Malware

BTMOB Android RAT poses significant threat with easy-to-use builder

As reported by ESET's We Live Security, BTMOB is an Android remote access trojan (RAT) that, while not detected in high volumes, presents a significant threat due to its capabilities and ease of use. Its combination of phishing-based delivery, a user-friendly app-building tool, and comprehensive device control features makes it a concern for users globally, extending beyond its initial focus on Brazil and Latin America.

First identified in February 2025, BTMOB evolved from the SpySolr malware. Unlike typical banking trojans, BTMOB offers adversaries a wider range of malicious actions, including data exfiltration, screen capture, activity recording, and complete remote device control. A key feature is its APK builder interface, which allows users to create new malicious payloads and adapt phishing lures for different regions without needing to write any code. Distribution typically begins with social engineering tactics, leading victims to phishing websites that mimic legitimate services. From there, users are directed to fake app stores to download a malicious APK.

BTMOB abuses Android Accessibility Services to gain elevated permissions and further system access. Marketed as a malware-as-a-service (MaaS), BTMOB is sold with a lifetime license and monthly support, lowering the barrier for entry for less sophisticated attackers. This model also risks the tool moving into secondary markets, increasing its accessibility. The rapid generation of new variants means defenders face a constantly evolving threat landscape, with ESET products detecting it under various names like MSIL/BtmobRat and Android/Spy.Agent.EED.

Source: We Live Security

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds