We’re joined today by Rupert Marais, our in-house security specialist, to discuss an alarming new trend in mobile threats. A new form of spyware, dubbed ZeroDayRAT, is being sold openly on platforms like Telegram, essentially packaging sophisticated surveillance tools for a mass-market criminal audience. We’ll explore how this “malware-as-a-service” model democratizes cybercrime, the specific ways it compromises devices to bypass security like multi-factor authentication, and the significant risks this poses not just to individuals but to corporations through bring-your-own-device policies. This development signals a dangerous convergence of nation-state-level capabilities with street-level criminal economics, changing the landscape of mobile security.
Spyware like ZeroDayRAT is reportedly sold on platforms like Telegram with full customer support. How does this “malware-as-a-service” model, which requires no technical expertise from buyers, change the threat landscape for ordinary individuals and businesses?
It fundamentally shatters the barrier to entry for serious cybercrime. In the past, deploying sophisticated spyware required a significant level of technical skill. Now, we’re seeing these tools sold as a complete package on public forums. For a couple of thousand dollars, a buyer gets the malware, a user-friendly control panel, and even a customer support channel. This means the attacker no longer needs to be a hacker; they just need a motive and the funds. For an individual, this is terrifying. It means a disgruntled acquaintance or a stalker can gain total access to their life. For businesses, an employee’s device becomes a wide-open door. Imagine a competitor using this to steal trade secrets or an insider threat gaining leverage—it’s a devastating vector for credential theft and data exfiltration, all facilitated by a simple, off-the-shelf purchase.
Given that attackers use smishing and fake app links to deploy malware, what specific red flags should users look for in these messages? Can you walk us through the step-by-step process of how a user’s device becomes compromised from a single click?
The process is deceptively simple and preys on our trust and inattention. It all starts with a text message, what we call ‘smishing,’ or perhaps a link shared on WhatsApp. The message will create a sense of urgency—a missed delivery, a bank account warning, or a special offer. The red flag is always the unsolicited nature and the push to click a link. Once you click, you’re taken to a page that prompts you to download what looks like a legitimate app, like a system update or a new photo editor. On Android, this would be an APK file. You install it, grant it permissions because it seems harmless, and that’s the moment of infection. The spyware immediately burrows into your device, and from that point on, the attacker has a direct line to your digital life. They can see everything, from your device model and location down to a live feed of your microphone and screen.
Spyware is now gaining complete control over a device’s SMS functions, effectively bypassing multi-factor authentication. What does this mean for the security of accounts that rely on SMS for verification, and what alternative verification methods should organizations prioritize instead?
It means that SMS-based multi-factor authentication is becoming critically vulnerable. We’ve treated it as a reliable second layer of security for years, but when malware like ZeroDayRAT can intercept and even send text messages directly from your device, that layer crumbles. The attacker doesn’t need to hack the cell network; they simply read the verification code as it arrives on your phone, using it to log into your bank, email, or corporate accounts. For organizations, this is a clear signal to move away from SMS as a primary MFA method. They should be prioritizing stronger, more resilient alternatives. This includes authenticator apps that generate time-based codes locally on the device, or even better, physical security keys that require hardware to be present for authentication. These methods remove the SMS message from the equation, making it far more difficult for an attacker to complete an account takeover.
When a tool is described as “textbook stalkerware,” it targets specific vulnerable groups like journalists and activists. Beyond these individuals, how does this threat extend to corporations through loose BYOD policies, and what are the primary risks for an enterprise?
The term “stalkerware” immediately brings to mind individuals—journalists, activists, or victims of domestic abuse—and they are absolutely prime targets. However, the corporate risk is immense and often overlooked. Many companies have embraced “Bring Your Own Device” policies for convenience and cost-saving, but without strict management, they are creating a massive security gap. When an employee’s personal device, which they use for work email and accessing company data, gets infected with ZeroDayRAT, the line between personal and corporate security is erased. The primary risks are immediate and severe: credential theft from corporate apps, account takeover of executive-level employees, and massive data exfiltration. The attacker has a keylogger, screen recorder, and access to everything on that phone, making it a perfect vector to pivot from the employee’s device directly into the heart of the corporate network.
A tool with extensive surveillance capabilities is priced around a couple of thousand dollars, suggesting a convergence of nation-state-level features with criminal economics. What does this trend signal about the future of cybercrime, and how can smaller businesses with limited resources defend against such potent threats?
This trend is incredibly concerning. It signals the commoditization of high-level cyber-espionage tools. Features that were once the exclusive domain of government intelligence agencies are now being packaged and sold to anyone with $2,000, from private investigators to corporate spies and organized criminals. The future of cybercrime looks less like lone-wolf hackers and more like a service-based economy where powerful attacks can be launched by non-technical actors. For smaller businesses with limited budgets, this is a daunting challenge. They can’t afford enterprise-grade security suites, but they can’t afford to be defenseless either. The key is to focus on the fundamentals: first and foremost, user education is critical. Familiarizing employees with social engineering tactics is the most cost-effective defense. Beyond that, implementing a mobile endpoint security tool and enforcing strict app vetting, even on personal devices used for work, can provide a crucial layer of protection against these increasingly accessible and dangerous threats.
What is your forecast for the mobile spyware market?
My forecast is that this market will continue to expand and become even more accessible. The “malware-as-a-service” model is simply too profitable and effective for criminals to abandon. We’re going to see more sophisticated features, previously only seen in state-sponsored attacks, trickle down into these commercial spyware packages at even lower price points. The line between cybercrime and traditional crime will blur further, as these tools empower everything from financial fraud to industrial espionage and personal stalking. Consequently, mobile device security can no longer be an afterthought; it must be treated with the same urgency and seriousness as traditional endpoint and network security. The battleground has firmly shifted to the devices in our pockets, and both individuals and organizations need to adapt to this reality, and fast.
