Executive Summary

In early February 2026, security researchers at iVerify identified a new mobile spyware platform being sold openly on Telegram that changes the threat landscape for mobile device security. Called ZeroDayRAT, this malware represents something we’ve long feared but rarely seen: the full democratization of nation-state surveillance capabilities to anyone willing to pay.

What makes ZeroDayRAT particularly dangerous isn’t just its comprehensive feature set—which rivals commercial spyware like Pegasus and Predator—but its unprecedented accessibility. This is a complete mobile compromise toolkit being marketed through Telegram channels with dedicated customer support, sold to buyers with no vetting whatsoever.

The key facts:

  • Targets Android 5 through 16 and iOS up to version 26 (including iPhone 17 Pro), according to the seller’s advertised claims
  • Combines real-time surveillance (camera, microphone, screen) with financial theft
  • Sold through Telegram with a browser-based control panel requiring zero technical expertise
  • Buyers can deploy it on their own servers for complete operational control

This article provides a comprehensive analysis of ZeroDayRAT’s capabilities, how it spreads, how it compares to established commercial spyware, and most importantly—what you can do to protect yourself. Whether you’re a security professional, a journalist, an activist, or simply someone who values their privacy, understanding this threat is essential in 2026.


What Is ZeroDayRAT?

ZeroDayRAT is a mobile surveillance platform first observed on February 2, 2026 by researchers at iVerify, a mobile security company. Unlike traditional malware that focuses on a single objective—stealing passwords, exfiltrating files, or mining cryptocurrency—ZeroDayRAT is a complete compromise toolkit that gives operators total control over infected devices.

As iVerify researcher Daniel Kelley put it: “This represents a complete mobile compromise toolkit, the kind that used to require nation-state investment or bespoke exploit development, now sold on Telegram.”

The platform operates through a browser-based control panel that buyers can host on their own servers. This self-hosted architecture provides operators with:

  • Complete control over their infrastructure
  • No reliance on the developer’s servers
  • Ability to operate independently after purchase
  • Reduced forensic trail

The malware itself is generated through a builder provided to buyers, allowing them to create customized payloads for different attack scenarios. The developer maintains dedicated Telegram channels for sales, customer support, and regular updates—treating spyware like a legitimate SaaS product.

The Business Model

ZeroDayRAT represents a troubling evolution in how sophisticated surveillance tools reach the market. Traditional commercial spyware vendors like NSO Group (Pegasus), Intellexa (Predator), and RCS Lab (Hermit) sell to government customers through formal contracts, typically with some level of vetting (however imperfect).

ZeroDayRAT eliminates this entirely:

Aspect            | Traditional Commercial Spyware    | ZeroDayRAT
Sales Channel     | Government contracts              | Telegram marketplace
Buyer Vetting     | Claimed government customers only | None
Support Model     | Dedicated account teams           | Telegram customer support
Price Range       | $500K+ per target (estimated)     | Unknown (likely commodity pricing)
Operational Model | Vendor-hosted or assisted         | Self-hosted by buyer

This matters because it opens nation-state capabilities to a far broader range of threat actors: domestic abusers deploying stalkerware, corporate espionage operators, criminal enterprises, and anyone else willing to spend money on Telegram.


Complete Capabilities Analysis

ZeroDayRAT’s feature set is comprehensive enough to enable complete digital surveillance of a target’s life. Here’s what operators can access once a device is infected:

Device Profiling & Identification

Before operators even begin surveillance, they have complete visibility into the infected device:

  • Hardware: Device model, manufacturer, specifications
  • Software: Operating system version (Android 5-16, iOS up to 26)
  • Status: Battery level, lock status, charging state
  • Network: Country, carrier, SIM information
  • Dual SIM: Both phone numbers if applicable
  • Usage Patterns: App usage breakdown and statistics

This profiling helps operators understand their target’s digital footprint and plan more sophisticated attacks.

Location Tracking

ZeroDayRAT provides real-time GPS tracking with location coordinates plotted directly on Google Maps within the control panel. Operators can:

  • View current location in real time
  • Access complete location history
  • Track movement patterns over time
  • Correlate location with other surveillance data

For a stalker, domestic abuser, or authoritarian government tracking a dissident, this alone is devastating—but it’s just the beginning.

Communication Interception

The platform captures communications across multiple channels:

SMS:

  • Full inbox access (read all messages)
  • Ability to send SMS from the victim’s device
  • OTP interception for 2FA bypass

App Notifications:

  • Captures notifications from all installed apps
  • Includes WhatsApp, Instagram, Telegram, Facebook
  • Provides message previews even from encrypted apps
  • Shows sender information and timestamps

This notification capture is particularly insidious. End-to-end encryption protects a message only until the receiving app decrypts it; the moment that app renders the plaintext into a notification, spyware with notification access on the device reads it. The encryption is never broken, it is simply bypassed at the endpoint.

Account Enumeration

Operators can see every account registered on the device:

  • Google accounts
  • WhatsApp
  • Instagram
  • Facebook
  • Telegram
  • Amazon
  • Flipkart (Indian e-commerce)
  • PhonePe (Indian payments)
  • Paytm (Indian payments)
  • Spotify

This enumeration reveals a target’s complete digital identity and helps operators plan further compromise of specific services.

Real-Time Surveillance

This is where ZeroDayRAT reaches nation-state territory. Operators can:

Live Camera Access:

  • Stream video from the front or rear camera
  • Record without any visual indication
  • Capture photos silently

Live Microphone:

  • Real-time audio streaming
  • Record conversations in the target’s environment
  • Capture phone calls

Screen Recording:

  • See exactly what the user sees
  • Capture sensitive app usage
  • Record passwords as they’re typed

Imagine the implications: every private conversation, every confidential meeting, every intimate moment—all potentially accessible to an attacker with a web browser.

Keystroke Logging

ZeroDayRAT includes sophisticated keylogging with:

  • Complete keystroke capture across all apps
  • App context showing which application received each input
  • Millisecond timestamps for forensic-grade logging
  • Biometric unlock detection
  • Gesture tracking
  • App launch logging

This captures not just passwords, but every private message typed, every search query, every note written—with enough metadata to reconstruct exactly how the target uses their device.

Financial Theft Module

Here’s where ZeroDayRAT diverges from traditional surveillance spyware. While Pegasus and Predator focus on intelligence collection, ZeroDayRAT adds direct financial theft capabilities:

Cryptocurrency Wallet Targeting:

  • Scans for cryptocurrency wallet apps: MetaMask, Trust Wallet, Binance, Coinbase
  • Clipboard hijacking: replaces copied wallet addresses with attacker-controlled addresses
  • When you think you’re sending crypto to a friend, you’re sending it to the attacker, which is why a pasted address should be compared character by character, at both ends, with the one you copied before a transaction is confirmed

Banking Credential Theft:

  • Overlay attacks on banking apps
  • Credential capture through fake login screens
  • Combined with OTP interception for complete account takeover

This combination of surveillance and financial theft is unusual. It suggests the developers are targeting criminals who want both intelligence and profit, or are building a platform versatile enough for any buyer’s needs.


How ZeroDayRAT Infects Devices

Understanding infection vectors is crucial for prevention. ZeroDayRAT spreads primarily through social engineering attacks that trick users into installing malicious apps.

Primary Infection Vectors

Smishing (SMS Phishing): The most common infection method. Targets receive text messages containing links that lead to:

  • Fake app updates (“Your WhatsApp needs updating”)
  • Package delivery notifications
  • Banking security alerts
  • Prize or reward claims

When users click and install the linked “app,” they’re actually installing ZeroDayRAT.

Email Phishing: Traditional phishing emails directing users to download malicious apps disguised as:

  • Security updates
  • Productivity tools
  • Required business applications

Fake App Stores: Malicious websites mimicking legitimate app stores (Google Play, App Store) but serving infected apps. These often rank well in search results for popular app names.

Messaging App Distribution: Links shared through WhatsApp, Telegram, or other messaging platforms, often from compromised contacts or in groups.

iOS-Specific Infections

Apple’s closed ecosystem provides significant protection, but ZeroDayRAT can still reach iOS devices through:

Enterprise Provisioning Abuse: Organizations can distribute apps to employees without going through the App Store. Attackers abuse this capability by:

  1. Obtaining an Apple enterprise developer certificate (stolen, or registered under a front company)
  2. Tricking targets into installing the app and trusting the enterprise developer profile
  3. Distributing malware as “enterprise apps”

If you see a prompt asking you to trust an enterprise developer you don’t recognize—don’t.

Jailbreak Exploitation: Jailbroken devices lose iOS security protections, making them vulnerable to app installation from any source.

Android-Specific Infections

Android’s more open architecture creates additional attack surface:

Unknown Sources: Android allows installation from sources outside Google Play, but this must be explicitly enabled. Attackers social-engineer users into:

  1. Going to Settings → Security (Android 7 and earlier) or, on Android 8 and later, Settings → Apps → Special app access → Install unknown apps
  2. Enabling “Unknown Sources”, or granting the browser or messaging app the “Install unknown apps” permission
  3. Installing the malicious APK

Third-Party App Stores: Alternative Android app stores may host trojanized versions of popular apps.

Direct APK Installation: Links that download APK files directly, often disguised as game mods, free premium apps, or required “updates.”

What the Malware Looks Like

Once installed, ZeroDayRAT often disguises itself as innocent system utilities:

  • Calculator apps
  • Calendar apps
  • System Update tools
  • Battery optimizers
  • Flashlight utilities

These disguises help the malware blend in with legitimate apps while requesting extensive permissions.


Comparison: ZeroDayRAT vs. Commercial Spyware Giants

How does ZeroDayRAT compare to the established commercial surveillance vendors? Understanding this context helps appreciate both the threat and the shifting landscape.

Feature Comparison

Capability             | ZeroDayRAT            | Pegasus (NSO)        | Predator (Intellexa) | Hermit (RCS Lab)
Platform Support       | Android 5-16, iOS ≤26 | iOS, Android         | iOS, Android         | iOS, Android
Zero-Click Exploits    | Not confirmed         | Yes                  | Yes                  | Some
Real-Time Surveillance | Yes                   | Yes                  | Yes                  | Yes
Financial Theft        | Yes                   | No                   | No                   | No
OTP Interception       | Yes                   | Yes                  | Yes                  | Yes
Location Tracking      | Yes                   | Yes                  | Yes                  | Yes
Keylogging             | Yes                   | Yes                  | Yes                  | Yes
Sales Model            | Telegram              | Government contracts | Government contracts | Government contracts
Buyer Vetting          | None                  | Claimed              | Claimed              | Claimed
US Sanctions           | No                    | Entity List (2021)   | OFAC (2024)          | No

Key Differences

1. Zero-Click vs. Social Engineering

The most sophisticated commercial spyware (Pegasus, Predator) can infect devices with zero-click exploits, meaning no user interaction is required. A specially crafted message delivered over iMessage or WhatsApp can compromise the device silently.

ZeroDayRAT, based on current analysis, appears to require user interaction: clicking a link, installing an app, or granting permissions. This is a significant limitation that makes defense more straightforward—but social engineering remains highly effective.

2. Financial Theft Module

Traditional commercial spyware vendors market to governments for intelligence collection. They’re not in the business of stealing crypto or bank credentials—that would undermine their legitimate-vendor positioning.

ZeroDayRAT’s inclusion of financial theft capabilities suggests either:

  • Criminal monetization beyond surveillance
  • Broader buyer appeal (criminals, not just governments)
  • A feature set designed for maximum versatility

3. Accessibility

This is the critical difference. Pegasus reportedly costs $500,000+ per target and requires government-level relationships. Even if you wanted to buy Pegasus for stalking or corporate espionage, you couldn’t.

ZeroDayRAT’s Telegram sales model means anyone with the purchase price and basic computer literacy can deploy sophisticated mobile surveillance. This democratization is the real threat.

Regulatory Exposure

The established vendors face increasing legal pressure:

  • NSO Group: Placed on the US Commerce Department Entity List (2021), subject to multiple lawsuits including from Apple
  • Intellexa/Predator: Sanctioned by US Treasury OFAC (March 2024) for “enabling targeted and mass surveillance”
  • ZeroDayRAT: Operating in the shadows of Telegram with no regulatory exposure

Despite sanctions, Intellexa was reportedly “resurgent” by 2025 (per ICIJ investigation). The underground market represented by ZeroDayRAT is even harder to regulate.


How to Detect ZeroDayRAT Infection

While specific Indicators of Compromise (IOCs) for ZeroDayRAT haven’t been publicly released, general principles for detecting mobile spyware apply. Here’s what to watch for:

Behavioral Indicators

These warning signs might indicate your device is compromised:

Battery & Performance:

  • Unusual or rapid battery drain
  • Device overheating when not in heavy use
  • Gradual performance degradation
  • Frequent crashes or freezes

Network Activity:

  • Unexpected cellular data usage
  • WiFi data spikes with no clear cause
  • Mobile data usage while the device should be idle

Strange Device Behavior:

  • Camera or GPS activating unexpectedly
  • Microphone or camera privacy indicator appearing when no app should be using them (the orange/green dot on iOS; the status-bar indicator on Android 12 and later)
  • Random reboots
  • Difficulty fully powering off the device
  • Screen lighting up with no notification

Call Quality:

  • Unusual noises during calls (clicking, static)
  • Echo or distortion
  • Delays in call connection

Treat all of these as weak signals. Well-built spyware produces none of them, and their absence proves nothing; the forensic tools described below are the reliable check.

Android Detection Checklist

  1. Check Unknown Sources:
     • Android 7 and earlier: Settings → Security → Unknown Sources; this should be DISABLED unless you specifically need it
     • Android 8 and later replaced the global switch with a per-app permission, covered in the next step
  2. Review Special App Access:
     • Settings → Apps → Special app access → Install unknown apps
     • Review which apps have this permission; a browser, messaging app or file manager with it is the usual sideloading path
     • Revoke it from any app that doesn’t need it
  3. Audit Installed Apps:
     • Look for apps you don’t remember installing
     • Check for generic-named apps (Calculator, Calendar, System Update) with excessive permissions
     • Check Settings → Security → Device admin apps; spyware often registers as a device administrator so it can’t be uninstalled until that is deactivated
     • Remove anything suspicious
  4. Check Accessibility and Notification Access:
     • Settings → Accessibility: review which downloaded apps have accessibility access; this lets an app read screen content and inject input, which is what overlay attacks and keylogging depend on
     • Settings → Notifications → Notification access (naming varies by manufacturer): review which apps can read every notification, which is how message previews from encrypted apps are captured
  5. Run Security Scans:
     • Confirm Google Play Protect is still enabled (Play Store → profile icon → Play Protect); malware routinely asks victims to disable it
     • Install Malwarebytes, Bitdefender, or similar and perform a full device scan
     • Review any flagged items
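The steps in the Android checklist can be pulled over `adb` and scored in one pass. The script below is an added example (not code from the article or from iVerify). It assumes USB debugging is enabled and `adb` is on the PATH for the live audit; the package names, permission grants and accessibility setting in `SAMPLE_*` are constructed so the parsing and scoring can be checked without a device. The flag threshold of three surveillance permissions is an assumption, not a published detection rule.

```python
"""Audit an Android device for the sideloading and permission pattern that
ZeroDayRAT-style spyware relies on. Added example; not code from the article
or from iVerify. Assumes `adb` on the PATH and USB debugging enabled for the
live audit; the sample data below is constructed, not captured."""
import re
import subprocess

PLAY_STORE_INSTALLER = "com.android.vending"

# Runtime permissions that, held together by one app, give the camera, mic,
# SMS/OTP, location and call-log reach the article describes. The names are
# real Android permission strings; the threshold is an assumption.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}
SURVEILLANCE_THRESHOLD = 3


def adb_shell(*args):
    """Run `adb shell <args>` on the attached device and return stdout as text."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True)
    return proc.stdout


def parse_installers(pm_output):
    """Parse `pm list packages -3 -i` into {package: installer}. Lines look like
    'package:com.foo  installer=com.android.vending'; 'installer=null' means
    the app was sideloaded (adb, browser download) or the source is unknown."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_accessibility(setting_value):
    """Parse `settings get secure enabled_accessibility_services`, which is
    'pkg/ServiceClass:pkg2/ServiceClass2' or 'null', into package names."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/")[0] for entry in value.split(":") if entry]


def granted_permissions(dumpsys_output):
    """Collect permissions marked granted=true in `dumpsys package <pkg>`."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true",
                          dumpsys_output))


def findings_for(pkg, installer, perms, accessibility_pkgs):
    """Return the list of red flags for one third-party package."""
    flags = []
    if installer != PLAY_STORE_INSTALLER:
        flags.append(f"sideloaded (installer={installer})")
    held = SURVEILLANCE_PERMISSIONS & perms
    if len(held) >= SURVEILLANCE_THRESHOLD:
        short = sorted(p.rsplit(".", 1)[1] for p in held)
        flags.append("surveillance permission set: " + ", ".join(short))
    if pkg in accessibility_pkgs:
        flags.append("accessibility service enabled (screen reading / input injection)")
    return flags


def audit(installers, accessibility_pkgs, dumpsys_by_pkg):
    """Combine the three data sources into {package: [findings]}."""
    report = {}
    for pkg, installer in installers.items():
        perms = granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        flags = findings_for(pkg, installer, perms, accessibility_pkgs)
        if flags:
            report[pkg] = flags
    return report


def audit_live_device():
    """Pull the data from a connected device over adb and audit it."""
    installers = parse_installers(adb_shell("pm", "list", "packages", "-3", "-i"))
    acc = parse_accessibility(
        adb_shell("settings", "get", "secure", "enabled_accessibility_services"))
    dumps = {pkg: adb_shell("dumpsys", "package", pkg) for pkg in installers}
    return audit(installers, acc, dumps)


# Constructed sample output (not from a real device): two Play-installed apps
# and a sideloaded "System Update" app that also runs an accessibility service.
SAMPLE_PM = """package:com.whatsapp  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.spotify.music  installer=com.android.vending
"""
SAMPLE_ACCESSIBILITY = "com.example.sysupdate/com.example.sysupdate.AccService"
SAMPLE_DUMPSYS = {
    "com.example.sysupdate": """    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
""",
    "com.whatsapp": """    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
""",
}


def audit_sample():
    """Run the audit over the constructed sample (no device needed)."""
    return audit(parse_installers(SAMPLE_PM),
                 parse_accessibility(SAMPLE_ACCESSIBILITY), SAMPLE_DUMPSYS)


if __name__ == "__main__":
    for pkg, flags in audit_sample().items():
        print(pkg)
        for flag in flags:
            print("  -", flag)
```

With a phone attached, `audit_live_device()` replaces the sample with real output from `pm list packages -3 -i`, `settings get secure enabled_accessibility_services` and `dumpsys package`. Only third-party packages (`-3`) are listed, so a legitimate messaging app that holds camera and microphone but nothing else stays quiet, while a sideloaded app that also holds SMS and location and has an accessibility service enabled is reported three times over. Note that enabling USB debugging changes device state; in a forensic case, preserve evidence first.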

iOS Detection Checklist

  1. Check Device Management:
     • Settings → General → VPN & Device Management (called “Profiles” or “Profiles & Device Management” on older iOS versions)
     • You should see no profiles or management entries unless your employer or school manages your device
     • An unknown enterprise developer or configuration profile is a major red flag
  2. Review Installed Apps:
     • Look for unfamiliar apps on the home screen and in the App Library
     • Check for apps that might be hiding in folders
     • Apps distributed outside the App Store are listed under the developer’s name on the VPN & Device Management screen
  3. Verify No Jailbreak:
     • Look for Cydia, Sileo, or other jailbreak-related apps
     • Jailbreaks remove critical security protections
  4. Check for Profile-Based Attacks:
     • Any configuration profile you didn’t knowingly install (a VPN, certificate or “security” profile) may indicate a compromise attempt; remove it
  5. Consider Lockdown Mode (if high-risk):
     • Settings → Privacy & Security → Lockdown Mode
     • Dramatically reduces attack surface
     • More on this below

Professional Detection Tools

Tool                              | Platform     | Description                                             | Best For
iVerify                           | iOS, Android | Mobile EDR with threat detection and forensics          | Everyone (consumer and enterprise versions)
MVT (Mobile Verification Toolkit) | iOS, Android | Amnesty International’s forensic tool using public IOCs | Technical users, forensic investigation
Malwarebytes Mobile               | Android      | Malware scanning and removal                            | Android users wanting free scanning
Bitdefender Mobile Security       | Android, iOS | Real-time protection and spyware detection              | Users wanting continuous protection
Lookout Security                  | Android, iOS | Mobile threat protection                                | Enterprise and consumer

Note that on iOS no third-party app can inspect another app’s files or processes, so iOS security apps check device configuration, jailbreak signs and known-bad network indicators; forensic-grade checks on iOS rely on analyzing a backup or diagnostic log rather than live scanning.

MVT (Mobile Verification Toolkit)

For technical users or incident response, Amnesty International’s MVT provides forensic analysis capabilities:

# Install MVT into a virtual environment (see the MVT docs for the current minimum Python version)
pip install mvt

# Fetch Amnesty's current public indicators (STIX2 files) before scanning
mvt-ios download-iocs
mvt-android download-iocs

# Check an Android backup (made on the device with
# `adb backup -nocompress com.android.providers.telephony`) and write results to a folder
mvt-android check-backup --output results-android/ /path/to/backup

# Check an iOS backup. Make an encrypted Finder/iTunes backup (encrypted backups
# contain more of the data MVT examines), decrypt a copy, then scan the copy
mvt-ios decrypt-backup --password "backup-password" --destination /path/to/decrypted /path/to/backup
mvt-ios check-backup --output results-ios/ /path/to/decrypted

MVT checks backups against known indicators of compromise from documented spyware campaigns. While ZeroDayRAT-specific IOCs aren’t yet available, MVT remains valuable for detecting known threats and will likely be updated as IOCs emerge.


Complete Defense Checklist

This section provides actionable steps for protecting yourself against ZeroDayRAT and similar mobile spyware. Different risk levels require different measures.

For Everyone: Basic Mobile Hygiene

These steps should be standard practice for all smartphone users:

Keep Everything Updated

Platform | How to Update
Android  | Settings → System → Software update (exact path varies by manufacturer)
iOS      | Settings → General → Software Update

Updates patch security vulnerabilities that spyware exploits. Don’t delay them.

Lock Down Unknown Sources (Android)

  • Android 7 and earlier: Settings → Security → Unknown Sources = OFF
  • Android 8 and later: Settings → Apps → Special app access → Install unknown apps; no app, and especially no browser or messaging app, should be allowed
  • Only enable it temporarily when you specifically need to install a legitimate app from outside the Play Store
  • Disable it immediately after

Review and Revoke Permissions

Android: Settings → Privacy → Permission manager (exact path varies by manufacturer)
iOS: Settings → Privacy & Security

Review each permission category (Location, Camera, Microphone, Contacts) and revoke access from apps that don’t need it. Ask yourself: “Does this app need this permission to function?”

Use Strong Authentication

  • Alphanumeric passcode (not a 4-6 digit PIN)
  • Biometrics (Face ID, fingerprint) for convenience
  • The passcode is what protects the device when biometrics fail, are disabled, or could be used against you while you are asleep or detained

Don’t Trust Unexpected Links

The primary infection vector is social engineering. Treat every unexpected link with suspicion:

  • Text from an unknown number with a link? Delete it.
  • Email about a package delivery you weren’t expecting? Verify through the official app.
  • Message from a friend with an uncharacteristic link? Call them to verify.
  • “Security alert” requiring immediate action? Open the official app directly instead.

Verify Before Installing

  • Download apps only from official stores (Google Play, App Store)
  • Check reviews, download counts, and developer reputation
  • Be suspicious of apps requesting excessive permissions
  • If an app asks for accessibility services, question why

For High-Risk Individuals: Enhanced Protection

If you’re a journalist, activist, executive, attorney, government employee, or anyone who might be specifically targeted, additional measures are warranted.

Enable iOS Lockdown Mode (Critical)

For iPhone users facing elevated threats, Lockdown Mode is Apple’s nuclear option:

Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode

What Lockdown Mode does:

  • Messages: Blocks most attachments except certain images, video and audio; disables link previews
  • Web Browsing: Disables just-in-time JavaScript compilation and other complex web technologies
  • Apple Services: Blocks incoming FaceTime calls from people you haven’t called before
  • Connections: Blocks wired connections to a computer or accessory when the device is locked
  • Profiles: Prevents installation of configuration profiles and enrollment in device management

Apple states Lockdown Mode “strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.”

This will impact your device experience—some websites won’t work properly, some features will be disabled—but for high-risk individuals, this trade-off is worth it.

Deploy Mobile Security Software

Don’t rely on manual checks alone. Install a dedicated mobile security app:

  • iVerify: Purpose-built for detecting commercial spyware
  • Lookout: Enterprise-grade mobile threat detection
  • Bitdefender: Real-time protection across platforms

Use Signal for Sensitive Communications

End-to-end encrypted messaging protects message content in transit. It does not protect an already compromised phone (ZeroDayRAT can read Signal’s notifications and record the screen), but using Signal still means:

  • Messages are encrypted until they reach the endpoint, so network interception and server compromise yield nothing
  • Conversation history isn’t stored on servers, so one compromised device doesn’t expose your whole history through the service
  • Disappearing messages limit how much an attacker who later gains access to a device can read

Physical Security Matters

  • Never leave your device unattended
  • Be cautious of repair services; use only authorized providers
  • Consider a secondary “clean” device for the most sensitive activities
  • Disable biometric unlock in high-risk situations (police interactions, border crossings)

Regular Forensic Checks

  • Run security scans weekly
  • Consider periodic MVT analysis
  • Watch for behavioral indicators (battery, heat, data usage)
  • If concerned, seek professional forensic analysis

For Organizations: Enterprise Protection

Organizations should implement systematic mobile security:

Deploy Mobile Device Management (MDM)

  • Enforce security policies across the fleet
  • Require OS updates within a defined timeframe
  • Block installation from unknown sources
  • Remote wipe capability for lost or stolen devices

Implement Mobile Threat Defense (MTD)

Real-time threat detection that integrates with MDM:

  • Detect malicious apps before they run
  • Identify network-based attacks
  • Alert on suspicious device behavior

Security Awareness Training

Users are the primary attack vector. Training should cover:

  • Recognizing smishing and phishing attempts
  • Safe app installation practices
  • Reporting suspicious messages
  • Understanding why policies exist

BYOD Security Policies

Personal devices accessing corporate resources need:

  • Minimum OS version requirements
  • Security app installation requirement
  • Prohibition on jailbreaking/rooting
  • Container solutions for corporate data

Incident Response Plan

Document procedures for suspected mobile compromise:

  1. Containment: isolate the device from the network (airplane mode or a signal-blocking bag), but keep it powered on so volatile state survives for analysis
  2. Evidence preservation: take a full backup and hash it before any changes are made
  3. Forensic analysis (professional if warranted)
  4. Credential rotation from a clean device: assume every password, session token and SMS one-time code that touched the device is compromised, and revoke active sessions as well as changing passwords
  5. Device remediation or replacement

The Bigger Picture: Commercial Spyware in 2026

ZeroDayRAT doesn’t exist in isolation. It’s the latest evolution in a commercial spyware industry that has grown increasingly sophisticated—and increasingly accessible—over the past decade.

A Brief History

2010-2015: Early Days

  • FinFisher and Hacking Team sell surveillance tools to governments
  • Tools leak, revealing sales to authoritarian regimes
  • Citizen Lab begins documenting abuses

2016-2021: Industrialization

  • NSO Group’s Pegasus becomes prominent
  • Zero-click exploits enable silent infection
  • July 2021: the Pegasus Project publishes a leaked list of more than 50,000 phone numbers of potential surveillance targets

2022-2024: Regulatory Response

  • US places NSO Group on the Entity List
  • Treasury sanctions Intellexa/Predator (March 2024)
  • EU investigates Predator abuses

2025-2026: Fragmentation

  • Established vendors restructure to evade sanctions
  • Underground market grows on Telegram
  • ZeroDayRAT emerges as an accessible alternative

Current Industry Landscape

Despite sanctions and public exposure, the commercial spyware industry continues:

Established Vendors Persist: ICIJ reported in August 2025 that Intellexa was “resurgent” despite US sanctions. Corporate restructuring and geographic relocation allow continued operation.

Underground Markets Flourish: As noted by BroadChannel and Brandefense, Telegram has become “the #1 hub for cybercrime in 2025” following closure of traditional forums. Spyware-as-a-service fits naturally in this ecosystem.

Mobile Threats Explode: Malwarebytes reported a 151% increase in Android malware during 2025, with spyware specifically up 147%. Kaspersky documented 12.18 million users encountering mobile threats in Q1 2025 alone.

Regulatory Reality

The regulatory response, while well-intentioned, faces fundamental challenges:

Jurisdiction: Spyware developers operate across borders. US sanctions mean little to a Telegram-based vendor operating from a non-cooperative jurisdiction.

Technical Arms Race: Each patched vulnerability prompts development of new exploits. Security is a continuous battle, not a solved problem.

Demand: Governments, corporations, and criminals want these capabilities. As long as demand exists, supply will follow.

Fragmentation: Sanctions on established vendors push development underground, making tracking and regulation even harder.

What This Means For You

The commercial spyware industry exists because it serves powerful interests. Whether you’re targeted depends on who you are, what you do, and what information you possess.

Most People: You’re unlikely to face nation-state level targeting. But ZeroDayRAT’s accessibility means sophisticated surveillance is no longer limited to governments. A jealous ex-partner, unethical employer, or criminal enterprise can potentially deploy these capabilities.

High-Risk Individuals: If your work or activities might attract targeting—journalism, activism, legal work, political involvement, executive positions—you face genuine risk. The steps in this guide aren’t paranoia; they’re prudent security hygiene.

Everyone: Mobile devices contain our most intimate digital lives. Understanding threats like ZeroDayRAT helps make informed decisions about security trade-offs.


Signs You May Be a Target

Consider your risk level honestly. You may face elevated targeting if you are:

  • [ ] A journalist, especially one covering sensitive topics
  • [ ] A human rights activist or NGO worker
  • [ ] A political figure, campaign staff, or government employee
  • [ ] A corporate executive with access to sensitive information
  • [ ] An attorney working on high-profile cases
  • [ ] A researcher in sensitive fields
  • [ ] An individual in a contentious legal or custody dispute
  • [ ] Someone who has recently left a relationship with a controlling partner

If two or more apply: Seriously consider iOS Lockdown Mode and professional security assessment.


If You Suspect Infection

If you believe your device may be compromised:

Immediate Steps

  1. Don’t tip off the attacker. Avoid discussing your suspicions on the potentially compromised device. The operator can see everything you type.
  2. Document everything. Note unusual behaviors with timestamps. This information helps forensic analysts.
  3. Use a clean device for sensitive communications. Borrow a friend’s phone or buy a prepaid device for immediate needs.
  4. Don’t immediately factory reset. Resetting erases forensic evidence. If possible, get professional analysis first; at minimum, take a full backup and hash it before changing anything.
  5. Change critical credentials from a clean device: email passwords, banking logins, social media accounts. Assume everything on the compromised device is known to the attacker, sign out of all other sessions, and move two-factor authentication off SMS (which the spyware can read) to an authenticator app or security key on the clean device.
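The “take a backup and hash it before changing anything” step here, and the evidence-preservation step in the organizational incident response plan above, both come down to the same thing: a tamper-evident record of what the device contained at first acquisition. The script below is an added example, not tooling from the article, from iVerify or from MVT. It assumes a backup directory already on disk (a Finder/iTunes backup folder or an extracted `adb backup`), hashes every file into a JSON manifest with a sidecar hash of the manifest itself, and can later re-verify the tree or diff two acquisitions. The `demo()` tree is constructed sample data, not a real backup.

```python
"""Preserve a mobile backup as evidence before anyone touches the device.
Added example; not tooling from the article, iVerify or MVT. Assumes a
backup directory already on disk; the demo tree is constructed, not real."""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large media files never load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, label=""):
    """Hash every file under root; paths are stored relative, '/'-separated."""
    root = Path(root)
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            files[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return {
        "root": str(root),
        "label": label,
        "created_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "file_count": len(files),
        "files": files,
    }


def write_manifest(manifest, out_path):
    """Write the manifest plus a sidecar .sha256 of the manifest file itself.
    The returned hash is the value to record in the incident log."""
    out = Path(out_path)
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    manifest_hash = sha256_file(out)
    Path(str(out) + ".sha256").write_text(f"{manifest_hash}  {out.name}\n")
    return manifest_hash


def verify_manifest(manifest):
    """Re-hash the tree a manifest describes; report changed and missing files."""
    root = Path(manifest["root"])
    changed, missing = [], []
    for rel, meta in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != meta["sha256"]:
            changed.append(rel)
    return {"changed": sorted(changed), "missing": sorted(missing)}


def diff_manifests(old, new):
    """Compare two acquisitions of the same device."""
    old_files, new_files = old["files"], new["files"]
    return {
        "added": sorted(set(new_files) - set(old_files)),
        "removed": sorted(set(old_files) - set(new_files)),
        "changed": sorted(p for p in old_files if p in new_files
                          and old_files[p]["sha256"] != new_files[p]["sha256"]),
    }


def demo():
    """Constructed walk-through: acquire, preserve, then show what a second
    acquisition reveals after someone 'cleans up' the device."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as evidence:
        root = Path(backup)
        (root / "Manifest.db").write_bytes(b"constructed sample, not a real backup")
        (root / "1a").mkdir()
        (root / "1a" / "sms.db").write_bytes(b"original message store")
        first = build_manifest(root, "acquisition-1")
        manifest_hash = write_manifest(first, Path(evidence) / "acquisition-1.json")
        # Simulate messages being deleted, a database removed and a new file appearing
        (root / "1a" / "sms.db").write_bytes(b"messages deleted")
        (root / "Manifest.db").unlink()
        (root / "2b").mkdir()
        (root / "2b" / "new.plist").write_bytes(b"x")
        second = build_manifest(root, "acquisition-2")
        return {
            "manifest_hash": manifest_hash,
            "verify": verify_manifest(first),
            "diff": diff_manifests(first, second),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Write the manifest and its `.sha256` sidecar to separate, read-only media and note the manifest hash in the incident log; anyone who later receives the backup can run `verify_manifest` to prove it is the same tree you acquired, and `diff_manifests` shows exactly what changed between a first and a second acquisition.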

Getting Help

Resource                            | Contact                       | Best For
Access Now Digital Security Helpline | help@accessnow.org            | Journalists, activists, human rights defenders
EFF Legal Assistance                | eff.org/pages/legal-assistance | Legal guidance on digital rights
Citizen Lab                         | citizenlab.ca                 | Research and exposure of spyware
FBI IC3                             | ic3.gov                       | Reporting cybercrime (US)

Domestic Violence Warning

If you suspect stalkerware related to domestic abuse:

⚠️ Removing spyware may alert your abuser. This could escalate danger.

Before taking any action:

  • National Domestic Violence Hotline: 1-800-799-7233
  • Safety plan first, technical remediation second
  • Consider working with a domestic violence advocate who can coordinate with technical specialists

Your safety is more important than your phone.


Key Takeaways

  1. ZeroDayRAT represents a new accessibility threshold. Nation-state surveillance capabilities are now available through Telegram with no buyer vetting.
  2. The threat is comprehensive. Real-time camera/mic access, GPS tracking, keystroke logging, and financial theft combine into total device compromise.
  3. Social engineering is the primary vector. Most infections require user action: clicking links, installing apps, granting permissions. Your behavior is your first defense.
  4. Defense is possible. Basic hygiene (updates, permission review, link skepticism) protects against most attacks. High-risk individuals should enable iOS Lockdown Mode.
  5. The industry continues evolving. Sanctions pressure established vendors while underground markets flourish. This threat isn’t going away.
  6. Know your risk level. Most people aren’t individually targeted. Those who might be should take proportional precautions.

Your smartphone knows more about you than you might realize—where you go, who you talk to, what you think, what you buy. Protecting it isn’t paranoia. It’s prudent digital hygiene in 2026.


Further Reading


Frequently Asked Questions

Q: Can ZeroDayRAT infect my phone without me clicking anything?

Based on current analysis, ZeroDayRAT appears to require some user interaction (clicking a link, installing an app, granting permissions). This differs from zero-click exploits used by Pegasus. However, the sophistication of social engineering attacks makes “just don’t click” harder than it sounds.

Q: Does iOS protect me better than Android?

iOS’s closed ecosystem provides meaningful security advantages: apps only from the App Store (outside the EU’s alternative-marketplace regime), no unknown-sources option, tighter sandboxing. However, ZeroDayRAT specifically claims iOS support through version 26, and the enterprise-certificate and profile abuse described above doesn’t need a jailbreak. No platform is immune. iOS users should still follow all protective measures and consider Lockdown Mode if high-risk.

Q: I have nothing to hide. Why should I care?

Everyone has something private—medical information, financial details, intimate conversations, business discussions. More importantly, privacy isn’t just about hiding wrongdoing. It’s about maintaining autonomy and dignity. Do you want a random Telegram buyer watching your camera feed?

Q: Will factory reset remove the infection?

Usually yes—a full factory reset should remove most malware. However: (1) You lose forensic evidence that could be valuable; (2) If you restore from backup, you might reinstall the malware; (3) Some sophisticated spyware can survive resets through firmware compromise, though this is rare.

Q: How much does ZeroDayRAT cost?

Pricing hasn’t been publicly reported. Given the Telegram marketplace model, it’s likely far cheaper than commercial vendors like NSO Group ($500K+ per target), making it accessible to a much broader range of buyers.

Q: My ex is tech-savvy and I’m worried. What should I do?

Take this seriously. Review the domestic violence warning section above and contact the National DV Hotline before making technical changes. A domestic violence advocate can help you safety plan and coordinate with technical specialists. Your physical safety comes first.


This article will be updated as new information about ZeroDayRAT emerges, including specific Indicators of Compromise when released by security researchers. Stay safe out there.