
BTMOB Malware Remotely Controls Android Devices Lets Attackers

Marcus Rodriguez
May 27, 2026

New Android malware, dubbed BTMOB, is now arming even low-skilled attackers with full remote control over infected phones. Its formidable capabilities arise from combining a powerful Remote Access Trojan (RAT) engine with a no-code campaign builder toolkit.

Table of Contents

  • BTMOB Malware Hijacks Android Devices
  • Infrastructure IOCs
  • How You Can Stay Safe

The threat, first seen in 2025, is now evolving rapidly through a malware-as-a-service (MaaS) model and active phishing campaigns worldwide.

BTMOB is an Android remote access trojan (RAT) that evolved from the SpySolr family and was first documented in early 2025.

Unlike classic banking trojans focused only on financial data, BTMOB is designed for full device surveillance and control.

BTMOB APK creation tool (source: WeLiveSecurity)

The malware can exfiltrate a wide range of sensitive data, capture screenshots, record on-device activity, and give operators persistent remote access to the compromised phone.

Researchers note that its capabilities rival those of desktop-grade RATs, making it a high-impact threat to both consumers and enterprises.

A key feature that sets BTMOB apart is its commercial packaging as a MaaS product with an integrated APK builder.

Buyers can generate new malicious APK payloads and customize phishing lures for specific countries without writing any code, drastically lowering the barrier to entry.

The tool is marketed via a promotional page on the open web that funnels buyers to Telegram, along with seller accounts on social platforms like X and Instagram.

X profile linked to the malware (source: WeLiveSecurity)

Reports indicate lifetime licenses around 5,000 USD, a relatively low cost compared to the potential fraud profits a successful campaign can generate.

BTMOB Malware Hijacks Android Devices

BTMOB relies heavily on social engineering and phishing-led delivery. Operators steer victims to phishing sites that impersonate streaming services, cryptocurrency platforms, or other familiar brands, then redirect them to fake app stores pushing malicious APKs.

Attackers adapt lures to local contexts, including campaigns spoofing tax or government agencies in countries such as Argentina and other regions highlighted by national cyber agencies.

BTMOB impersonates an Argentine government agency (source: WeLiveSecurity)

Once the victim sideloads the APK, the malware requests extensive permissions and abuses Android’s Accessibility Services to grant itself additional privileges silently.

Once installed, BTMOB establishes command-and-control channels to allow real-time remote administration of the device.

Operators can view the screen, interact with apps, harvest credentials through overlays, intercept messages, and exfiltrate files and device data.

By weaponizing Accessibility Services, BTMOB can manipulate UI elements, approve permissions, and execute actions without user interaction, while also conducting overlay attacks against banking and payment apps to steal credentials and one-time codes.
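The two paragraphs above describe the combination that makes BTMOB dangerous on a handset: a sideloaded package that holds an enabled accessibility service. The following triage script is an added example (not code from the article or from ESET) showing how a defender can spot that combination from two standard `adb shell` outputs: `settings get secure enabled_accessibility_services` (a colon-separated list of service component names) and `pm list packages -3 -i` (third-party packages with their installer). The sample outputs, the package names and the trusted-installer set are all constructed for this example, and the exact `pm list` line format is an assumption to confirm against your devices.

```python
import re
from dataclasses import dataclass

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# Entries are "package/ServiceClass" joined by ':'; a class starting with '.' is
# relative to its package. The package names below are invented for this example.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamfree/.a11y.OverlayService"
)

# Constructed sample output of:
#   adb shell pm list packages -3 -i
# (third-party packages and the package that installed them; "null" means sideloaded).
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.streamfree  installer=null
"""

# Installers treated as trusted distribution channels (assumption: tune this per fleet,
# e.g. add your MDM's installer package).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: str
    reason: str


def parse_pm_list(text):
    """Map package name -> installer package from `pm list packages -3 -i` output."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_enabled_services(text):
    """Split the enabled_accessibility_services setting into (package, class) pairs."""
    services = []
    for entry in text.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):          # expand relative class name
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def triage(enabled_text, pm_text):
    """Flag enabled accessibility services owned by a third-party package that did not
    arrive through a trusted installer (the sideload + accessibility pattern)."""
    installers = parse_pm_list(pm_text)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_text):
        installer = installers.get(pkg)
        if installer is None:
            # Not in the third-party list: system or preinstalled component, out of scope here.
            continue
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, cls, installer,
                                    "sideloaded package holds accessibility privileges"))
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_A11Y, PM_LIST):
        print(f"[!] {f.package} ({f.installer}) -> {f.service}: {f.reason}")
```

On a real fleet you would feed the script the live output of the two `adb shell` commands (or the equivalent MDM inventory fields) rather than the constructed strings; any hit is worth pulling the APK for hash comparison against the IOCs below.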

Fake app store and malicious apps (source: WeLiveSecurity)

Some variants can download additional modules, extending capabilities based on each campaign’s goals.

Because BTMOB is sold as a builder-based MaaS platform, new payload variants can be generated quickly, enabling rapid turnover of indicators of compromise (IOCs).

Infrastructure IOCs

Domains

  • arbsniper[.]com

IP Addresses

  • 74.125.202[.]103
  • 142.251.183[.]138
  • 173.194.193[.]138
  • 173.194.206[.]106
  • 178.156.177[.]192
  • 191.101.131[.]250
  • 195.160.221[.]203
  • 104.21.64[.]137
  • 173.194.194[.]94
  • 191.96.224[.]87
  • 191.96.225[.]241
  • 191.96.78[.]172
  • 191.96.78[.]28
  • 191.96.79[.]133
  • 191.96.79[.]179
  • 191.96.79[.]41
  • 192.178.209[.]95
  • 200.9.155[.]153
  • 74.125.132[.]95
  • 78.135.93[.]123
  • 79.133.57[.]141
File Hash IOCs

SHA256 Hashes

  • 58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94
  • 0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35
  • A764D73795ABE47AE640BA09999A18C47B5340E5ECC7B897AFEBF34F3F37638F
  • 26A2268281E8043125EF72B92F8980B42912048753D56894BC378FB54C7C188A
  • 6AE94CE710016D86ED7457236DEEF2C4C51478587F3609B6E827A348828B3931
  • E5A9FDFF900DD502E8F3DCE52D2D1B69AA9AFAFB5094A28F9037E8770DB0E63B
  • C6199E175FB988CBBEACDF0F5ACDF9ED83F5BDAAE5C95B7A6C27EE72CD11B0B1
  • 6BBA64FA9E8A7B11CB2476CD071DE08986DB44B0783EFF211C68FA5594EF8143
  • 5AAAF972C8BF39A98F2748E526DE3CC0370BA831997D7D9765CDABA599645C0D
  • DDCE0219923D152B8FACD303F058A6286CF1F6924992B9FB9F5BF4D96436CC39

Detection IOCs

ESET Signatures

  • Android/Agent.FQK
  • Android/TrojanDropper.Agent.NES
  • Android/Spy.Agent.EIJ
  • Android/Spy.Agent.EIK
  • Android/TrojanDropper.Agent.NDK
  • Android/Spy.Spysolr.A
  • Android/Spy.Agent.EUG
  • Android/Spy.Agent.EWN
  • Android/Spy.Agent.FFE
  • Android/Spy.Agent.FFL

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
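As a worked illustration of the note above, the script below is an added example (not part of the article, ESET's report, or any product) that re-fangs a subset of the published indicators in memory and sweeps them over DNS and proxy log lines. The log lines are constructed for this example; the domain and the four IP addresses are copied verbatim from the list above. Hits are labelled by indicator type because IP indicators that sit in shared cloud or CDN address space produce more false positives than the domain does, so they should be weighted differently in triage.

```python
import ipaddress
import re

# Defanged indicators copied from the article's IOC list (subset, exactly as published).
DEFANGED_DOMAINS = ["arbsniper[.]com"]
DEFANGED_IPS = [
    "178.156.177[.]192",
    "191.101.131[.]250",
    "195.160.221[.]203",
    "104.21.64[.]137",
]

# Constructed DNS/proxy log lines for the example; the client IPs and the
# unrelated destinations are invented.
SAMPLE_LOGS = [
    "2026-05-27T10:01:02Z dns client=10.0.0.5 query=cdn.arbsniper.com type=A",
    "2026-05-27T10:01:03Z proxy client=10.0.0.5 dst=178.156.177.192:443 method=CONNECT",
    "2026-05-27T10:02:00Z dns client=10.0.0.7 query=updates.example.org type=A",
    "2026-05-27T10:02:10Z proxy client=10.0.0.7 dst=93.184.216.34:443 method=CONNECT",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator):
    """Undo common defanging ([.] / (dot) / [dot] -> '.', hxxp -> http). Only call this
    inside a controlled tool; never paste refanged values into a browser or chat."""
    s = indicator.strip()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.lower()


def build_matcher(domains, ips):
    """Normalise indicator lists into a domain set and a parsed IP set."""
    dom = {refang(d) for d in domains}
    ipset = {ipaddress.ip_address(refang(i)) for i in ips}
    return dom, ipset


def scan_logs(lines, domains, ips):
    """Return (line_no, kind, value) for every indicator seen in the log lines.
    Domains match themselves and any subdomain; IPs match exactly."""
    dom, ipset = build_matcher(domains, ips)
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in dom or any(host.endswith("." + d) for d in dom):
                hits.append((n, "domain", host))
        for ipstr in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ipstr)
            except ValueError:      # e.g. an octet > 255 that the regex let through
                continue
            if ip in ipset:
                hits.append((n, "ip", ipstr))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS, DEFANGED_DOMAINS, DEFANGED_IPS):
        print(f"line {n}: {kind} indicator {value}")
```

Because the builder-based MaaS model turns indicators over quickly, treat the list as a starting point: load the full set (domains, IPs and SHA256 hashes) into your SIEM or MISP instance and refresh it from the vendor report rather than hard-coding it as done here for illustration.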

Security vendors have observed multiple versions, including BTMOB v2.5, within short timeframes, as operators iterate on payloads and evasion techniques.

BTMOB offer on the surface web (source: WeLiveSecurity)

According to WeLiveSecurity by ESET in a report shared with Cyber Security News, BTMOB-related samples are detected under families such as MSIL/BtmobRat and multiple Android/Spy.Agent or Android/TrojanDropper signatures, reflecting links to earlier SpySolr-based malware.

Analysts warn that leaked or pirated copies circulating on forums could further broaden access and inspire copycat toolchains.

How You Can Stay Safe

Defenders are urged to enforce strict app-sourcing policies and raise user awareness.

Organizations should mandate installation only from official stores, block sideloading where possible, and train users to treat unsolicited links and “free” streaming or crypto apps with skepticism.

Mobile security solutions with behavioral detection and accessibility-abuse monitoring can help spot BTMOB-like threats.

Enterprises should treat smartphones as high-value endpoints and apply the same logging, EDR-style monitoring, and incident response playbooks used for laptops and servers.

Given BTMOB’s builder-driven evolution, defenders should combine up-to-date IOCs with anomaly-based detection to keep pace with new variants.
