New BTMOB Malware Lets Attackers Remotely Control Android Devices

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


New Android malware dubbed BTMOB is arming even low-skilled attackers with full remote control over infected phones by combining a powerful RAT engine with a no-code campaign builder toolkit.

The threat, first seen in 2025, is now evolving rapidly through a malware-as-a-service (MaaS) model and active phishing campaigns worldwide.

BTMOB is an Android remote access trojan (RAT) that evolved from the SpySolr family and was first documented in early 2025.

Unlike classic banking trojans focused only on financial data, BTMOB is designed for full device surveillance and control.

BTMOB APK creation tool (source: WeLiveSecurity)

The malware can exfiltrate a wide range of sensitive data, capture screenshots, record on-device activity, and give operators persistent remote access to the compromised phone.

Researchers note that its capabilities rival those of desktop-grade RATs, making it a high-impact threat to both consumers and enterprises.

A key feature that sets BTMOB apart is its commercial packaging as a MaaS product with an integrated APK builder.

Buyers can generate new malicious APK payloads and customize phishing lures for specific countries without writing any code, drastically lowering the barrier to entry.

The tool is marketed via a promotional page on the open web that funnels buyers to Telegram, along with seller accounts on social platforms like X and Instagram.

X profile linked to the malware (source: WeLiveSecurity)

Reports indicate lifetime licenses around 5,000 USD, a relatively low cost compared to the potential fraud profits a successful campaign can generate.

BTMOB Malware Hijacks Android Devices

BTMOB relies heavily on social engineering and phishing-led delivery. Operators steer victims to phishing sites that impersonate streaming services, cryptocurrency platforms, or other familiar brands, then redirect them to fake app stores pushing malicious APKs.

Attackers adapt lures to local contexts, including campaigns spoofing tax or government agencies in countries such as Argentina and other regions highlighted by national cyber agencies.

BTMOB impersonates an Argentine government agency (source: WeLiveSecurity)

Once the victim sideloads the APK, the malware requests extensive permissions and abuses Android’s Accessibility Services to grant itself additional privileges silently.

Once installed, BTMOB establishes command-and-control channels to allow real-time remote administration of the device.

Operators can view the screen, interact with apps, harvest credentials through overlays, intercept messages, and exfiltrate files and device data.

By weaponizing Accessibility Services, BTMOB can manipulate UI elements, approve permissions, and execute actions without user interaction, while also conducting overlay attacks against banking and payment apps to steal credentials and one-time codes.

Fake app store and malicious apps (source: WeLiveSecurity)

Some variants can download additional modules, extending capabilities based on each campaign’s goals.

Because BTMOB is sold as a builder-based MaaS platform, new payload variants can be generated quickly, enabling rapid turnover of indicators of compromise (IOCs).

Infrastructure IOCs

Domains

  • arbsniper[.]com

IP Addresses

File Hash IOCs

SHA256 Hashes


Detection IOCs

ESET Signatures

  • Android/Agent.FQK
  • Android/TrojanDropper.Agent.NES
  • Android/Spy.Agent.EIJ
  • Android/Spy.Agent.EIK
  • Android/TrojanDropper.Agent.NDK
  • Android/Spy.Spysolr.A
  • Android/Spy.Agent.EUG
  • Android/Spy.Agent.EWN
  • Android/Spy.Agent.FFE
  • Android/Spy.Agent.FFL

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Security vendors have observed multiple versions, including BTMOB v2.5, within short timeframes, as operators iterate on payloads and evasion techniques.

BTMOB offer on the surface web (source: WeLiveSecurity)

According to WeLiveSecurity by ESET in a report shared with Cyber Security News, BTMOB-related samples are detected under families such as MSIL/BtmobRat and multiple Android/Spy.Agent or Android/TrojanDropper signatures, reflecting links to earlier SpySolr-based malware.

Analysts warn that leaked or pirated copies circulating on forums could further broaden access and inspire copycat toolchains.

How to Stay Safe

Defenders are urged to enforce strict app-sourcing policies and raise user awareness.

Organizations should mandate installation only from official stores, block sideloading where possible, and train users to treat unsolicited links and “free” streaming or crypto apps with skepticism.

Mobile security solutions with behavioral detection and accessibility-abuse monitoring can help spot BTMOB-like threats.

Enterprises should treat smartphones as high-value endpoints and apply the same logging, EDR-style monitoring, and incident response playbooks used for laptops and servers.

Given BTMOB’s builder-driven evolution, defenders should combine up-to-date IOCs with anomaly-based detection to keep pace with new variants.
