Active Spyware Campaigns Targeting Mobile Messaging Apps and Android Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a surge in sophisticated spyware campaigns targeting users of popular mobile messaging applications such as Signal, WhatsApp, and Telegram. Threat actors are leveraging commercial spyware and remote access trojans (RATs), employing tactics like social engineering, device-linking QR codes, zero-click exploits, and spoofed app versions to compromise high-value individuals, including government officials. Notable campaigns include the use of Android spyware like ProSpy, ToSpy, and ClayRat, as well as the exploitation of vulnerabilities in iOS, WhatsApp, and Samsung devices to deploy malware such as LANDFALL, with the goal of persistent access and data exfiltration.
In a related development, researchers at Certo Software have identified a new Android RAT dubbed RadzaRat, which masquerades as a legitimate file manager app. RadzaRat provides attackers with full remote control over infected devices, supports large-scale file transfers, and features keylogging capabilities to steal sensitive information. Alarmingly, RadzaRat is currently undetectable by all major antivirus solutions and is openly available for download, increasing the risk of widespread abuse. These findings underscore the growing threat posed by advanced spyware and RATs targeting mobile platforms, often bypassing traditional security defenses and exploiting user trust in legitimate-looking applications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA warns of active mobile spyware campaigns targeting messaging app users
CISA issued an alert about active exploitation of commercial spyware and remote access trojans targeting high-value users of Signal, WhatsApp, and Telegram. The agency said the campaigns affected government, military, political, and civil society targets across the U.S., Middle East, and Europe and highlighted malware families including ProSpy, ToSpy, ClayRat, and RadzaRat.
RadzaRat Android spyware campaign disclosed
Reporting disclosed a spyware campaign involving RadzaRat, an Android malware strain disguised as a file manager application to hijack devices. The campaign was presented as part of the broader trend of mobile spyware abusing fake apps and social engineering to compromise targets.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ZeroDayRAT Commercial Mobile Spyware Sold on Telegram
Mobile security researchers reported a newly identified commercial spyware toolkit dubbed **ZeroDayRAT** that provides operators broad, remote control of both **Android and iOS** devices and is being marketed to buyers via **Telegram** channels that include sales, customer support, and updates. Analysis attributed to *iVerify* describes a mass-market packaging of surveillance and info-stealing capabilities typically associated with higher-end commercial spyware, delivered through an operator-facing control panel intended to lower the technical barrier for use. ZeroDayRAT infections are primarily driven by social engineering that tricks victims into installing a malicious mobile binary (e.g., **APK** on Android or an iOS payload), including **smishing** links, phishing emails, fake apps/app stores, and links shared through messaging platforms such as WhatsApp and Telegram. Once installed, the spyware can enable real-time monitoring and data theft, including access to device and SIM details, location tracking, notification/SMS previews, and enumeration of accounts registered on the device—capabilities that can support **account takeover** (including MFA bypass via SMS visibility), targeted social engineering, and theft of banking/cryptocurrency-related data.
Mar 21, 2026
ZeroDayRAT Mobile Spyware Sold on Telegram Targets Android and iOS
Researchers disclosed a new mobile spyware platform dubbed **ZeroDayRAT** that is being openly advertised and sold via Telegram channels, including sales, support, and update streams. iVerify reported first observing activity in early February 2026 and assessed the tool is positioned as a “ready-to-run” cross-platform spyware kit supporting **Android 5–16** and **iOS up to 26**, with a browser-accessible (and in some cases self-hosted) operator panel intended to lower the technical barrier for buyers. ZeroDayRAT’s capabilities include real-time surveillance and data theft: GPS tracking with location history (including Google Maps plotting), notification capture, SMS interception (including **OTP** codes used for 2FA), keylogging, screen recording, and live camera/microphone access. The operator panel also enumerates accounts registered on the device (e.g., Google, WhatsApp, Instagram, Telegram, Amazon and regional payment apps), enabling victim profiling and potential account takeover. Distribution is assessed to rely primarily on social engineering—particularly **smishing** links leading to fake download pages—along with phishing, fake app stores, and malicious links shared via messaging apps, resulting in installation of an Android APK or an iOS payload.
Mar 21, 2026
ClayRat Android Spyware Distributed via Fake Messaging and Social Media Apps
A sophisticated Android spyware campaign known as ClayRat has been identified targeting users in Russia by masquerading as popular applications such as WhatsApp, Google Photos, TikTok, and YouTube. Attackers employ a combination of phishing websites and Telegram channels to lure victims into downloading malicious APK files, often by imitating official app pages and inflating download statistics with fake testimonials. Once installed, ClayRat grants attackers extensive control over the infected device, enabling them to exfiltrate sensitive data including SMS messages, call logs, device information, and notifications. The spyware can also covertly take photos using the device’s front camera and initiate calls or send SMS messages without user consent. Researchers from Zimperium’s zLabs have observed that the malware propagates aggressively by sending malicious links to every contact in the victim’s phone book, leveraging compromised devices as distribution vectors. Over a three-month period, more than 600 unique samples and 50 dropper variants have been detected, with each iteration incorporating new obfuscation techniques to evade security defenses. Some versions of ClayRat act as droppers, presenting a fake Play Store update screen while installing the actual encrypted payload in the background. The campaign exploits Android’s default SMS handler role to bypass platform restrictions and facilitate rapid spread. In certain cases, fake websites offer a counterfeit “YouTube Plus” app with purported premium features, further enticing users to sideload the malware. The attackers’ use of Telegram channels, such as @baikalmoscow, as distribution hubs is notable for its effectiveness in social engineering. The campaign’s rapid evolution and high volume of unique samples indicate a well-resourced and persistent threat actor. Security researchers emphasize the importance of user vigilance, as the malware’s ability to bypass Google’s sideloading protections on Android 13 and later poses a significant risk. The campaign’s focus on Russian users suggests a degree of regional targeting, though the techniques employed could be adapted for broader attacks. The use of fake positive feedback and inflated download numbers on Telegram channels is designed to build trust and lower user skepticism. The technical sophistication of ClayRat, including its modular dropper architecture and obfuscation layers, presents challenges for traditional mobile security solutions. Organizations and individuals are advised to avoid downloading APKs from unofficial sources and to monitor for unusual device behavior. The ongoing development and distribution of ClayRat underscore the evolving threat landscape facing Android users, particularly in regions where sideloading is more common.
Mar 21, 2026