A stealthy RAT burrowing deep into Android units

The malware pairs distant entry capabilities with ready-made marketing campaign instruments, decreasing the barrier for full machine compromise

26 Could 2026
 • 
,
6 min. learn

Our current overview of risk detections in Brazil surfaced BTMOB, an Android distant entry trojan (RAT) that’s much less notable for detection quantity than for the harm it could wreak. The mix of phishing-led supply, ready-made app-building tooling and machine takeover capabilities makes BTMOB a risk to look at properly past Brazil or Latin America.

BTMOB at a look

First described in February 2025, BTMOB has developed from the SpySolr malware. Not like banking trojans, which “solely” goal to steal folks’s monetary credentials or intercept their monetary transactions, BTMOB offers adversaries broader choices: exfiltrate a variety of delicate information, seize screenshots and document exercise on the machine, and finally take distant management of it. The RAT can also be offered with an APK builder interface, permitting anybody to generate new payloads and adapt phishing lures for particular areas at a speedy clip – and with out writing any code.

How does BTMOB unfold?

Unsurprisingly, the whole lot begins with peculiar social engineering. Operators ship victims to phishing web sites that pose as streaming companies, cryptocurrency mining platforms or different acquainted on-line companies. From there, victims are pushed towards faux app shops that mimic respectable repositories and immediate them to put in a malicious APK. Unhealthy actors have additionally been noticed tailoring their lures to particular areas.

As soon as put in, BTMOB seeks in depth entry to the machine. As is widespread today, it abuses Android Accessibility Companies to realize elevated permissions and grant itself additional system entry with out extra person interplay.

Because it’s constructed for the malware-as-a-service (MaaS) financial system, BTMOB is marketed as a software program product, together with by way of a promotional web page on the open internet that funnels potential consumers to a Telegram operator. The gross sales pipeline extends throughout social media platforms, with plenty of accounts on X and Instagram actively peddling the instrument. 

As soon as somebody purchases the malicious equipment, they’ll adapt its options, together with the phishing lures so that they impersonate the model or company most probably to lure victims in any given nation. For instance, researchers Johnk3r and Merl just lately noticed campaigns that unfold BTMOB whereas impersonating Argentina’s tax and customs authorities.

Market dynamics and detection challenges

Even the place builders initially prohibit the instrument to paying clients, the economics stay favorable for attackers. A reported $5,000 lifetime license plus a month-to-month assist payment is low in contrast with the returns a profitable fraud operation can generate.

As well as, the MaaS mannequin additionally lowers the barrier for much less refined adversaries. In January 2026, a darkish internet discussion board claimed to supply BTMOB-related recordsdata without cost obtain. The discussion board later went offline, and our search didn’t recuperate the payload(s), however the episode factors to a well-known danger with industrial malware: entry not often stays contained perpetually and the instrument can transfer into secondary markets by way of resale, barter or sharing inside closed teams. Competing malware households may copy some components that make payload customization and marketing campaign administration simpler for much less expert criminals.

As new variants could be generated shortly, defenders ought to anticipate speedy payload turnover relatively than a secure set of threats. ESET merchandise detect the first instrument as MSIL/BtmobRat, whereas associated Android variants set off detections reminiscent of Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK. Cyble’s report from February 2025 famous that roughly 15 samples of BTMOB v2.5 had been noticed since late January of that yr, i.e., in a mere two or so weeks.

shield your self

A number of primary suggestions will go a great distance towards staying protected from BTMOB and different Android malware:

• Follow the official app retailer: Attackers depend on faux app shops that mimic Google Play. Organizations ought to mandate that customers obtain software program completely from official repositories.
• Deal with hyperlinks with suspicion: Be skeptical of unsolicited hyperlinks delivered by way of e mail, messaging apps, social media, and focused ads.
• Use safety software program: Each people and organizations ought to use cellular safety options and deal with cellular units with the identical rigor as different machines and environments. Company safety groups should make it clear to staff {that a} single rogue obtain might exposes the corporate’s crown jewels.

Indicators of compromise

As a result of BTMOB ‘mutates’ shortly, many indicators could age quickly. However, particular infrastructure patterns typically recur throughout totally different samples and support in triage. 

IP addresses

Hashes – SHA256

ESET detection names