BTMOB: A stealthy RAT burrowing deep into Android devices
The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise
26 May 2026

Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for detection volume than for the damage it can wreak. The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America.
BTMOB at a glance
First described in February 2025, BTMOB has evolved from the SpySolr malware. Unlike banking trojans, which “only” aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it. The RAT is also sold with an APK builder interface, allowing anyone to generate new payloads and adapt phishing lures for specific regions at a rapid clip – and without writing any code.

Figure 1. BTMOB APK creation tool
How does BTMOB spread?
Unsurprisingly, everything starts with ordinary social engineering. Operators send victims to phishing websites that pose as streaming services, cryptocurrency mining platforms or other familiar online services. From there, victims are pushed toward fake app stores that mimic legitimate repositories and prompt them to install a malicious APK. Bad actors have also been spotted tailoring their lures to specific regions.
Once installed, BTMOB seeks extensive access to the device. As is common among current Android malware, it abuses Android Accessibility Services: once the victim grants that one permission, the malware can read what is on screen and tap through subsequent permission prompts on its own, so it can grant itself further system access without the user being asked again.
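The accessibility abuse described above leaves a footprint a defender can check for: a sideloaded package that holds an enabled Accessibility Service. The following triage helper is an added example, not ESET's code or part of the BTMOB report. It parses the text of two adb queries that an MDM or an analyst can collect (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags accessibility services belonging to packages that were not installed by the official store. The package names, the allowlist and the sample outputs are constructed for the example.

```python
"""Triage helper (added example, not ESET code): flag sideloaded apps
that hold an enabled Accessibility Service on an Android device.

Inputs are the text of two adb queries, pasted or collected via MDM:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
Package names, allowlist and the sample outputs below are constructed.
"""
from dataclasses import dataclass

# Installer package names that count as the official store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Accessibility services a fleet legitimately allows (assumed allowlist).
ALLOWED_A11Y_PACKAGES = {
    "com.google.android.marvin.talkback",
}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: str


def parse_enabled_services(setting_value: str) -> dict[str, str]:
    """Parse the colon-separated 'pkg/ServiceClass' list into {pkg: class}."""
    services: dict[str, str] = {}
    value = setting_value.strip()
    if not value or value == "null":
        return services
    for entry in value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        # Android abbreviates a class living in its own package as '.Name'.
        if cls.startswith("."):
            cls = pkg + cls
        services[pkg] = cls
    return services


def parse_installers(pm_output: str) -> dict[str, str]:
    """Parse 'package:<pkg>  installer=<installer>' lines into {pkg: installer}."""
    installers: dict[str, str] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        # A missing or 'null' installer means the app was sideloaded or
        # installed by the system image, not by a store.
        installers[pkg.strip()] = rest.strip() or "null"
    return installers


def find_suspicious_services(setting_value: str, pm_output: str,
                             allowed=ALLOWED_A11Y_PACKAGES,
                             trusted=TRUSTED_INSTALLERS) -> list[Finding]:
    """Return enabled accessibility services owned by non-allowlisted
    packages that did not come from a trusted installer."""
    findings = []
    installers = parse_installers(pm_output)
    for pkg, cls in parse_enabled_services(setting_value).items():
        if pkg in allowed:
            continue
        installer = installers.get(pkg, "unknown")
        if installer not in trusted:
            findings.append(Finding(pkg, cls, installer))
    return findings


# Constructed sample: one legitimate screen reader plus a sideloaded
# "streaming player" that has enabled its own accessibility service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.stream.player/.AccessService"
)
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.stream.player  installer=null
"""

if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"SUSPICIOUS {f.package} ({f.service}) installed by {f.installer}")
```

The check deliberately keys on the combination of "has an accessibility service enabled" and "not installed from the store", because either signal alone produces too many benign hits (screen readers, password managers). In a fleet where sideloading is banned outright, drop the installer test and flag every package outside the allowlist.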

Since it’s built for the malware-as-a-service (MaaS) economy, BTMOB is marketed as a software product, including through a promotional page on the open web that funnels prospective buyers to a Telegram operator. The sales pipeline extends across social media platforms, with a number of accounts on X and Instagram actively peddling the tool.


Once someone purchases the kit, they can adapt its features, including the phishing lures, so that they impersonate the brand or agency most likely to draw in victims in a given country. For example, researchers Johnk3r and Merl recently spotted campaigns spreading BTMOB while impersonating Argentina's tax and customs authorities.

Market dynamics and detection challenges
Even where developers initially restrict the tool to paying customers, the economics remain favorable for attackers. A reported $5,000 lifetime license plus a monthly support fee is low compared with the returns a successful fraud operation can generate.
The MaaS model also lowers the barrier for less sophisticated adversaries. In January 2026, a dark web forum claimed to offer BTMOB-related files for free download. The forum later went offline, and our search didn't recover the payload(s), but the episode points to a familiar risk with commercial malware: access rarely stays contained forever, and the tool can move into secondary markets through resale, barter or sharing inside closed groups. Competing malware families can also copy the elements that make payload customization and campaign management easier for less skilled criminals.
As new variants can be generated quickly, defenders should expect rapid payload turnover rather than a stable set of threats. ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK. Cyble's report from February 2025 noted that roughly 15 samples of BTMOB v2.5 had been spotted since late January of that year, i.e., within roughly two weeks.
How to protect yourself
A few basic tips will go a long way toward staying safe from BTMOB and other Android malware:
- Stick to the official app store: Attackers rely on fake app stores that mimic Google Play. Organizations should mandate that users download software exclusively from official repositories.
- Treat links with suspicion: Be skeptical of unsolicited links delivered via email, messaging apps, social media, and targeted advertisements.
- Use security software: Both individuals and organizations should use mobile security solutions and treat mobile devices with the same rigor as other machines and environments. Corporate security teams must make it clear to employees that a single rogue download could expose the company's crown jewels.
Indicators of compromise
Because BTMOB 'mutates' quickly, many indicators may age rapidly. Nevertheless, specific infrastructure patterns often recur across different samples and aid in triage. Note that several of the addresses below sit in ranges registered to large shared providers such as Google and Cloudflare; block the domain and the hashes first, and treat shared-infrastructure IPs as triage context rather than as blocklist entries.
IP addresses and domains
| Network indicator |
|---|
| 74.125.202.103 |
| 142.251.183.138 |
| 173.194.193.138 |
| 173.194.206.106 |
| 178.156.177.192 |
| 191.101.131.250 |
| 195.160.221.203 |
| 104.21.64.137 |
| 173.194.194.94 |
| 191.96.224.87 |
| 191.96.225.241 |
| 191.96.78.172 |
| 191.96.78.28 |
| 191.96.79.133 |
| 191.96.79.179 |
| 191.96.79.41 |
| 192.178.209.95 |
| 200.9.155.153 |
| 74.125.132.95 |
| 78.135.93.123 |
| 79.133.57.141 |
| arbsniper.com |
Hashes – SHA256
| Hash Value |
|---|
| 58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94 |
| 0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35 |
| A764D73795ABE47AE640BA09999A18C47B5340E5ECC7B897AFEBF34F3F37638F |
| 26A2268281E8043125EF72B92F8980B42912048753D56894BC378FB54C7C188A |
| 6AE94CE710016D86ED7457236DEEF2C4C51478587F3609B6E827A348828B3931 |
| E5A9FDFF900DD502E8F3DCE52D2D1B69AA9AFAFB5094A28F9037E8770DB0E63B |
| C6199E175FB988CBBEACDF0F5ACDF9ED83F5BDAAE5C95B7A6C27EE72CD11B0B1 |
| 6BBA64FA9E8A7B11CB2476CD071DE08986DB44B0783EFF211C68FA5594EF8143 |
| 5AAAF972C8BF39A98F2748E526DE3CC0370BA831997D7D9765CDABA599645C0D |
| DDCE0219923D152B8FACD303F058A6286CF1F6924992B9FB9F5BF4D96436CC39 |
| D55057CD9110D12A192281356F06B94F342B9FEBB305CF0A5898A7E6AF40758F |
| 676CB2D0A60403AFC06CEA1B572CB7261F706365FAC65621B5A4907893E7AC0D |
| 75DD4FB011ED598374A46FC0D9C0D1D64A298341C34AFC83A56A6983CFD27764 |
| 702261BA38B57ECC3A5407FED28B2F0611A74C2EC0C116AEA4F9E6DEF0899AED |
| 998A7ED1572AD9DC11375BC25294E1954E606B7CFF9FABC5C120713E597CD274 |
| 244D81FD9908CD17815501D4EDADEB1BAF1C421AA25D8BD61C7CB481C939540E |
| 512EDE9F2FA794907999F3C26165557FDFD383B7AAD71BA022CE2C8BA6C0019D |
| 7AC974899E8E05AAACD417577C97E382D5E8C5F7F4A85632CFFB47EC2F6AE4E0 |
| 168F50BF9A87099094EF410E3AC33E676A6A8740A5437CD09E7B63D73DF8431A |
| 2525D1E427A9983B0B4CA0906A4B44FFB9814B23D53FD8A2E3AB6512B027C733 |
| 6101D1E1811DB052F869F7EB3402DAD28DA7E92103D4A44EE43F95846A075012 |
| 1A60CB5F7E2FB7C09FC3DC8459108B26AC98EE73131F37A28CFDAD5FC75B7A7D |
| 97A0497DE585D3BE6EC75064AB3BD0979CD85561193C1F0669CCF4DB31330687 |
| 02A52C4CC11748D44C9B49D508EE4E46425661981FA1406F30EC0830CB69DDC5 |
| 6F9832EBB4C3054BEE4A6CE5CCB69C00E2020053E1308353343097E6A4041109 |
| F76B13040C634F82A8332FF9443D84C89A5BCED51AE9ADAD7FD15C05FADB4324 |
| C99139B0053C4C698EA0246D26D747F2A984C7ABA4613DA818ECD9F97899EF3A |
| 8F09274E808E0063D51F34CAC82A5770B3DF30C792E426DA2F6A80657F27AFFC |
| 140A7F995B0336942691A2E93E2017FD575267C017C7D0728D69169306F91963 |
| A1E457C52EAB430C20D48F2AC476E080386313F16EFB135A0471902CF68CE475 |
| 5A4E86BBCF0EBC455D2995DB225D9AD682E9B37B6BAD472A604A462099D988BD |
| A892F1EF2E530D67BF948A48C734DA3F27718EB8B883CA0B686DDB0A81071731 |
| AA56F350882CE63429C6626567487B041F06168BB60F4FC371A262EABADFA660 |
| 752C1CFE783ED343E470AB95A4843A23872CDC98B7D3ED5633DD6C881C071A14 |
| 0628AD6D1FD836B13B22E75FA169502D8CE78B7AD20F0261EB5151DA98437BCA |
| 6844CE1539014571360495C6FB50965E813C2721663BDD40D577D9E5163773C6 |
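Indicator lists like the ones above are usually pasted into a blocklist as-is, which is how duplicated hashes and shared-provider IPs end up in production rules. The following helper is an added example, not part of the ESET report: it takes a raw indicator dump (IPs, domains and SHA-256 hashes mixed together), validates and deduplicates the hashes, separates domains from IPs, and sets aside IPs that fall inside ranges registered to large shared providers so they are used only for triage. The provider ranges are a small assumed subset for illustration, not an authoritative allocation table, and the sample text is constructed from a few of the indicators listed above.

```python
"""IoC triage helper (added example, not part of the ESET report).

Takes a raw indicator dump (IPs, domains, SHA-256 hashes, table debris)
and returns validated, deduplicated sets split by how they should be used.
The shared-provider ranges are an assumed subset for illustration only.
"""
import ipaddress
import re

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Simple hostname check: labels of letters/digits/hyphens, a dotted TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# Assumed shared-provider ranges; replace with a real allocation feed.
SHARED_RANGES = [ipaddress.ip_network(n) for n in (
    "74.125.0.0/16",    # Google
    "142.250.0.0/15",   # Google
    "173.194.0.0/16",   # Google
    "192.178.0.0/15",   # Google
    "104.16.0.0/13",    # Cloudflare
)]


def is_shared_infrastructure(addr: ipaddress._BaseAddress) -> bool:
    """True if the address sits inside one of the assumed provider ranges."""
    return any(addr in net for net in SHARED_RANGES)


def classify(raw_text: str) -> dict[str, list[str]]:
    """Split a raw indicator dump into usable buckets.

    hashes     - valid SHA-256, lowercased, deduplicated
    domains    - hostnames suitable for DNS/proxy blocking
    block_ips  - addresses outside shared-provider ranges
    shared_ips - addresses inside shared-provider ranges (triage only)
    rejected   - tokens that are none of the above (headers, typos)
    """
    result: dict[str, list[str]] = {
        "hashes": [], "domains": [], "block_ips": [], "shared_ips": [], "rejected": [],
    }
    seen: set[str] = set()
    # Markdown table pipes and whitespace both act as separators.
    for token in re.split(r"[\s|]+", raw_text):
        token = token.strip()
        if not token or token.startswith("-"):   # skip '---' separator rows
            continue
        key = token.lower()
        if key in seen:                          # drop duplicates (case-insensitive)
            continue
        seen.add(key)
        if SHA256_RE.match(token):
            result["hashes"].append(key)
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            if DOMAIN_RE.match(token):
                result["domains"].append(key)
            else:
                result["rejected"].append(token)
            continue
        if is_shared_infrastructure(addr):
            result["shared_ips"].append(token)
        else:
            result["block_ips"].append(token)
    return result


# Constructed sample: a few of the page's indicators, table debris,
# a duplicated hash and a malformed entry.
SAMPLE = """
| 74.125.202.103 | 191.96.78.28 | 104.21.64.137 | arbsniper.com |
| Hash Value |
|---|
| 5AAAF972C8BF39A98F2748E526DE3CC0370BA831997D7D9765CDABA599645C0D |
| 5AAAF972C8BF39A98F2748E526DE3CC0370BA831997D7D9765CDABA599645C0D |
| not-a-hash |
"""

if __name__ == "__main__":
    for bucket, items in classify(SAMPLE).items():
        print(f"{bucket}: {items}")
```

Feeding the full lists above through `classify` yields one blocklist-ready domain, a deduplicated hash set, and a split between IPs you can block and IPs that are better used as pivots in proxy or DNS logs. Keep the shared-range table current, or the split silently degrades as providers renumber.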
ESET detection names
| Detection name |
|---|
| Android/Agent.FQK |
| Android/TrojanDropper.Agent.NES |
| Android/Spy.Agent.EIJ |
| Android/Spy.Agent.EIK |
| Android/TrojanDropper.Agent.NDK |
| Android/Spy.Spysolr.A |
| Android/Spy.Agent.EUG |
| Android/Spy.Agent.EWN |
| Android/Spy.Agent.FFE |
| Android/Spy.Agent.FFL |
| Android/Spy.Agent.ELM |
| Android/Spy.Agent.FFM |
| Android/Spy.Agent.FEE |
| Android/TrojanDropper.Agent.NBO |

