Spyware for Hire: Inside the Shadowy World of ZeroDayRAT and Its Mobile Espionage Toolkit
New subscription-based malware promises full control over smartphones - if it’s real.
It starts with a text message - a fake update, a tempting offer, a seemingly innocent link. But behind the scenes, a new player is making waves in the cybercrime underground: ZeroDayRAT, a mobile spyware platform for rent, now marketed openly via Telegram. Is it the next big threat to mobile security, or just a sophisticated scam targeting would-be hackers?
ZeroDayRAT is being sold as a plug-and-play surveillance suite - no hacking expertise required. According to an investigation by Cyberthint, the service includes a slick web dashboard where buyers can monitor compromised phones. The seller advertises the ability to track GPS location, activate microphones and cameras remotely, record the screen in real time, and log every keystroke. On the financial side, the pitch targets popular crypto wallets such as MetaMask and Binance and claims to capture digital payment credentials from Apple Pay, Google Pay, and PayPal. All of this is the operator's own marketing; whether the code delivers it is a separate question.
How does it spread? The infection vector is classic social engineering: victims receive phishing texts (smishing), often disguised as legitimate app updates or service alerts. The links redirect through a chain of shortened URLs and even trusted sites like GitHub Pages so that the final destination is hidden from reputation-based filters that only score the first link. From there the malware is installed - sometimes via fake app stores, sometimes as a direct APK download the victim is talked into sideloading - and, once the victim grants the permissions the app asks for, the operator has full control of the device.
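The redirect-chain trick described above is easy to triage once the chain is unrolled hop by hop. The following is an added example, not code from the article or from Cyberthint: it follows a redirect map, caps the hop count, detects loops, and flags the signs the article mentions (shortener hops, a github.io hop, an APK at the end). The redirect map, hostnames and shortener list are constructed for illustration; in practice the map is replaced by HEAD requests with redirects disabled, reading each Location header.

```python
from urllib.parse import urlparse

# Constructed sample redirect map standing in for live HTTP responses.
# Hostnames are illustrative, not observed ZeroDayRAT infrastructure.
SAMPLE_REDIRECTS = {
    "https://bit.ly/3xyzUpdate": "https://tinyurl.com/sec-alert-2",
    "https://tinyurl.com/sec-alert-2": "https://example-user.github.io/update/",
    "https://example-user.github.io/update/": "https://cdn-example.net/app-update.apk",
}

# Assumed lists; extend from your own threat intel.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}
TRUSTED_HOSTING_SUFFIXES = (".github.io",)
MAX_HOPS = 10


def unroll(url, redirects, max_hops=MAX_HOPS):
    """Follow the redirect map from url and return the ordered chain.

    Stops when a URL is not redirected, when a loop is detected (the
    repeated URL is appended once so callers can see it), or when the
    hop budget is exhausted.
    """
    chain = [url]
    seen = {url}
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
        if url in seen:
            break
        seen.add(url)
    return chain


def triage(url, redirects=SAMPLE_REDIRECTS):
    """Return the unrolled chain plus human-readable findings."""
    chain = unroll(url, redirects)
    hosts = [urlparse(u).hostname or "" for u in chain]
    findings = []

    shorteners = [h for h in hosts if h in SHORTENER_HOSTS]
    if shorteners:
        findings.append(f"{len(shorteners)} shortener hop(s): {', '.join(shorteners)}")

    if any(h.endswith(TRUSTED_HOSTING_SUFFIXES) for h in hosts):
        findings.append("hop via trusted static hosting (github.io)")

    final = chain[-1]
    if urlparse(final).path.lower().endswith(".apk"):
        findings.append(f"final URL serves an APK: {final}")

    if len(chain) > 1 and chain[-1] in chain[:-1]:
        findings.append("redirect loop detected")

    # Two or more independent signals is the (assumed) threshold here.
    return {"chain": chain, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    result = triage("https://bit.ly/3xyzUpdate")
    for hop in result["chain"]:
        print("  ->", hop)
    for f in result["findings"]:
        print("!", f)
```

The point of scoring the whole chain rather than the first link is exactly the evasion the article describes: the SMS only ever shows a shortener, and the github.io hop is a domain most filters trust, so neither hop looks bad on its own.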
But is ZeroDayRAT a real threat or cybercriminal vaporware? Cyberthint’s researchers noticed several red flags. Demo screenshots appeared staged, with portions of the interface possibly generated by AI. Wallet data in the control panel looked static across screenshots, raising doubts about whether the malware actually works as advertised. The operator’s willingness to use escrow services on criminal forums lends some credibility, since a buyer can withhold payment until the product is delivered, but the line between an active threat and an overhyped scam remains blurry.
What’s certain is the context: ZeroDayRAT isn’t alone. Mobile malware families like Arsink and Anatsa (TeaBot) are also on the rise, exploiting new tactics like NFC-based theft. As smartphones become vaults for our money, identities, and secrets, attackers are following the data. The message for users? Don’t trust unsolicited links, especially those promising urgent account action or financial gain.
Whether ZeroDayRAT is a genuine menace or a mirage, its existence signals a troubling trend: cybercrime syndicates are making high-end spyware accessible to anyone with a few dollars and a Telegram account. For now, vigilance and skepticism remain the best defense against the invisible eyes in our pockets.
WIKICROOK
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- Smishing: Smishing is a digital scam that uses deceptive SMS messages to steal personal data or money from victims, often by impersonating trusted organisations.
- Clipboard Injection: Clipboard injection silently replaces the contents of the clipboard with attacker-controlled data, for example swapping a copied cryptocurrency wallet address for the attacker’s own, so that the user pastes the malicious value without noticing.
- Overlay Attack: An overlay attack uses fake screens placed over real apps to trick users into entering sensitive data like passwords or PINs, enabling credential theft.
- Two-Factor Authentication: Two-factor authentication (2FA) is a security method requiring two different types of identification to access an account, making it harder to hack.