
ZeroDayRAT and the Productization of Mobile Spyware

iVerify’s breakdown of “ZeroDayRAT” is a warning siren for anyone who still treats mobile as a secondary risk.

The report describes a mobile spyware platform marketed on Telegram with the trappings of a mature operation: dedicated sales channels, customer support, and ongoing updates.

The claim that jumps off the page is coverage: Android 5 through 15 and iOS “up to 26,” including modern flagship devices, packaged in a way that suggests minimal technical expertise is required to operate it. Whether every marketing claim holds up is a separate question, but the direction of travel is unmistakable: mobile compromise capabilities are being productized.

Flow of infection

The infection flow described relies on familiar social vectors:

  • Smishing links

  • Phishing emails

  • Fake app stores

  • Getting a victim to install a malicious app (APK on Android or a payload on iOS)

That’s “better news” than a silent exploit chain, because the victim still has to act and install-time warnings get a chance to intervene, but it’s still bad news: social delivery scales, and a low hit rate across a large pool of targets is all an operator needs.

Once installed, the operator view is designed to immediately profile a target:

  • SIM and carrier information

  • Device context

  • Recent messages

  • Indicators of who the person talks to and what apps they use

From there, the platform offers discrete data streams: GPS tracking with location history, notification capture broken out by app, and message interception that can include texts from banking services.

Mobile must be prioritized

This is why mobile is no longer optional in threat modeling. Phones are identity anchors: MFA prompts, authenticator codes, banking access, corporate apps, and private communications live there. Compromise doesn’t just steal data; it often collapses the security assumptions of everything the device is used to access.

Most organizations still have limited visibility into mobile integrity outside tightly managed fleets.

That creates an asymmetry: attackers invest in mobile tooling while defenders treat phones as personal devices outside the security perimeter.

The practical move is to treat mobile integrity as a first-class signal, especially for high-risk users, and to plan response paths that assume mobile compromise is possible.
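One concrete form of that first-class signal, for the Android side of the infection flow described above, is an inventory triage that looks for the capability bundle the operator view needs (SMS access, location, per-app notification capture) in an app that did not come from the store. The script below is an added example and is not tooling from Vulnerable U or iVerify. It assumes the inputs were pulled over adb beforehand (`pm list packages -3 -i`, the `enabled_notification_listeners` and `enabled_accessibility_services` secure settings, and each app’s granted permissions as listed by `dumpsys package <pkg>`); the sample inventory, the package names, the weights and the threshold are constructed for illustration, not taken from the report.

```python
"""Inventory triage for the capability bundle described above on Android:
SMS access, location, and per-app notification capture in a sideloaded app.
Added example, not tooling from Vulnerable U or iVerify; assumes the inputs were
pulled over adb first (`pm list packages -3 -i`, the `enabled_notification_listeners`
and `enabled_accessibility_services` secure settings, granted permissions from
`dumpsys package <pkg>`). Sample data and weights are constructed."""
from dataclasses import dataclass, field

# Real Android permission names; weights and threshold are an assumption.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
FG_LOCATION = {"android.permission.ACCESS_FINE_LOCATION"}
BG_LOCATION = {"android.permission.ACCESS_BACKGROUND_LOCATION"}
SOCIAL_PERMS = {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; anything else counts as sideloaded
FLAG_THRESHOLD = 6


def parse_pm_list(text):
    """Parse `pm list packages -3 -i` lines into {package: installer or None}."""
    apps = {}
    for line in text.splitlines():
        if not line.strip().startswith("package:"):
            continue
        fields = line.strip()[len("package:"):].split()
        installer = next((f[len("installer="):] for f in fields[1:] if f.startswith("installer=")), "null")
        apps[fields[0]] = None if installer == "null" else installer
    return apps


def parse_component_setting(setting):
    """Colon-separated 'pkg/Service' secure setting -> set of packages."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if c}


@dataclass
class Finding:
    package: str
    sideloaded: bool
    score: int
    reasons: list = field(default_factory=list)

    @property
    def flagged(self):
        # Sideloading is the delivery path the report describes; store apps with
        # the same bundle are listed but left for a human to judge.
        return self.sideloaded and self.score >= FLAG_THRESHOLD


def score_app(pkg, installer, granted, has_listener, has_a11y):
    """Weight the capabilities that reproduce the 'operator view' above."""
    checks = [
        (bool(granted & SMS_PERMS), 3, "sms"),                      # message interception
        (bool(granted & FG_LOCATION), 1, "location"),               # GPS tracking
        (bool(granted & BG_LOCATION), 1, "background_location"),    # location history
        (bool(granted & SOCIAL_PERMS), 1, "contacts_or_call_log"),  # who the target talks to
        (has_listener, 3, "notification_listener"),                 # notification capture by app
        (has_a11y, 2, "accessibility_service"),                     # screen and input access
    ]
    score = sum(w for hit, w, _ in checks if hit)
    reasons = [label for hit, _, label in checks if hit]
    # The installer field is whatever the system recorded at install time, and
    # `pm install -i` over adb can set it, so it is a weak signal, not proof of origin.
    return Finding(pkg, installer not in TRUSTED_INSTALLERS, score, reasons)


def triage(pm_text, listener_setting, a11y_setting, grants):
    listeners = parse_component_setting(listener_setting)
    a11y = parse_component_setting(a11y_setting)
    findings = [score_app(pkg, inst, grants.get(pkg, set()), pkg in listeners, pkg in a11y)
                for pkg, inst in parse_pm_list(pm_text).items()]
    return sorted(findings, key=lambda f: (f.flagged, f.score), reverse=True)


# Constructed inventory: a browser, a store-installed messenger, and a sideloaded
# "system update" app holding the whole bundle.
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.messenger  installer=com.android.vending
package:com.sysupdate.service  installer=null
"""
SAMPLE_LISTENERS = ("com.example.messenger/com.example.messenger.Listener:"
                    "com.sysupdate.service/com.sysupdate.service.NotifSvc")
SAMPLE_A11Y = "com.sysupdate.service/com.sysupdate.service.A11ySvc"
P = "android.permission."
SAMPLE_GRANTS = {
    "com.android.chrome": {P + "ACCESS_FINE_LOCATION"},
    "com.example.messenger": {P + "READ_SMS", P + "RECEIVE_SMS", P + "READ_CONTACTS"},
    "com.sysupdate.service": {P + "READ_SMS", P + "RECEIVE_SMS", P + "ACCESS_FINE_LOCATION",
                              P + "ACCESS_BACKGROUND_LOCATION", P + "READ_CONTACTS"},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_LISTENERS, SAMPLE_A11Y, SAMPLE_GRANTS):
        print(("FLAG " if f.flagged else "     ") + f"{f.package:26} {f.score:2} {','.join(f.reasons)}")
```

On the constructed inventory only the sideloaded app crosses the threshold, while the store-installed messenger, which legitimately holds SMS access and a notification listener, is listed with a high capability score but not flagged. That split is the design choice worth keeping when adapting this: the permission bundle alone matches plenty of legitimate apps, so the signal comes from the bundle combined with how the app arrived, and even the installer field is only a hint rather than attestation of origin.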

The era of ‘mobile is someone else’s problem’ is over.