Cyber: New ZeroDayRAT Mobile Spyware Enables Real-time Surveillance And...
Cybersecurity researchers have disclosed details of a new mobile spyware platform dubbed ZeroDayRAT that's being advertised on Telegram as a way to grab sensitive data and facilitate real-time surveillance on Android and iOS devices.
"The developer runs dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware panel," Daniel Kelley, security researcher at iVerify, said. "The platform goes beyond typical data collection into real-time surveillance and direct financial theft."
ZeroDayRAT is designed to support Android versions 5 through 16 and iOS versions up to 26. It's assessed that the malware is distributed via social engineering or fake app marketplaces. The malicious binaries are generated through a builder that's provided to buyers along with an online panel that they can set up on their own server.
Once the malware infects a device, the operator can view its details through a self-hosted panel, including model, location, operating system, battery status, SIM and carrier details, app usage, notifications, and a preview of recent SMS messages. This information allows the threat actor to profile the victim and learn who they talk to and which apps they use the most.
The panel also extracts the device's current GPS coordinates and plots them on Google Maps, along with a history of every location it has been to over time, effectively turning the malware into a location tracker.
"One of the more problematic panels is the accounts tab," Kelley added. "Every account registered on the device is enumerated: Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, Spotify, and more, each with its associated username or email."
Other capabilities of ZeroDayRAT include logging keystrokes and gathering SMS messages, including one-time passwords (OTPs), to defeat two-factor authentication. It also supports hands-on operations such as real-time surveillance through live camera streaming and a microphone feed, allowing the adversary to remotely monitor a victim.
To enable financial theft, the malware incorporates a stealer component that scans for wallet apps like MetaMask, Trust Wallet, Binance, and Coinbase, and substitutes wallet addresses copied to the clipboard to reroute transactions to a wallet under the attacker's control.
There also exists a bank stealer module to target online mobile wallet platforms like Apple Pay, Google Pay, Pa
Source: The Hacker News