A stealthy RAT burrowing deep into Android devices

Admin by Admin
May 28, 2026


The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise

Daniel Cunha Barbosa

26 May 2026, 6 min. read

BTMOB: A stealthy RAT burrowing deep into Android devices

Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for its detection volume than for the damage it can do. The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America.

BTMOB at a glance

First described in February 2025, BTMOB evolved from the SpySolr malware. Unlike banking trojans, which “only” aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrating a range of sensitive data, capturing screenshots and recording activity on the device, and ultimately taking remote control of it. The RAT is also sold with an APK builder interface, allowing anyone to generate new payloads and adapt phishing lures for specific regions at a rapid clip, without writing any code.

Figure 1. BTMOB APK creation tool

How does BTMOB spread?

Unsurprisingly, everything starts with ordinary social engineering. Operators send victims to phishing websites that pose as streaming services, cryptocurrency mining platforms or other familiar online services. From there, victims are pushed toward fake app stores that mimic official repositories and prompt them to install a malicious APK. Bad actors have also been observed tailoring their lures to specific regions.

Once installed, BTMOB seeks extensive access to the device. As is common these days, it abuses Android Accessibility Services to gain elevated permissions and grant itself further system access without additional user interaction.
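Because the abuse hinges on an accessibility service being switched on, a quick fleet check is to read the device's enabled accessibility services and flag any that are not expected. The following script is an added example, not code from the article or from ESET; the allowlist packages and the constructed rogue entry used in testing are assumptions you would replace with your own inventory.

```shell
#!/bin/sh
# Added example, not from the original article: audit the accessibility
# services enabled on an Android device, because BTMOB (like many current
# Android RATs) abuses Accessibility Services to grant itself further access.
# The secure setting `enabled_accessibility_services` holds a colon-separated
# list of package/ServiceClass entries, or the string "null" when none are on.

# Packages you expect to run an accessibility service (assumption: an
# allowlist you maintain for your fleet; colon-separated like the setting).
ALLOWED_PACKAGES="com.google.android.marvin.talkback:com.android.switchaccess"

# flag_unknown_services SETTING_VALUE
# Prints one line per enabled service whose package is not allowlisted.
# Returns 0 when every enabled service is allowlisted, 1 otherwise.
flag_unknown_services() {
    setting=$1
    rc=0
    # "null" is what `settings get` prints when the setting is unset.
    [ "$setting" = "null" ] && setting=""
    saved_ifs=$IFS
    IFS=':'
    for entry in $setting; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}            # package name before the first slash
        case ":$ALLOWED_PACKAGES:" in
            *":$pkg:"*) ;;          # expected service, nothing to report
            *)
                printf 'UNEXPECTED accessibility service: %s\n' "$entry"
                rc=1
                ;;
        esac
    done
    IFS=$saved_ifs
    return $rc
}

# audit_device: pull the live value over adb (needs an authorized device)
# and run the check. `adb shell settings get secure <key>` is the real
# command; tr strips the carriage return adb adds to shell output.
audit_device() {
    value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unknown_services "$value"
}

# Run the live audit only when asked, so the file can also be sourced.
case "${1:-}" in
    --audit) audit_device ;;
esac
```

Run it as `sh audit.sh --audit` with a device attached; a non-zero exit status means at least one unexpected accessibility service is enabled and the device deserves a closer look.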

Figure 2. Fake app store and malicious apps. (Source: @Merlax_)

Because it is built for the malware-as-a-service (MaaS) economy, BTMOB is marketed as a software product, including through a promotional page on the open web that funnels potential buyers to a Telegram operator. The sales pipeline extends across social media platforms, with various accounts on X and Instagram actively peddling the tool.

Figure 3. BTMOB offer on the surface web

Figure 4. X profile linked to the malware

Once someone purchases the malicious kit, they can adapt its features, including the phishing lures, so that they impersonate the brand or agency most likely to lure victims in any given country. For example, researchers Johnk3r and Merl recently observed campaigns that spread BTMOB while impersonating Argentina’s tax and customs authorities.

Figure 5. BTMOB impersonating an Argentine government agency. (Source: Germán Fernández Bacian)

Market dynamics and detection challenges

Even where the developers initially restrict the tool to paying customers, the economics remain favorable for attackers. A reported $5,000 lifetime license plus a monthly support fee is low compared with the returns a successful fraud operation can generate.

In addition, the MaaS model lowers the barrier for less sophisticated adversaries. In January 2026, a dark web forum claimed to offer BTMOB-related files for free download. The forum later went offline, and our search did not recover the payload(s), but the episode points to a familiar risk with commercial malware: access rarely stays contained forever, and the tool can move into secondary markets through resale, barter or sharing within closed groups. Competing malware families can also copy the elements that make payload customization and campaign management easier for less skilled criminals.

As new variants can be generated quickly, defenders should expect rapid payload turnover rather than a stable set of threats. ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK. Cyble’s report from February 2025 noted that roughly 15 samples of BTMOB v2.5 had been observed since late January of that year, i.e., in a mere two or so weeks.

How to protect yourself

A few basic tips will go a long way toward staying safe from BTMOB and other Android malware:

  • Stick with the official app store: Attackers rely on fake app stores that mimic Google Play. Organizations should mandate that users download software exclusively from official repositories.
  • Treat links with suspicion: Be skeptical of unsolicited links delivered via email, messaging apps, social media and targeted advertisements.
  • Use security software: Both individuals and organizations should use mobile security solutions and treat mobile devices with the same rigor as other machines and environments. Corporate security teams must make it clear to employees that a single rogue download could expose the company’s crown jewels.

Indicators of compromise

Because BTMOB “mutates” quickly, many indicators may age rapidly. Nevertheless, specific infrastructure patterns often recur across different samples and help in triage.

IP addresses


Hashes – SHA256

ESET detection names

Detection name
  • Android/Agent.FQK
  • Android/TrojanDropper.Agent.NES
  • Android/Spy.Agent.EIJ
  • Android/Spy.Agent.EIK
  • Android/TrojanDropper.Agent.NDK
  • Android/Spy.Spysolr.A
  • Android/Spy.Agent.EUG
  • Android/Spy.Agent.EWN
  • Android/Spy.Agent.FFE
  • Android/Spy.Agent.FFL
  • Android/Spy.Agent.ELM
  • Android/Spy.Agent.FFM
  • Android/Spy.Agent.FEE
  • Android/TrojanDropper.Agent.NBO
© 2025 https://blog.aimactgrow.com/ - All Rights Reserved