June 24, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

The $2,000 Spyware That Can Turn Your Phone Into a Surveillance Device


ZeroDayRAT: The $2,000 Spyware That Puts Your Phone Under Siege
Cyber Threat Monitor
Independent Security Reporting · Verified & Fact-Checked
April 1, 2026

ZeroDayRAT, exposed in February 2026, hands anyone with two thousand dollars a complete mobile surveillance toolkit — no technical skill required. Here is what it actually does, what the claims get wrong, and how to stay safe.

You receive a text: “Your package is delayed. Tap to track.” You click. Your screen flickers for a second, then nothing seems wrong. But from that moment, someone else may be watching everything your phone sees, hears, and types.

That is the scenario enabled by ZeroDayRAT, a commercial spyware platform first observed on Telegram on February 2, 2026, and publicly exposed by mobile security firm iVerify on February 10. It is real, it is verified by multiple independent security researchers, and it represents a meaningful shift in who can afford to conduct state-grade mobile surveillance.

What Is ZeroDayRAT?

ZeroDayRAT is a commercial, off-the-shelf spyware toolkit marketed openly on Telegram. Its developer runs dedicated channels for sales, customer support, and regular software updates — structured like a legitimate SaaS product, except its purpose is to give buyers complete remote access to victims’ phones.

iVerify researcher Daniel Kelley describes it as “a complete mobile compromise toolkit.” The platform supports Android versions 5 through 16 and iOS up to version 26, including the iPhone 17 Pro — meaning almost no modern device is out of reach. No technical expertise is required to operate it.

$2,000: the real entry price. Full access to ZeroDayRAT’s surveillance panel costs approximately $2,000 — not “a few hundred dollars” as some reports claim. SecurityWeek and Dark Reading both confirm this figure. The price puts it outside script-kiddie territory, but within reach of financially motivated operators, private investigators, and stalkerware buyers.

  • Android 5–16: supported Android range
  • iOS 26: latest iOS version targeted
  • 5 languages: English, Spanish, Portuguese, Russian, Chinese

How Does It Infect Your Phone?

Despite its dramatic name, ZeroDayRAT does not exploit zero-day OS vulnerabilities. Its primary weapon is social engineering — specifically smishing (SMS phishing). Victims receive a text message with a link that downloads what appears to be a legitimate app. Installing that app hands over the keys.

Distribution methods confirmed by iVerify include:

  • Text message links disguised as bank alerts, courier notifications, or carrier warnings
  • Phishing emails with fake app download pages
  • Third-party (unofficial) app stores
  • Links shared via WhatsApp and Telegram

The operator sets up their own server, configures the control panel, then uses the included builder to generate custom malicious payloads. Delivery is the attacker’s responsibility — ZeroDayRAT provides the infrastructure once the device is compromised.

Capabilities once reserved for nation-state operators are now packaged, documented, and sold on Telegram with customer support.

— iVerify Research Team, February 10, 2026

What Can an Attacker See?

Once a device is infected, the attacker logs into a web-based control panel that organises stolen data into clearly labelled tabs:

📋 Device Overview

Model, OS version, battery status, country, SIM card details, and app usage history.

💬 SMS Intercept

All incoming texts, including one-time passwords (OTPs), defeating two-factor authentication.

📍 GPS Tracking

Real-time location plotted on Google Maps, plus full historical location log.

👤 Account Enumeration

Every account on the device: Google, WhatsApp, Instagram, Facebook, Amazon, Telegram, Spotify, and more — with associated email or username.

📷 Live Camera & Mic

Front and rear cameras streamed live, microphone feed active in real time, screen recording.

⌨️ Keylogging

Every character typed — passwords, messages, bank card numbers — captured and transmitted.

Beyond surveillance, ZeroDayRAT includes dedicated financial theft modules: a cryptocurrency stealer that scans for MetaMask, Trust Wallet, Binance, and Coinbase wallets; a banking stealer that uses overlay attacks against payment apps including Google Pay, PhonePe, and Apple Pay; and clipboard injection that silently replaces copied wallet addresses with attacker-controlled ones.


Correcting the Record: What Circulating Reports Get Wrong

Several articles about ZeroDayRAT have introduced inaccuracies that deserve correction. The threat is real — but distortion undermines trust and makes it harder for people to respond appropriately.

⚠ Inaccurate Claim — Price

Many summaries describe ZeroDayRAT as available for “a few hundred dollars,” implying almost anyone can afford it. The verified price is approximately $2,000, confirmed by Dark Reading and SecurityWeek. That is not cheap — it targets financially motivated operators, private investigators, and buyers with specific targets in mind.

⚠ Inaccurate Claim — “Dark Web” Sales

ZeroDayRAT is not sold on the dark web. It is sold openly on Telegram, a mainstream messaging platform. This distinction matters: Telegram is accessible to anyone, and the toolkit’s visibility there is part of what makes it dangerous.

⚠ Unverified Figures — “47x Faster” and “10-Minute Cloud Takeover”

Some articles attribute specific figures — “AI-driven attacks are 47 times faster than manual attacks” and “attackers can escalate to full admin privileges in under 10 minutes” — to IBM’s threat intelligence report. These specific statistics do not appear in the 2026 IBM X-Force Threat Intelligence Index. IBM’s real findings confirm AI is accelerating attacks, but the cited numbers appear fabricated or misattributed. Treat them with caution.

✓ Confirmed — AI Attack Trend Is Real

The broader point is accurate. IBM’s 2026 X-Force Index documents a 44% increase in attacks exploiting public-facing applications, with AI enabling faster vulnerability discovery. Separately, SANS Institute confirmed at RSAC 2026 that, for the first time ever, all five of its most dangerous new attack techniques involve AI. Independent researchers demonstrated AI-generated zero-day exploits in production software for as little as $116 in token costs.

✓ Confirmed — Core ZeroDayRAT Capabilities

Live camera and microphone streaming, keylogging, SMS interception, GPS tracking, account enumeration, and crypto/banking theft modules are all verified by iVerify’s original research and corroborated by BleepingComputer, The Hacker News, SecurityWeek, and Dark Reading.


Why This Is Different

Mobile spyware has existed for years. What makes ZeroDayRAT notable is its commercialisation model. The toolkit is advertised in five languages, comes with documentation and customer support, and is designed so that non-technical buyers can deploy it. iVerify notes the developers appear to be deliberately obscuring their origin — posting in Chinese, using Russian domains, and targeting victims in India — likely to frustrate attribution.

Because every operator runs their own server infrastructure, there is no central command server to take down. Even removing the Telegram channel would only slow distribution temporarily; the developers would simply open a new one.

Kelley of iVerify describes it as “textbook stalkerware,” and notes that journalists, activists, domestic abuse victims, and employees at organisations with loose device policies are all plausible targets, depending on who is buying.

How to Protect Yourself

  1. Never install apps from links in text messages or emails. Go directly to the official App Store or Google Play. Search for the app by name.
  2. On Android, disable “Install from unknown sources.” Go to Settings → Security and turn off the ability to install apps from outside the Play Store.
  3. Switch from SMS two-factor authentication to an authenticator app or hardware key. ZeroDayRAT intercepts SMS OTPs. An authenticator app (Google Authenticator, Authy) or a hardware key (YubiKey) cannot be intercepted the same way.
  4. Keep your OS updated. ZeroDayRAT relies on social engineering, not OS exploits — but patches close the gaps that other spyware uses. Enable automatic updates.
  5. Review app permissions regularly. Revoke camera, microphone, and location access from any app that does not genuinely need it. Check Settings → Privacy on both iOS and Android.
  6. Look for anomaly signs. Unexplained battery drain, overheating while idle, and unusual data usage can indicate a background process is running. This is not definitive, but warrants investigation.
  7. High-risk users: enable Lockdown Mode (iOS) or Advanced Protection (Android). These modes restrict functionality but significantly reduce the attack surface for targeted surveillance.

If you suspect your device is already compromised: disconnect from Wi-Fi and mobile data immediately, change passwords for critical accounts from a separate, trusted device, and consider a full factory reset. iVerify, Lookout, and Malwarebytes offer mobile threat detection tools that can identify known spyware signatures.
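One way to script the app and permission review from the steps above on an Android device with USB debugging enabled, as an added example that is not from the original article or from iVerify: it flags apps that were not installed by Google Play and that hold the permissions behind SMS interception, location tracking, camera and microphone access. The sample text is constructed, and the trusted-installer list and capability labels are assumptions of this example.

```python
import re

# Permissions behind capabilities the article lists (labels are this example's own).
SURVEILLANCE_PERMS = {
    "android.permission.RECEIVE_SMS": "SMS intercept",
    "android.permission.READ_SMS": "SMS intercept",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumption, extend as needed
# Constructed sample in the shape of `adb shell pm list packages -i -3` output.
SAMPLE_LISTING = """\
package:com.example.bank  installer=com.android.vending
package:com.example.parceltrack  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
# Constructed excerpts in the shape of `adb shell dumpsys package <name>` output.
SAMPLE_DUMPS = {
    "com.example.parceltrack": """\
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
""",
    "com.example.notes": "      android.permission.INTERNET: granted=true\n",
}

def parse_installers(listing):
    """Return {package: installer} for each line of the package listing."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", listing, re.M))

def granted_permissions(dump):
    """Return the set of permissions the dump reports as granted."""
    return set(re.findall(r"^\s*(android\.permission\.\w+): granted=true", dump, re.M))

def audit(listing, dumps):
    """Flag apps not installed by a trusted store that hold surveillance permissions."""
    findings = []
    for pkg, installer in sorted(parse_installers(listing).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        granted = granted_permissions(dumps.get(pkg, ""))
        hits = sorted({SURVEILLANCE_PERMS[p] for p in granted if p in SURVEILLANCE_PERMS})
        if hits:
            findings.append((pkg, installer, hits))
    return findings

if __name__ == "__main__":
    for pkg, installer, hits in audit(SAMPLE_LISTING, SAMPLE_DUMPS):
        print(f"{pkg} (installer={installer}): {', '.join(hits)}")
```

A hit is a prompt to inspect the app, not proof of infection: legitimately sideloaded apps appear in the same list.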

