CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ZeroDayRAT Malware Targets Android and iOS Devices

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. ZeroDayRAT is marketed through Telegram channels and infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard displaying device details, app usage, SMS messages, and live activity timeline. It also includes a crypto stealer and targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. The malware is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels. ZeroDayRAT support spans Android 5 through 16 and iOS up to 26, and it provides a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, live activity timeline, and recent SMS messages. The malware includes features such as SMS control, keylogger, microphone feed, screen recorder, bank stealer, and crypto stealer. ZeroDayRAT is priced at $2,000, indicating higher-than-average ambitions and targeting specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.

Timeline

  1. 10.02.2026 15:00 3 articles · 10h ago

    ZeroDayRAT Malware Advertised on Telegram

    ZeroDayRAT is marketed through Telegram channels. Infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware provides a dedicated web-based dashboard displaying device model, OS version, battery status, SIM details, country, lock state, app usage, SMS messages, and live activity timeline. It includes a crypto stealer that detects wallets and injects attacker-controlled clipboard addresses, and targets online banking apps, UPI platforms such as PhonePe and Google Pay, and services including Apple Pay and PayPal via overlay attacks. ZeroDayRAT is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels. ZeroDayRAT support spans Android 5 through 16 and iOS up to 26, and it provides a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, live activity timeline, and recent SMS messages. The malware includes features such as SMS control, keylogger, microphone feed, screen recorder, bank stealer, and crypto stealer. ZeroDayRAT is priced at $2,000, indicating higher-than-average ambitions and targeting specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials

Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.

Open in new tab

ClayRat Spyware Campaign Targets Android Users in Russia

A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 700 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone. The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. The latest version of ClayRat introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services. Key functions include a keylogger that captures PINs, passwords, and patterns, full screen recording through the MediaProjection API, overlays that disguise malicious activity, and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions. A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status. Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.

Open in new tab

ToSpy and ProSpy spyware targeting UAE users

Two spyware families, ToSpy and ProSpy, are targeting Android users in the UAE by masquerading as the ToTok app and Signal encryption plugins. These campaigns have been active since 2022 and 2024, respectively, and exploit the popularity and local trust of ToTok to infiltrate devices and exfiltrate sensitive data. ToTok, a messaging app developed by G42 and supported by the UAE government, was exposed as spyware in 2019 and removed from major app stores. Despite this, it continues to circulate outside official channels, providing cover for malicious actors. The spyware families request invasive permissions to steal device information, contacts, SMS messages, and various file types. Google Play Protect is designed to mitigate these threats, but users are still at risk if they download apps from untrusted sources. The spyware campaigns are distributed via fake websites and social engineering, establishing persistent access to compromised devices. The ProSpy campaign was discovered in June 2025 and has been ongoing since 2024, while the ToSpy campaign began on June 30, 2022, and is currently ongoing. The spyware families use deceptive websites masquerading as legitimate services to distribute malware. The spyware families exfiltrate device information, SMS messages, contact lists, files, and a list of installed applications. The spyware families use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated. The spyware families automatically launch the necessary background services upon a device reboot.

Open in new tab

Klopatra Android Trojan Conducts Nighttime Bank Transfers

A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them. Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. The malware integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis. It uses native libraries to reduce its Java/Kotlin footprint and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing. Klopatra uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.

Open in new tab

Datzbro Android Trojan Targeting Elderly via AI-Generated Facebook Events

A new Android banking trojan named Datzbro is targeting elderly users through AI-generated Facebook events. The malware, discovered in August 2025, conducts device takeover (DTO) attacks and performs fraudulent transactions. It exploits social engineering tactics to trick victims into downloading malicious APK files from fraudulent links. The threat actors behind Datzbro focus on users in Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. The malware leverages Android's accessibility services to perform remote actions, record audio, capture photos, and steal credentials. It also includes features to hide malicious activities and steal device lock screen PINs and passwords associated with Alipay and WeChat. Datzbro is believed to be the work of a Chinese-speaking threat group, with its command-and-control (C2) backend being a Chinese-language desktop application. The malware has been distributed freely among cybercriminals after a compiled version of the C2 app was leaked.

Open in new tab