker, where messages, device details, notifications, and live activity timelines are accessible.

Fox News has reported that ZeroDayRAT’s surveillance tools include real-time keylogging and the ability to capture microphone, camera, and screen activity. The spyware’s financial theft modules are reported to intercept banking notifications and use clipboard manipulation to redirect cryptocurrency transactions.

Researchers have described the technical sophistication of ZeroDayRAT as comparable to capabilities that previously required nation-state resources. The spyware’s features and methods have been documented across several media outlets based on research from security analysts.

ZeroDayRAT’s presence on open channels such as Telegram and its broad device compatibility have been highlighted in multiple reports. The platform’s ability to access sensitive personal and financial information has been emphasized by researchers and media sources.

* This article is based on publicly available information at the time of writing.