BTMOB Android RAT Enables Remote Control of Devices via Phishing Campaigns

Severity: High (Score: 71.0)

Sources: Cybersecuritynews, Infosecurity-Magazine, Gbhackers

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: android, btmob, malware, through, observed, remote, access

Severity indicators: ot, malware

Summary

The BTMOB Android remote access trojan (RAT) has been identified as a significant threat, allowing cybercriminals to remotely control infected devices. First documented in February 2025, BTMOB is sold under a malware-as-a-service (MaaS) model, enabling even low-skilled attackers to run sophisticated phishing campaigns. The RAT is distributed through phishing sites masquerading as popular services, which lead victims to install malicious APKs. Once installed, BTMOB abuses Android's Accessibility Services to obtain extensive permissions, enabling data exfiltration, screen capture, and device control. ESET researchers noted that BTMOB's commercial packaging lowers the barrier to entry into cybercrime, with a reported $5,000 lifetime license. The malware has already been adapted to impersonate local institutions in various countries, including Argentina. Because variants can be generated rapidly, defenders are advised to remain vigilant and implement robust mobile security measures.

Key Points:

  • BTMOB is a powerful Android RAT enabling remote control of infected devices.
  • The malware is distributed via phishing campaigns targeting users in Brazil and beyond.
  • Its MaaS model allows low-skilled attackers to create custom payloads without coding.

Detailed Analysis

**Impact**

BTMOB targets Android users primarily in Brazil, Argentina, and other countries, affecting both individual and corporate devices. The malware enables full device takeover, risking exfiltration of sensitive data, screenshots, and recordings of on-device activity. Phishing campaigns specifically impersonate financial institutions and streaming and crypto-mining platforms, potentially exposing business-critical information and personal credentials. The MaaS model lowers the entry barrier for criminals, increasing the scale and frequency of infections globally.

**Technical Details**

BTMOB is delivered via phishing campaigns that direct victims to fake app stores hosting malicious APKs. It abuses Android Accessibility Services to escalate privileges without user interaction. The malware includes a no-code APK builder for customized payloads and phishing lures tailored by geography. It evolved from the SpySolr family and operates under a MaaS model, with its command-and-control infrastructure promoted via Telegram, X, and Instagram. No CVEs or specific IOCs were disclosed in the articles.

**Recommended Response**

Users should install Android apps exclusively from official app stores and treat unsolicited links with suspicion. Deploy mobile security solutions capable of detecting unauthorized use of Accessibility Services and of monitoring for suspicious APK installations. Corporate security teams must enforce strict mobile device policies and educate employees on phishing risks. Monitor for rapid payload changes and for phishing sites impersonating local institutions. No specific patches or CVEs were mentioned for immediate application.
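The two checks named in the recommended response, detecting unauthorized use of Accessibility Services and spotting sideloaded APKs, can be performed with the standard Android settings and package-manager data that `adb` exposes. The script below is an added example written for this page; it is not code from ESET or from any of the source articles, and it says nothing about BTMOB's own internals. The `adb` output it parses is constructed sample data embedded inline (the package names `com.streamplus.free` and `com.cryptomine.pro` are invented), and the allowlist of accessibility services and the set of trusted installers are hypothetical values that a real deployment would take from its MDM policy. It also handles the case where no accessibility service is enabled, which `settings get` reports as the literal string `null`.

```python
"""
Defender-side triage of two indicators: accessibility services enabled
outside an allowlist, and third-party packages that did not come from a
trusted store. Both inputs are the text of real adb commands, but the
samples embedded here are constructed, not captured from an infection.
"""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.streamplus.free/com.streamplus.free.svc.AccService"
)

# Constructed sample of: adb shell pm list packages -3 -i  (third-party apps with installer)
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.streamplus.free  installer=null
package:com.bank.example  installer=com.android.vending
package:com.cryptomine.pro  installer=com.android.packageinstaller
"""

# Hypothetical policy values; derive these from your MDM baseline in practice.
ALLOWED_ACCESSIBILITY = {"com.android.talkback", "com.google.android.marvin.talkback"}
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_accessibility_services(raw):
    """Turn the colon-separated settings value into (package, service_class) pairs.

    An unset value is reported by `settings get` as the string 'null'.
    Entries may use the short '.Class' form, which is expanded here.
    """
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # malformed entry; skip rather than crash the sweep
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unauthorized_accessibility(raw, allowlist=ALLOWED_ACCESSIBILITY):
    """Enabled accessibility services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_accessibility_services(raw) if pkg not in allowlist]


def parse_package_list(raw):
    """Map package name -> installer package; 'null' means no recorded installer."""
    result = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            pkg, installer = m.group(1), m.group(2)
            result[pkg] = None if installer == "null" else installer
    return result


def sideloaded_packages(raw, trusted=TRUSTED_INSTALLERS):
    """Third-party packages whose installer is unknown or not a trusted store."""
    return sorted(pkg for pkg, inst in parse_package_list(raw).items() if inst not in trusted)


def triage(accessibility_raw, packages_raw):
    """Combine both signals; a sideloaded app that also holds an
    accessibility service is the strongest single indicator to escalate."""
    rogue = unauthorized_accessibility(accessibility_raw)
    sideloaded = set(sideloaded_packages(packages_raw))
    return {
        "unauthorized_accessibility": rogue,
        "sideloaded": sorted(sideloaded),
        "high_risk": sorted({pkg for pkg, _ in rogue if pkg in sideloaded}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES).items():
        print(f"{key}: {value}")
```

On a managed fleet the same two commands can be run per device over `adb` (or the equivalent MDM inventory export) and fed to `triage`; the `high_risk` list is the set worth immediate follow-up, while `sideloaded` alone is a policy violation rather than proof of compromise.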

Source articles (3)

  • BTMOB Android RAT Spreads Through No — Infosecurity-Magazine · 2026-05-26
    An Android remote access trojan (RAT) that lets buyers build their own custom payloads without writing a line of code has been observed spreading through phishing campaigns across Brazil and beyond. A…
  • BTMOB Malware Allows Cybercriminals to Remotely Hijack Android Phones — Gbhackers · 2026-05-27
    A newly observed Android malware strain, known as BTMOB, is raising concerns among cybersecurity researchers due to its powerful remote access capabilities and ease of deployment. Initially identified…
  • New BTMOB Malware Lets Attackers Remotely Control Android Devices — Cybersecuritynews · 2026-05-27
    New Android malware dubbed BTMOB is arming even low-skilled attackers with full remote control over infected phones by combining a powerful RAT engine with a no-code campaign builder toolkit. The thre…

Timeline

  • 2025-02-01 — BTMOB first documented: ESET researchers identified BTMOB as a new Android RAT with extensive capabilities.
  • 2026-01-01 — Free BTMOB files advertised on dark web: A dark web forum briefly offered BTMOB files for free, highlighting its potential for rapid distribution.
  • 2026-05-26 — ESET warns about BTMOB's spread: ESET released a report detailing BTMOB's phishing distribution methods and capabilities.
  • 2026-05-27 — Gbhackers reports on BTMOB's capabilities: Gbhackers highlighted BTMOB's ability to hijack Android phones and its ease of deployment.
  • 2026-05-27 — Cybersecuritynews covers BTMOB's evolution: Cybersecuritynews reported on BTMOB's rapid evolution and its implications for cybersecurity.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Btmob (Malware)
  • T1566 - Phishing (Mitre Attack)
  • Android (Platform)