BTMOB
BTMOB is an Android remote access trojan (RAT) first identified in February 2025 and described as an offshoot or evolution of SpySolr. It is marketed as a malware-as-a-service offering and sold with a no-code APK builder that allows buyers to generate malicious Android apps and customize phishing lures for different countries without programming skills. Reporting cited pricing that included a lifetime license around $5,000 plus support, while other reporting referenced subscription-style pricing and source-code sales. The malware has been promoted via open-web pages, Telegram, and social media accounts.
BTMOB is designed for broad device takeover rather than only banking fraud. Reported capabilities include remote control of infected Android devices, device unlocking, command execution, reading messages, displaying victim information, camera access, screenshot capture, screen or activity recording, keylogging, GPS tracking, file and data exfiltration, and credential theft through HTML injections or overlay-style phishing when targeted apps are opened. Later reporting also noted capture of Alipay PINs. BTMOB abuses Android Accessibility Services to obtain elevated permissions and additional system access after installation.
Observed delivery commonly relies on social engineering and phishing. Victims are directed to fake websites impersonating streaming services, cryptocurrency platforms, government or tax agencies, or counterfeit Google Play pages, and are then prompted to install malicious APKs. Campaigns were observed in Brazil and broader Latin America, including Argentina-themed lures impersonating AFIP. In May 2026, BTMOB was also distributed through apps presented as IPTV or streaming platforms offering World Cup broadcasts. Separate reporting tied BTMOB delivery to fake Google Play Store landing pages for an app named GPT Trade, sometimes alongside a persistence module referred to as UASecurity Miner.
BTMOB has also been observed as a secondary or replacement payload in other Android malware campaigns. More recent BeatBanker iterations reportedly replaced their banking module with BTMOB, enabling total device compromise, screen recording, credential exfiltration, keylogging, camera access, and GPS tracking. Some reports also noted victims infected with a separate BTMOB espionage and remote-control module.
The malware has been associated in reporting with the actor or seller EVLF (@craxso), and one report stated ESET believes BTMOB is the successor to CraxsRAT, CypherRAT, and SpySolr. Additional reporting noted claims of leaked BTMOB-related files or a leaked development toolkit in late 2025 to early 2026, including references to payload source code, builder components, operator panel, and backend elements, raising concern about wider underground adoption.
Known indicators and detection names cited in the sourced reporting include MSIL/BtmobRat, Android/Spy.Agent.EED, Android/Spy.Agent.EIJ, Android/Spy.Agent.EIK, Android/Agent.FQK, Android/TrojanDropper.Agent.NES, Android/TrojanDropper.Agent.NDK, Android/TrojanDropper.Agent.NBO, Android/Spy.Spysolr.A, Android/Spy.Agent.EUG, Android/Spy.Agent.EWN, Android/Spy.Agent.FFE, and Android/Spy.Agent.FFL. Reported infrastructure and sample indicators include the domain arbsniper.com; IPs 178.156.177.192, 191.101.131.250, and 195.160.221.203; and SHA-256 hashes 58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94 and 0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35.
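As an added example (not code from the page's sources or from any vendor tooling), the following Python matches the indicators quoted above against constructed DNS, proxy and EDR log lines; it treats subdomains of a listed domain as hits and compares hashes case-insensitively. The log line format is an assumption.

```python
import re

# Indicators quoted in the profile above (domain, IPs, SHA-256 hashes).
BTMOB_DOMAINS = {"arbsniper.com"}
BTMOB_IPS = {"178.156.177.192", "191.101.131.250", "195.160.221.203"}
BTMOB_SHA256 = {
    "58ac130a8ebb09e37592ac69841483edc5695d1545b1f04f23d5b760ac17cd94",
    "0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def domain_matches(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BTMOB_DOMAINS)


def match_line(line: str) -> list:
    """Return (indicator_type, value) pairs found in one telemetry line."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in BTMOB_SHA256:
            hits.append(("sha256", h.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in BTMOB_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            hits.append(("domain", host.lower()))
    return hits


def scan(lines) -> list:
    """Return (line_number, hits) for every line that touches an indicator."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample telemetry (assumed format, not from any real incident).
SAMPLE_LOGS = [
    "2026-05-03T10:12:01Z dns query client=10.0.0.21 qname=cdn.arbsniper.com type=A",
    "2026-05-03T10:12:02Z proxy client=10.0.0.21 dst=195.160.221.203:443 action=allow",
    "2026-05-03T10:13:40Z edr install pkg=com.example.iptv sha256=58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94",
    "2026-05-03T10:14:00Z dns query client=10.0.0.22 qname=www.example.org type=A",
]
```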
Groups observed using it
2 distinct threat actors attributed by public researchers.
The disclosure coincides with a report from ESET about BTMOB, an Android remote access trojan (RAT) that first emerged in February 2025 with capabilities to unlock devices, capture screenshots, log keystrokes, automate credential theft through HTML injections when certain apps are opened, and enable remote control.
Besides PhantomCard, "Go1ano developer" also claims to be the "trusted partner" of BTMOB, GhostSpy spyware families in Brazil.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
That site redirects victims to a fake app store that looks like Google Play and prompts them to install an APK.
Execution (2 techniques)
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (1 technique)
The infection starts with a phishing message pointing victims to a fake website impersonating a streaming service, a crypto mining platform... That site redirects victims to a fake app store that looks like Google Play... Researchers have already observed campaigns in Argentina impersonating the country’s tax and customs authority, AFIP.
Credential Access (2 techniques)
Collection (5 techniques)
These include the ability to exfiltrate a range of sensitive data, capture screenshots, record activity on the device, and ultimately take remote control of it.
BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it.
BTMOB, an Android remote access trojan (RAT) that first emerged in February 2025 with capabilities to unlock devices, capture screenshots, log keystrokes
Command and Control (3 techniques)
Once installed, BTMOB establishes command-and-control channels to allow real-time remote administration of the device.
Some variants can download additional modules, extending capabilities based on each campaign’s goals.
Intel 471 highlighted activity involving BTMOB, an Android remote access trojan offered through a malware-as-a-service model. The malware was promoted as compatible with Android versions 12 through 16 and included capabilities such as reading messages, executing commands, displaying victim information and accessing device cameras.
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Android remote access trojan offered via a malware-as-a-service model. It can read messages, execute commands, display victim information, and access device cameras, and was distributed through fake IPTV/streaming apps themed around World Cup broadcasts.
Android remote access malware sold as a malware-as-a-service kit with a built-in APK builder. It enables full-device takeover, exfiltrates sensitive data, captures screenshots, records device activity, abuses Android Accessibility Services for elevated permissions, and allows attackers to remotely control infected devices.
An Android remote access Trojan distributed via a malware-as-a-service model with a no-code APK builder. It enables attackers to create malicious banking apps and supports sensitive data exfiltration, screenshot capture, activity recording, abuse of Android Accessibility Services, and full remote control of infected devices.
Android remote access trojan sold as malware-as-a-service. It spreads via phishing and fake app sites, abuses Android accessibility services, enables remote control, screenshot capture, keylogging, device unlocking, and credential theft through HTML injections, including capture of Alipay PINs.