What BTMOB Actually Is
Here's the thing most threat briefings skip: BTMOB isn't a new trojan. It's an evolution of the SpySolr family, repackaged as a commercial service with a builder interface that strips away every barrier between the malware author and the end user. You don't need to write code. You don't need a compiler. You pick permissions, choose behaviors, and the platform spits out an APK ready to drop on a victim's phone.
ESET researcher Daniel Cunha Barbosa documented the current iteration in May 2026, but Cyble's CRIL team first flagged BTMOB v2.5 back in February 2025 — roughly a dozen new samples appearing across a two-week window, which tells you the operator was shipping actively. ANYRUN had already analyzed early samples by that point. This isn't a hobbyist project. It's a maintained, evolving product.
The distinction matters because most Android RATs you'll read about are banking-focused — they siphon credentials and move on. BTMOB goes further. It's a full device takeover platform with live screen sharing, keylogging, audio recording, file exfiltration, and JavaScript-based web injection. That's not a credential stealer. That's a remote control panel with a phone attached.
And it's sold openly on the clear web. There's a promotional landing page that links directly to private Telegram channels where transactions happen. No dark web obfuscation. No invitation-only forums. Just a storefront and a price tag.
For context on how Android trojans continue to evolve toward full device control, see our analysis of the Rokarolla Android Trojan, which combines banking fraud with surveillance capabilities through similar distribution vectors.
The APK Builder — No Code Required
The builder interface is where BTMOB separates itself from the typical MaaS offerings. Buyers get a GUI where they select which permissions the APK requests at install time — standard Android permission dialogs, nothing exotic. Then they define runtime behaviors: disable Google Play so the victim can't uninstall through normal channels, hide the app icon from the launcher, prevent the device from entering sleep mode so the malware stays active.
ESET's reporting makes clear that this customization extends to the phishing lures themselves. "Once someone purchases the malicious kit, they can adapt its features, including the phishing lures so they impersonate the brand or agency most likely to lure victims in any given country," the researchers wrote. That's not a minor feature. It means a single operator can run parallel campaigns targeting Brazil with one lure set and Argentina with another, all from the same panel.
I've seen what this kind of builder does to detection timelines. Static signatures chase the APK hash. But when every buyer generates a unique payload with different permission combinations and embedded lure content, the hash space explodes. You're not hunting one malware family anymore — you're hunting thousands of variants that all share the same C2 logic but look completely different on disk. That's why single-layered AV defenses keep missing this stuff.
Pricing and the Telegram Sales Model
The economics are almost insulting in their simplicity. ESET reports two tiers: a $700 monthly subscription, or a $5,000 lifetime license with ongoing support at roughly $300 per month on top. Cyble's analysis puts the monthly figure in that range as well. Against the proceeds of a successful fraud operation — and we're talking full device compromise with access to banking apps, messaging credentials, and personal data — that's pocket change.
Sales happen in private Telegram channels. The clear-web promotional page exists purely for discovery — it's the equivalent of a business card at a networking event. You find the page, you join the channel, you transact. There's also promotion through X and Instagram accounts, which is unusual for this tier of operation but makes sense if your target audience is mobile-savvy criminals who already live on those platforms.
There was a notable incident in January 2026 when a dark web forum briefly offered BTMOB files for free download before the listing went offline. ESET noted this as evidence of secondary market risk — once the binary circulates outside the operator's control, you lose visibility into which variants are in the wild and who's running them. Free copies don't get support, but they do get shared.
The lifetime license model is worth paying attention to. It means an operator pays once and gets indefinite access, including whatever updates the developer pushes. That's a different risk profile than monthly subscriptions, where churn naturally limits the attacker's window.
How Victims Actually Get Infected
BTMOB spreads through phishing websites that impersonate legitimate services. ESET and Cyble have documented campaigns targeting streaming platforms — one sample, lnat-tv-pro.apk, was distributed through a portal mimicking iNat TV in Turkey (the domain tvipguncelpro[.]com). Other campaigns impersonate cryptocurrency mining platforms and fake Google Play stores.
The flow is consistent: victim lands on a phishing page, gets redirected to a portal that looks like Google Play, and is prompted to download a fake app. The APK installs, requests permissions through the standard Android dialog, and the builder-configured behaviors kick in.
Researchers Johnk3r and Merl identified campaigns specifically targeting Argentina, where the lures impersonated government tax and customs authorities. That's a high-trust vector — people expect official communications from revenue agencies, and the urgency of a tax notice overrides normal caution. Combined with the builder's ability to localize lures per campaign, you've got a system designed for geographic precision.
The primary theater of operations remains Brazil and Latin America, but the architecture doesn't prevent expansion. The builder handles localization. The Telegram sales model handles distribution to new operators in different regions. There's nothing in the current design that locks this to a single geography.
Technical Architecture and C2 Communication
Once installed, BTMOB abuses Android Accessibility Services to escalate privileges. This is the critical technical detail that makes the malware particularly dangerous: Accessibility Services are designed to help users with disabilities interact with their devices, but they grant the hosting app the ability to observe and interact with all other UI elements on screen. BTMOB leverages this to gain elevated permissions without triggering additional user prompts.
The command-and-control layer uses WebSocket-based communication. Cyble identified the C2 endpoint at hxxp://server[.]yaarsa.com/con, running version BT-v2.5 of the protocol. ESET cataloged 16 server-side commands across the observed samples:
- optns — options/configuration retrieval
- fetch — data extraction requests
- brows — browser session control
- lock — device locking with custom PIN
- ject — JavaScript injection into web views
- file — file system operations
- clip — clipboard monitoring and exfiltration
- chat — messaging app interception
- wrk — workspace/process management
- srh — search functionality across device data
- mic — audio recording activation
- add — additional module installation
- bc — broadcast commands to multiple infected devices
- upload — file upload to C2
- screen — live screen capture
- scread — screen reading (likely OCR or content extraction)
That last command, scread, is particularly interesting. It suggests the malware can extract textual content from what's displayed on screen — effectively reading your banking app, your messaging apps, your email — without needing to hook into those apps directly. The Accessibility Services abuse makes this possible.
The WebSocket approach means persistent, low-latency communication that's harder to detect than periodic HTTP polling. And the 16-command surface area tells you this is a mature codebase — operators aren't asking for features they haven't built yet. They're using what's there.
Detection Landscape and Indicators
ESET assigns multiple detection names to BTMOB variants: MSIL/BtmobRat for the primary tooling, plus Android/Spy.Agent.EED, Android/Spy.Agent.EIJ, and Android/Spy.Agent.EIK for the Android payloads themselves. Additional detections include Android/Agent.FQK, Android/TrojanDropper.Agent.NES, and the legacy Android/Spy.Spysolr.A classification that reflects its lineage.
The rapid mutation cycle ESET describes is the core detection challenge. New samples appear frequently, each with different hashes and slightly different permission profiles, but they share recurring infrastructure patterns. Cyble's observation of ~15 samples in a two-week window at v2.5 suggests the operator was pushing updates regularly during that period.
For defenders, the recurring infrastructure is the anchor. The yaarsa.com C2 domain, the WebSocket protocol structure, and the Accessibility Services abuse pattern are consistent across variants. Hash-based detection will always be a game of catch-up, but behavioral indicators — an app requesting Accessibility Services and then silently establishing WebSocket connections to external hosts — are harder to evade.
The keylogging capability combined with the scread function means that even if you don't catch the initial install, the post-compromise telemetry can reveal the presence of BTMOB on a device through anomalous network patterns and unexpected Accessibility Services usage.
What Defenders Should Actually Do
The recommendations from ESET and BleepingComputer are standard mobile hygiene, but they're worth stating explicitly because people treat their phones differently than their computers.
Install apps only from the official Google Play Store. I know this sounds obvious, but the phishing campaigns work precisely because they mimic Google Play's interface closely enough to bypass casual scrutiny. If you see an APK download prompt on a website — any website other than Play Store — that's your red line.
Run Play Protect scans regularly. It won't catch every variant, but it adds a layer that the builder's rapid mutation cycle hasn't fully overcome yet.
Audit your Accessibility Services permissions. This is the single most impactful action a user can take. If an app you installed doesn't explicitly need Accessibility Services — and most apps don't — revoke that permission. BTMOB's entire privilege escalation chain depends on this access.
Treat unsolicited links with the same suspicion you'd give an email attachment. The phishing portals for BTMOB operate through links shared via messaging apps, social media, and email. If you didn't initiate the download, don't install it.
From a detection standpoint, monitor for Accessibility Services abuse patterns and WebSocket connections from unexpected Android packages. The behavioral signal is stronger than the hash signal for this family, and that's where your detection effort should focus.
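One way to turn that behavioral signal into a check, as an added example that is not from ESET, Cyble or the BTMOB reporting: correlate the packages holding Accessibility access (the real colon-separated format returned by `adb shell settings get secure enabled_accessibility_services`) with WebSocket upgrades seen in an egress log. The package name com.inat.tvpro, the log line format and both allowlists are constructed for the example; the server.yaarsa.com host and /con path are the indicators quoted above.

```python
import re

# Constructed sample of `settings get secure enabled_accessibility_services`
# output: colon-separated package/service pairs. TalkBack is a real benign
# service; the second package is a constructed stand-in for a fake TV app.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.inat.tvpro/com.inat.tvpro.AccService"
)

# Constructed egress log lines in a hypothetical key=value format, one
# connection per line; upgrade=websocket marks an HTTP Upgrade to WebSocket.
EGRESS_LOG = """\
2025-02-14T10:01:02Z pkg=com.android.chrome host=www.google.com path=/ upgrade=-
2025-02-14T10:01:09Z pkg=com.inat.tvpro host=server.yaarsa.com path=/con upgrade=websocket
2025-02-14T10:02:11Z pkg=com.whatsapp host=g.whatsapp.net path=/ws upgrade=websocket
"""

# Constructed allowlists: packages expected to use Accessibility, and
# (package, host) pairs expected to hold long-lived WebSocket sessions.
A11Y_ALLOWLIST = {"com.google.android.marvin.talkback"}
WS_ALLOWLIST = {("com.whatsapp", "g.whatsapp.net")}

LOG_RE = re.compile(r"pkg=(\S+) host=(\S+) path=(\S+) upgrade=(\S+)")


def a11y_packages(setting: str) -> set[str]:
    """Packages that currently have an accessibility service enabled."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def websocket_peers(log: str) -> dict[str, set[str]]:
    """Map each package to the hosts it opened WebSocket sessions with."""
    peers: dict[str, set[str]] = {}
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(4).lower() != "websocket":
            continue
        peers.setdefault(m.group(1), set()).add(m.group(2))
    return peers


def suspicious_packages(setting: str, log: str) -> dict[str, set[str]]:
    """Packages holding Accessibility access AND talking WebSocket to hosts
    not on the allowlist; returns {package: {hosts}} for triage."""
    flagged: dict[str, set[str]] = {}
    ws = websocket_peers(log)
    for pkg in a11y_packages(setting) - A11Y_ALLOWLIST:
        hosts = {h for h in ws.get(pkg, set()) if (pkg, h) not in WS_ALLOWLIST}
        if hosts:
            flagged[pkg] = hosts
    return flagged
```

In a real deployment the two inputs would come from an MDM or EDR agent rather than constructed strings, and the allowlists from your own inventory of apps that legitimately need Accessibility.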