{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/btmob/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Play"],"_cs_severities":["high"],"_cs_tags":["android","rat","malware","maas","btmob","trojan"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eBTMOB is an Android Remote Access Trojan (RAT) that has evolved from the SpySolr malware, first described in February 2025. Unlike banking trojans, BTMOB offers adversaries a broader range of options, including exfiltration of sensitive data, screen capture, activity recording, and remote device control. The RAT is sold with an APK builder interface, enabling anyone to generate new payloads and tailor phishing lures for specific regions without requiring coding skills. BTMOB is marketed as a software product via promotional pages and social media platforms, with license fees reported around $5,000 plus monthly support, lowering the barrier for less sophisticated adversaries. In January 2026, claims surfaced of BTMOB-related files being offered for free on a dark web forum, indicating a risk of wider availability. ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker designs a phishing website impersonating a streaming service or cryptocurrency mining platform.\u003c/li\u003e\n\u003cli\u003eThe victim receives a link to the phishing website via email, messaging app, or social media.\u003c/li\u003e\n\u003cli\u003eThe victim is redirected to a fake app store mimicking legitimate repositories like Google Play.\u003c/li\u003e\n\u003cli\u003eThe victim is prompted to download and install a malicious APK file containing the BTMOB RAT.\u003c/li\u003e\n\u003cli\u003eUpon installation, BTMOB requests extensive permissions, abusing Android Accessibility Services to gain elevated access without further user interaction.\u003c/li\u003e\n\u003cli\u003eBTMOB gains control of the device, enabling data exfiltration, screen capture, and activity recording.\u003c/li\u003e\n\u003cli\u003eThe attacker can remotely control the device to perform unauthorized actions or access sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates data from the compromised device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Android devices can lead to significant data breaches, financial loss, and privacy violations. BTMOB allows attackers to steal credentials, intercept communications, capture sensitive information displayed on the screen, and remotely control the device. The malware\u0026rsquo;s ability to adapt phishing lures quickly and its availability as a MaaS platform expands its reach and impact, affecting users who are lured into installing the application under false pretenses. Successful attacks could expose sensitive corporate data if employees use their devices for work purposes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the listed IP addresses and domain at network perimeters based on the IOC table to prevent communication with known BTMOB infrastructure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect BTMOB Installation via PackageInstaller\u0026rdquo; to detect BTMOB RAT installation attempts based on package names.\u003c/li\u003e\n\u003cli\u003eImplement policies mandating that users download software exclusively from official repositories like Google Play to prevent installations from fake app stores.\u003c/li\u003e\n\u003cli\u003eEducate users to treat unsolicited links delivered via email, messaging apps, social media, and targeted advertisements with suspicion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T06:58:01Z","date_published":"2026-05-27T06:58:01Z","id":"https://feed.craftedsignal.io/briefs/2026-05-btmob-android-rat/","summary":"BTMOB is a Malware-as-a-Service (MaaS) Android RAT, first observed in February 2025, that uses phishing lures and the abuse of Android Accessibility Services to gain control of devices for data exfiltration, screen capture, and remote access.","title":"BTMOB Android RAT: MaaS Platform Targeting Android Devices","url":"https://feed.craftedsignal.io/briefs/2026-05-btmob-android-rat/"}],"language":"en","title":"CraftedSignal Threat Feed — Btmob","version":"https://jsonfeed.org/version/1.1"}