A stealthy RAT burrowing deep into Android units

The malware pairs distant entry capabilities with ready-made marketing campaign instruments, reducing the barrier for full gadget compromise

26 Could 2026
 • 
,
6 min. learn

Our latest evaluation of risk detections in Brazil surfaced BTMOB, an Android distant entry trojan (RAT) that’s much less notable for detection quantity than for the harm it will probably wreak. The mix of phishing-led supply, ready-made app-building tooling and gadget takeover capabilities makes BTMOB a risk to observe nicely past Brazil or Latin America.

BTMOB at a look

First described in February 2025, BTMOB has advanced from the SpySolr malware. In contrast to banking trojans, which “solely” purpose to steal individuals’s monetary credentials or intercept their monetary transactions, BTMOB provides adversaries broader choices: exfiltrate a spread of delicate information, seize screenshots and file exercise on the gadget, and finally take distant management of it. The RAT can be bought with an APK builder interface, permitting anybody to generate new payloads and adapt phishing lures for particular areas at a speedy clip – and with out writing any code.

How does BTMOB unfold?

Unsurprisingly, all the things begins with strange social engineering. Operators ship victims to phishing web sites that pose as streaming companies, cryptocurrency mining platforms or different acquainted on-line companies. From there, victims are pushed towards faux app shops that mimic authentic repositories and immediate them to put in a malicious APK. Dangerous actors have additionally been noticed tailoring their lures to particular areas.

As soon as put in, BTMOB seeks in depth entry to the gadget. As is frequent nowadays, it abuses Android Accessibility Companies to realize elevated permissions and grant itself additional system entry with out further consumer interplay.

Because it’s constructed for the malware-as-a-service (MaaS) economic system, BTMOB is marketed as a software program product, together with via a promotional web page on the open internet that funnels potential consumers to a Telegram operator. The gross sales pipeline extends throughout social media platforms, with a variety of accounts on X and Instagram actively peddling the instrument. 

As soon as somebody purchases the malicious package, they will adapt its options, together with the phishing lures in order that they impersonate the model or company most probably to lure victims in any given nation. For instance, researchers Johnk3r and Merl lately noticed campaigns that unfold BTMOB whereas impersonating Argentina’s tax and customs authorities.

Market dynamics and detection challenges

Even the place builders initially prohibit the instrument to paying clients, the economics stay favorable for attackers. A reported $5,000 lifetime license plus a month-to-month help price is low in contrast with the returns a profitable fraud operation can generate.

As well as, the MaaS mannequin additionally lowers the barrier for much less refined adversaries. In January 2026, a darkish internet discussion board claimed to supply BTMOB-related recordsdata without spending a dime obtain. The discussion board later went offline, and our search didn’t get well the payload(s), however the episode factors to a well-recognized threat with business malware: entry not often stays contained eternally and the instrument can transfer into secondary markets via resale, barter or sharing inside closed teams. Competing malware households can even copy some parts that make payload customization and marketing campaign administration simpler for much less expert criminals.

As new variants could be generated rapidly, defenders ought to count on speedy payload turnover moderately than a secure set of threats. ESET merchandise detect the first instrument as MSIL/BtmobRat, whereas associated Android variants set off detections resembling Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK. Cyble’s report from February 2025 famous that roughly 15 samples of BTMOB v2.5 had been noticed since late January of that 12 months, i.e., in a mere two or so weeks.

The best way to shield your self

Just a few primary ideas will go a good distance towards staying protected from BTMOB and different Android malware:

• Follow the official app retailer: Attackers depend on faux app shops that mimic Google Play. Organizations ought to mandate that customers obtain software program completely from official repositories.
• Deal with hyperlinks with suspicion: Be skeptical of unsolicited hyperlinks delivered through e-mail, messaging apps, social media, and focused commercials.
• Use safety software program: Each people and organizations ought to use cellular safety options and deal with cellular units with the identical rigor as different machines and environments. Company safety groups should make it clear to workers {that a} single rogue obtain might exposes the corporate’s crown jewels.

Indicators of compromise

As a result of BTMOB ‘mutates’ rapidly, many indicators could age quickly. However, particular infrastructure patterns usually recur throughout totally different samples and assist in triage. 

IP addresses

Hashes – SHA256

ESET detection names