A new commercial spyware platform called ZeroDayRAT is being sold and advertised through Telegram. It bundles everything a buyer needs to surveil victims and steal their money in real time, and is advertised as supporting Android 5 through 16 and iOS up to version 26.
Daniel Kelley, a security researcher at iVerify, found that the developer runs multiple Telegram channels for sales, customer support and product updates. Combined with the tooling supplied, a "builder" that generates malicious APKs/IPAs and instructions for standing up a private command-and-control (C2) server, this makes it relatively easy for a buyer to assemble a complete spyware operation.
Once installed through social engineering, phishing links or fake app stores, ZeroDayRAT gives the operator extensive control over the device:
1. Device fingerprinting (device model, OS type, battery state, SIM and carrier details).
2. Real-time GPS location tracking, with the full location history plotted on Google Maps.
3. Access to SMS history, including one-time passwords (OTPs), which lets the operator bypass SMS-based two-factor authentication (2FA).
4. Keylogging across all applications.
5. Live video and audio streaming from the device's camera and microphone for on-demand surveillance, including while the victim is using applications such as Facebook or Instagram.
6. Enumeration of all accounts registered on the device (Google, WhatsApp, Instagram, Amazon, Flipkart and others) with their associated usernames and email addresses.
7. Monitoring and modification of clipboard contents to replace cryptocurrency wallet addresses (MetaMask, Trust Wallet, Binance, Coinbase) and redirect funds.
8. A bank-stealer module targeting Apple Pay, Google Pay, PayPal, PhonePe and other payment and UPI-based wallet apps.
The control panel is browser-based and self-hosted, allowing an operator to monitor many victims from a single dashboard. Kelley emphasized that this is no longer nation-state territory: the toolkit is commoditized and sold to anyone with Telegram access, which dramatically lowers the skill barrier for sophisticated mobile compromise.
Related Mobile Threats Surfacing in Early 2026
1. Droppers hosted on Hugging Face (e.g., TrustBastion) deliver RATs that request accessibility permissions for surveillance and credential theft.
2. Arsink RAT uses Google Apps Script, Firebase and Telegram to exfiltrate media and files; infections are concentrated in Egypt, Indonesia, Iraq, Yemen and Türkiye.
3. All Document Reader (50,000+ Play Store downloads before takedown) installed the Anatsa/TeaBot banking trojan.
4. deVixor targets Iranian users via fake automotive phishing sites and includes a ransomware module that can be triggered remotely.
5. ShadowRemit scams promote fake remittance APKs for unlicensed cross-border transfers.
6. WhatsApp-based scams trick users into sharing their screen and installing legitimate remote-access tools (such as AnyDesk or TeamViewer), which the scammers then use to steal data.
7. GhostChat, marketed to Pakistani users as a dating app, collects its users' personal information and sells it to third parties.
8. A click-fraud operation uses hidden WebViews inside apps, driven by TensorFlow.js and WebRTC, to automate ad clicks; the apps are distributed through Xiaomi's GetApps and third-party stores.
9. NFCShare, an app impersonating Deutsche Bank, reads the victim's payment card over NFC and relays the card data over WebSockets to a second application; it is linked to the Ghost Tap and SuperCard X families.
10. Between May 2024 and August 2025, NFC relay malware (TX-NFC, X-NFC, NFU Pay), advertised through Chinese Telegram channels, generated over $355,000 in fraud.
These incidents illustrate the evolution of mobile threats from simple credential theft towards platforms that enable full-scale remote surveillance and financial fraud: from harvesting passwords, to hijacking WhatsApp and other messaging accounts, to capturing the card data and PINs that payment apps rely on.
They are distributed through channels users trust, including Telegram, Google Play and fake update sites, and they abuse legitimate platform features such as NFC, accessibility services and remote-desktop applications.
Suggestions For Users
1. Do not sideload APKs or install apps from untrusted sources.
2. Do not share your screen during an unsolicited call from someone claiming to be your bank or a support desk.
3. Use unique, strong passwords for your apps, and prefer hardware security keys or authenticator apps over SMS codes for 2FA, since this class of malware reads SMS OTPs directly.
4. Regularly review the apps installed on your device, the permissions they hold, and which apps have been granted accessibility or notification access.
5. Keep your operating system and apps up to date, and enable Google Play Protect (Android) or Lockdown Mode (iOS) if you are at elevated risk of a targeted attack.
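One concrete way to carry out the review in point 4 on Android is to pull the accessibility, notification-listener and permission state off the device with adb and check it against the capability list above. The script below is an added example written for this page; it is not code from the article, from ZeroDayRAT or from iVerify. It parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys package <pkg>` (run from a trusted computer). The package names, sample output and allowlist are constructed for the example; the permission-to-capability mapping follows the ZeroDayRAT feature list (clipboard access needs no permission, so it cannot be audited this way).

```python
"""Audit an Android device's installed apps for the permission profile a mobile RAT needs.

Added example, not code from the article or from ZeroDayRAT. It parses the text that
these adb commands print (run from a trusted computer with USB debugging enabled):

    adb shell settings get secure enabled_accessibility_services
    adb shell settings get secure enabled_notification_listeners
    adb shell dumpsys package <pkg>     # for each package from: adb shell pm list packages -3

The sample output at the bottom is constructed for this example, not captured from a device.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Permission -> the RAT capability it enables (clipboard hijacking needs no permission at all).
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS history, including OTP codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS / OTP codes",
    "android.permission.ACCESS_FINE_LOCATION": "real-time GPS tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location tracking while the app is closed",
    "android.permission.RECORD_AUDIO": "live microphone streaming",
    "android.permission.CAMERA": "live camera streaming",
    "android.permission.GET_ACCOUNTS": "enumerate accounts registered on the device",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays for fake login screens",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper behaviour)",
}

# Assumed allowlist: legitimate accessibility tools expected on this device (TalkBack here).
DEFAULT_ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})


def parse_enabled_components(setting_value: str) -> dict[str, list[str]]:
    """Parse the 'pkg/Component:pkg/Component' format of the secure settings into {pkg: [components]}."""
    result: dict[str, list[str]] = defaultdict(list)
    for entry in filter(None, setting_value.strip().split(":")):
        pkg, _, component = entry.partition("/")
        result[pkg].append(component or "?")
    return dict(result)


def parse_granted_permissions(dumpsys_text: str) -> dict[str, set[str]]:
    """Return {package: {permissions with granted=true}} from concatenated `dumpsys package` output."""
    granted: dict[str, set[str]] = defaultdict(set)
    current = None
    for line in dumpsys_text.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            current = header.group(1)
            continue
        perm = re.match(r"\s*([\w.]+): granted=true", line)
        if perm and current:
            granted[current].add(perm.group(1))
    return dict(granted)


def audit(dumpsys_text: str, a11y_setting: str, notif_setting: str,
          allowlist: frozenset[str] = DEFAULT_ALLOWLIST) -> dict[str, list[str]]:
    """Return {package: [findings]} for every non-allowlisted package with RAT-like capabilities."""
    findings: dict[str, list[str]] = defaultdict(list)
    for pkg, comps in parse_enabled_components(a11y_setting).items():
        findings[pkg].append(f"accessibility service enabled ({', '.join(comps)}): keylogging and screen reading")
    for pkg in parse_enabled_components(notif_setting):
        findings[pkg].append("notification listener enabled: reads OTP and banking notifications")
    for pkg, perms in parse_granted_permissions(dumpsys_text).items():
        for perm in sorted(perms & set(RISKY_PERMISSIONS)):
            findings[pkg].append(f"{perm.rsplit('.', 1)[1]}: {RISKY_PERMISSIONS[perm]}")
    return {pkg: items for pkg, items in findings.items() if pkg not in allowlist}


def severity(findings: list[str]) -> str:
    """Accessibility or notification access combined with SMS or overlay rights is the
    banking-trojan / RAT profile; everything else is triaged lower."""
    listener = any(f.startswith(("accessibility", "notification")) for f in findings)
    sms_or_overlay = any(f.startswith(("READ_SMS", "RECEIVE_SMS", "SYSTEM_ALERT_WINDOW")) for f in findings)
    if listener and sms_or_overlay:
        return "high"
    return "medium" if len(findings) >= 2 else "low"


# --- constructed sample output (not from a real device) ---
SAMPLE_A11Y = ("com.sample.docreader/com.sample.docreader.A11yService:"
               "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")
SAMPLE_NOTIF = "com.sample.docreader/com.sample.docreader.NotifListener"
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.sample.docreader] (1a2b3c):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.sample.flashlight] (4d5e6f):
    userId=10235
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, items in audit(SAMPLE_DUMPSYS, SAMPLE_A11Y, SAMPLE_NOTIF).items():
        print(f"[{severity(items).upper()}] {pkg}")
        for item in items:
            print(f"    - {item}")
```

The telltale combination is an enabled accessibility service or notification listener together with SMS or overlay rights: that is what a keylogging, OTP-stealing banking trojan looks like, and it is rated high here, while a single camera permission on a flashlight app is only flagged for review. On a real device, feed the script the actual adb output and extend the allowlist with the accessibility tools you know you installed.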
For Organizations
Monitor for unusual outbound connections from mobile devices to Telegram, Firebase and Google Apps Script endpoints, all of which the families above use for command-and-control or exfiltration. Educate employees about romance scams, job offers from unknown organizations, and fake system-update prompts.
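To make that monitoring concrete, here is an added example (written for this page, not from the article or any of the malware families it describes) of a small detection run over a simplified web-proxy log. It flags devices on an assumed mobile/BYOD VLAN that contact the Telegram Bot API, Firebase Realtime Database hosts or Google Apps Script, allowlists Firebase projects belonging to sanctioned corporate apps, and raises the severity when the connections arrive at a regular interval, the beaconing pattern a C2 channel produces. The VLAN range, allowlist, log format (timestamp, client IP, destination host, port, bytes sent, method) and log lines are all constructed.

```python
"""Flag mobile-VLAN devices talking to Telegram Bot API, Firebase or Google Apps Script endpoints.

Added example, not from the article. Assumed simplified proxy log format, one connection per line:
    <ISO-8601 timestamp> <client IP> <destination host> <port> <bytes sent by client> <method>
The VLAN range, allowlist and sample log lines below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

MOBILE_NET = ipaddress.ip_network("10.50.0.0/16")  # assumed: BYOD / mobile Wi-Fi VLAN

# Exact host, or ".suffix" matching a domain and its subdomains -> why it matters here.
C2_HOST_RULES = [
    ("api.telegram.org", "Telegram Bot API: RAT C2/exfil channel (the Telegram client app uses MTProto, not this host)"),
    (".firebaseio.com", "Firebase Realtime Database: C2/exfil store used by Arsink and similar RATs"),
    (".firebasedatabase.app", "Firebase Realtime Database (regional hostname)"),
    ("script.google.com", "Google Apps Script web app: exfil relay used by Arsink"),
]
# Assumed: Firebase projects belonging to sanctioned corporate apps, to cut the noise.
KNOWN_GOOD_HOSTS = frozenset({"corp-mdm-prod.firebaseio.com"})


def classify_host(host: str) -> str | None:
    """Return the rule label for a destination host, or None if it is not of interest."""
    for pattern, label in C2_HOST_RULES:
        if pattern.startswith(".") and host.endswith(pattern):
            return label
        if not pattern.startswith(".") and host == pattern:
            return label
    return None


def parse_line(line: str):
    """Split one constructed-format log line into (timestamp, client IP, host, bytes sent)."""
    ts, src, host, _port, nbytes, _method = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            ipaddress.ip_address(src), host.lower().rstrip("."), int(nbytes))


def is_beaconing(timestamps: list[datetime], min_events: int = 4, max_cv: float = 0.2) -> bool:
    """True when the gaps between connections are regular (coefficient of variation below max_cv)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < max_cv


def detect(log_lines: list[str]) -> list[dict]:
    """Group mobile-VLAN connections to suspicious hosts by (client, host) and score them."""
    events: dict[tuple[str, str], list[tuple[datetime, int]]] = defaultdict(list)
    for line in log_lines:
        if not line.strip():
            continue
        ts, src, host, nbytes = parse_line(line)
        if src not in MOBILE_NET or host in KNOWN_GOOD_HOSTS or classify_host(host) is None:
            continue
        events[(str(src), host)].append((ts, nbytes))

    alerts = []
    for (src, host), evs in sorted(events.items()):
        reasons = [classify_host(host)]
        beacon = is_beaconing([t for t, _ in evs])
        if beacon:
            reasons.append(f"{len(evs)} connections at a regular interval (beaconing)")
        alerts.append({
            "src": src, "host": host, "count": len(evs),
            "bytes_sent": sum(b for _, b in evs),
            # Bot API traffic from a phone or a regular beat is high; lone Firebase hits are noisy.
            "severity": "high" if beacon or host == "api.telegram.org" else "medium",
            "reasons": reasons,
        })
    return alerts


# --- constructed sample log (not real traffic) ---
SAMPLE_LOG = """\
2026-02-10T09:00:00Z 10.50.3.17 api.telegram.org 443 1843 CONNECT
2026-02-10T09:00:30Z 10.50.3.17 sample-project-1234.firebaseio.com 443 5120 POST
2026-02-10T09:01:00Z 10.50.3.17 api.telegram.org 443 1790 CONNECT
2026-02-10T09:02:00Z 10.50.3.17 api.telegram.org 443 1802 CONNECT
2026-02-10T09:02:15Z 10.50.9.4 corp-mdm-prod.firebaseio.com 443 900 GET
2026-02-10T09:03:01Z 10.50.3.17 api.telegram.org 443 1811 CONNECT
2026-02-10T09:03:30Z 192.168.20.5 api.telegram.org 443 2200 CONNECT
2026-02-10T09:04:00Z 10.50.3.17 api.telegram.org 443 1855 CONNECT
2026-02-10T09:05:10Z 10.50.7.22 script.google.com 443 64000 POST
2026-02-10T09:06:00Z 10.50.3.17 www.example.com 443 300 GET
2026-02-10T09:10:30Z 10.50.3.17 sample-project-1234.firebaseio.com 443 4800 POST
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity'].upper()}] {alert['src']} -> {alert['host']} "
              f"({alert['count']} conns, {alert['bytes_sent']} bytes sent)")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

Two caveats a practitioner will want: Firebase is used by a great many legitimate apps, so on its own it only earns a medium rating and the allowlist matters; and the Telegram client itself does not speak to api.telegram.org, so a phone using that host is running bot code, which is exactly what a Telegram-controlled RAT does. The desktop client on 192.168.20.5 and the sanctioned MDM project are ignored by design.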
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067