Threat Feed
Severity: high

BTMOB Android RAT: MaaS Platform Targeting Android Devices

BTMOB is a Malware-as-a-Service (MaaS) Android RAT, first observed in February 2025, that uses phishing lures and the abuse of Android Accessibility Services to gain control of devices for data exfiltration, screen capture, and remote access.

BTMOB is an Android Remote Access Trojan (RAT) that evolved from the SpySolr malware and was first observed in February 2025. Unlike banking trojans, BTMOB gives operators a broader range of capabilities: exfiltration of sensitive data, screen capture, activity recording, and full remote control of the device. The RAT is sold with an APK builder interface, so buyers can generate new payloads and tailor phishing lures to specific regions without any coding skills.

BTMOB is marketed like a commercial software product, through promotional pages and social media platforms, with license fees reported at around $5,000 plus monthly support, which lowers the barrier for less sophisticated adversaries. In January 2026, claims surfaced that BTMOB-related files were being offered for free on a dark web forum, raising the risk of wider availability. ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK.

Attack Chain

  1. The attacker designs a phishing website impersonating a streaming service or cryptocurrency mining platform.
  2. The victim receives a link to the phishing website via email, messaging app, or social media.
  3. The victim is redirected to a fake app store mimicking legitimate repositories like Google Play.
  4. The victim is prompted to download and install a malicious APK file containing the BTMOB RAT.
  5. Upon installation, BTMOB requests extensive permissions and asks the victim to enable an Accessibility Service for the app. Once that single grant is made, the RAT abuses the service to drive the user interface on the victim's behalf, including approving further permission prompts, so it needs no additional consent to reach elevated access.
  6. BTMOB gains control of the device, enabling data exfiltration, screen capture, and activity recording.
  7. The attacker can remotely control the device to perform unauthorized actions or access sensitive information.
  8. The attacker exfiltrates data from the compromised device.

Impact

Compromised Android devices can lead to significant data breaches, financial loss, and privacy violations. BTMOB allows attackers to steal credentials, intercept communications, capture sensitive information displayed on the screen, and remotely control the device. The malware’s ability to adapt phishing lures quickly and its availability as a MaaS platform expands its reach and impact, affecting users who are lured into installing the application under false pretenses. Successful attacks could expose sensitive corporate data if employees use their devices for work purposes.

Recommendation

  • Block the listed IP addresses and domain at network perimeters based on the IOC table to prevent communication with known BTMOB infrastructure. Review the IP entries before deploying them: several fall in ranges belonging to large shared providers (for example Google and Cloudflare), so a blanket perimeter block on those addresses can break legitimate traffic; prefer the domain and file hashes, or scope the IP blocks to the mobile device population.
  • Deploy the Sigma rule “Detect BTMOB Installation via PackageInstaller” to detect BTMOB RAT installation attempts based on package names.
  • Implement policies mandating that users download software exclusively from official repositories like Google Play to prevent installations from fake app stores.
  • Educate users to treat unsolicited links delivered via email, messaging apps, social media, and targeted advertisements with suspicion.

Detection coverage (2 rules)

Detect BTMOB Installation via PackageInstaller
Severity: high

Detects potential BTMOB RAT installation attempts by monitoring for package installations initiated by PackageInstaller with specific package names.

Format: Sigma. Tactic: initial_access. Technique: T1566. Log sources: process_creation, android.

Detect Network Connection to BTMOB Infrastructure
Severity: high

Detects network connections to known BTMOB command and control infrastructure.

Format: Sigma. Tactic: command_and_control. Technique: T1071. Log sources: network_connection, android.
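The two detections above, plus the blocklist triage the Recommendation section calls for, worked through as an added example in Python. This is not code from the advisory or from the vendor's platform. The package names in WATCHED_PACKAGES are hypothetical stand-ins, since the advisory does not publish the names its Sigma rule matches; the log lines are constructed samples; the IOC values are copied from the table below; and the shared-provider prefixes are a short hand-picked list of well-known Google and Cloudflare ranges, not a complete one.

```python
"""Replicate the advisory's two detections against constructed log lines and
triage its IP IOCs before they reach a perimeter blocklist.

Added example; not code from the advisory or the vendor platform."""
import ipaddress
import re

# Subset of the advisory's IOC table (values copied from the page).
IOC_IPS = {
    "74.125.202.103", "142.251.183.138", "104.21.64.137",
    "178.156.177.192", "191.101.131.250", "191.96.78.28", "78.135.93.123",
}
IOC_DOMAINS = {"arbsniper.com"}

# Hypothetical package names: the advisory does not publish the names its
# Sigma rule matches, so these stand in for that list.
WATCHED_PACKAGES = {"com.example.streamplus", "com.example.minerpro"}

# Hand-picked prefixes of large shared providers (Google, Cloudflare).
# An IOC inside one of these is an endpoint shared with legitimate traffic,
# so it is routed to "verify" rather than straight to the blocklist.
SHARED_PROVIDER_NETS = [ipaddress.ip_network(n) for n in (
    "74.125.0.0/16", "142.250.0.0/15", "173.194.0.0/16",
    "192.178.0.0/15", "104.16.0.0/13",
)]

# Constructed sample logs (not real telemetry): a logcat-style install event
# and a flow record carrying the TLS SNI, in the shape an EDR/NDR might emit.
LOGCAT_LINES = [
    "I PackageManager: installed package com.example.streamplus "
    "via installer com.google.android.packageinstaller",
    "I PackageManager: installed package com.android.chrome "
    "via installer com.android.vending",
]
NET_LINES = [
    "conn src=10.0.0.5 dst=191.101.131.250 dport=443 sni=arbsniper.com",
    "conn src=10.0.0.5 dst=142.250.72.14 dport=443 sni=www.google.com",
]

INSTALL_RE = re.compile(
    r"installed package (?P<pkg>[\w.]+) via installer (?P<installer>[\w.]+)")
CONN_RE = re.compile(r"dst=(?P<dst>[\d.]+).*?sni=(?P<sni>[\w.-]+)")


def classify_ip_iocs(iocs):
    """Return (block, verify): IOCs outside shared ranges vs. inside them."""
    block, verify = set(), set()
    for ip in iocs:
        addr = ipaddress.ip_address(ip)
        (verify if any(addr in net for net in SHARED_PROVIDER_NETS)
         else block).add(ip)
    return block, verify


def detect_installs(lines):
    """Sideloaded installs (installer is PackageInstaller, not a store app)
    of watched package names: the logic of the first detection above."""
    hits = []
    for line in lines:
        m = INSTALL_RE.search(line)
        if (m and m["installer"].endswith(".packageinstaller")
                and m["pkg"] in WATCHED_PACKAGES):
            hits.append(m["pkg"])
    return hits


def detect_c2(lines):
    """Flows whose destination IP or SNI is an IOC: the second detection."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and (m["dst"] in IOC_IPS or m["sni"] in IOC_DOMAINS):
            hits.append((m["dst"], m["sni"]))
    return hits


if __name__ == "__main__":
    block, verify = classify_ip_iocs(IOC_IPS)
    print("block now:", sorted(block))
    print("verify first (shared provider):", sorted(verify))
    print("install hits:", detect_installs(LOGCAT_LINES))
    print("c2 hits:", detect_c2(NET_LINES))
```

Running the script puts the three Google/Cloudflare-range IOCs into the verify bucket and the remaining four straight into the blocklist, flags only the sideloaded watched package, and matches the flow to arbsniper.com. The install rule keys on the installer identity as well as the package name because a store-installed package with a colliding name is not what the detection is after, and the network rule matches on SNI as well as IP because the domain IOC survives infrastructure moves better than the addresses do.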


Indicators of compromise

Summary: 1 domain, 36 SHA-256 hashes, 21 IP addresses
Type          Value
ip            74.125.202.103
ip            142.251.183.138
ip            173.194.193.138
ip            173.194.206.106
ip            178.156.177.192
ip            191.101.131.250
ip            195.160.221.203
ip            104.21.64.137
ip            173.194.194.94
ip            191.96.224.87
ip            191.96.225.241
ip            191.96.78.172
ip            191.96.78.28
ip            191.96.79.133
ip            191.96.79.179
ip            191.96.79.41
ip            192.178.209.95
ip            200.9.155.153
ip            74.125.132.95
ip            78.135.93.123
ip            79.133.57.141
domain        arbsniper.com
hash_sha256   58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94
hash_sha256   0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35
hash_sha256   A764D73795ABE47AE640BA09999A18C47B5340E5ECC7B897AFEBF34F3F37638F
hash_sha256   26A2268281E8043125EF72B92F8980B42912048753D56894BC378FB54C7C188A
hash_sha256   6AE94CE710016D86ED7457236DEEF2C4C51478587F3609B6E827A348828B3931
hash_sha256   E5A9FDFF900DD502E8F3DCE52D2D1B69AA9AFAFB5094A28F9037E8770DB0E63B
hash_sha256   C6199E175FB988CBBEACDF0F5ACDF9ED83F5BDAAE5C95B7A6C27EE72CD11B0B1
hash_sha256   6BBA64FA9E8A7B11CB2476CD071DE08986DB44B0783EFF211C68FA5594EF8143
hash_sha256   5AAAF972C8BF39A98F2748E526DE3CC0370BA831997D7D9765CDABA599645C0D
hash_sha256   DDCE0219923D152B8FACD303F058A6286CF1F6924992B9FB9F5BF4D96436CC39
hash_sha256   D55057CD9110D12A192281356F06B94F342B9FEBB305CF0A5898A7E6AF40758F
hash_sha256   676CB2D0A60403AFC06CEA1B572CB7261F706365FAC65621B5A4907893E7AC0D
hash_sha256   75DD4FB011ED598374A46FC0D9C0D1D64A298341C34AFC83A56A6983CFD27764
hash_sha256   702261BA38B57ECC3A5407FED28B2F0611A74C2EC0C116AEA4F9E6DEF0899AED
hash_sha256   998A7ED1572AD9DC11375BC25294E1954E606B7CFF9FABC5C120713E597CD274
hash_sha256   244D81FD9908CD17815501D4EDADEB1BAF1C421AA25D8BD61C7CB481C939540E
hash_sha256   512EDE9F2FA794907999F3C26165557FDFD383B7AAD71BA022CE2C8BA6C0019D
hash_sha256   7AC974899E8E05AAACD417577C97E382D5E8C5F7F4A85632CFFB47EC2F6AE4E0
hash_sha256   168F50BF9A87099094EF410E3AC33E676A6A8740A5437CD09E7B63D73DF8431A
hash_sha256   2525D1E427A9983B0B4CA0906A4B44FFB9814B23D53FD8A2E3AB6512B027C733
hash_sha256   6101D1E1811DB052F869F7EB3402DAD28DA7E92103D4A44EE43F95846A075012
hash_sha256   1A60CB5F7E2FB7C09FC3DC8459108B26AC98EE73131F37A28CFDAD5FC75B7A7D
hash_sha256   97A0497DE585D3BE6EC75064AB3BD0979CD85561193C1F0669CCF4DB31330687
hash_sha256   02A52C4CC11748D44C9B49D508EE4E46425661981FA1406F30EC0830CB69DDC5
hash_sha256   6F9832EBB4C3054BEE4A6CE5CCB69C00E2020053E1308353343097E6A4041109
hash_sha256   F76B13040C634F82A8332FF9443D84C89A5BCED51AE9ADAD7FD15C05FADB4324
hash_sha256   C99139B0053C4C698EA0246D26D747F2A984C7ABA4613DA818ECD9F97899EF3A
hash_sha256   8F09274E808E0063D51F34CAC82A5770B3DF30C792E426DA2F6A80657F27AFFC
hash_sha256   140A7F995B0336942691A2E93E2017FD575267C017C7D0728D69169306F91963
hash_sha256   A1E457C52EAB430C20D48F2AC476E080386313F16EFB135A0471902CF68CE475
hash_sha256   5A4E86BBCF0EBC455D2995DB225D9AD682E9B37B6BAD472A604A462099D988BD
hash_sha256   A892F1EF2E530D67BF948A48C734DA3F27718EB8B883CA0B686DDB0A81071731
hash_sha256   AA56F350882CE63429C6626567487B041F06168BB60F4FC371A262EABADFA660
hash_sha256   752C1CFE783ED343E470AB95A4843A23872CDC98B7D3ED5633DD6C881C071A14
hash_sha256   0628AD6D1FD836B13B22E75FA169502D8CE78B7AD20F0261EB5151DA98437BCA
hash_sha256   6844CE1539014571360495C6FB50965E813C2721663BDD40D577D9E5163773C6