New BTMOB Malware Lets Attackers Remotely Control Android Devices
Cybersecurity NewsArchived May 27, 2026✓ Full text saved
New Android malware dubbed BTMOB is arming even low-skilled attackers with full remote control over infected phones by combining a powerful RAT engine with a no-code campaign builder toolkit. The threat, first seen in 2025, is now evolving rapidly through a malware-as-a-service (MaaS) model and active phishing campaigns worldwide. BTMOB is an Android remote access […] The post New BTMOB Malware Lets Attackers Remotely Control Android Devices appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeAndroid
New BTMOB Malware Lets Attackers Remotely Control Android Devices
By Abinaya
May 27, 2026
New Android malware dubbed BTMOB is arming even low-skilled attackers with full remote control over infected phones by combining a powerful RAT engine with a no-code campaign builder toolkit.
The threat, first seen in 2025, is now evolving rapidly through a malware-as-a-service (MaaS) model and active phishing campaigns worldwide.
BTMOB is an Android remote access trojan (RAT) that evolved from the SpySolr family and was first documented in early 2025.
Unlike classic banking trojans focused only on financial data, BTMOB is designed for full device surveillance and control.
BTMOB APK creation tool (source :.welivesecurity)
The malware can exfiltrate a wide range of sensitive data, capture screenshots, record on-device activity, and give operators persistent remote access to the compromised phone.
Researchers note that its capabilities rival those of desktop-grade RATs, making it a high-impact threat to both consumers and enterprises.
A key feature that sets BTMOB apart is its commercial packaging as a MaaS product with an integrated APK builder.
Buyers can generate new malicious APK payloads and customize phishing lures for specific countries without writing any code, drastically lowering the barrier to entry.
The tool is marketed via a promotional page on the open web that funnels buyers to Telegram, along with seller accounts on social platforms like X and Instagram.
X profile linked to the malware(source :.welivesecurity)
Reports indicate lifetime licenses around 5,000 USD, a relatively low cost compared to the potential fraud profits a successful campaign can generate.
BTMOB Malware Hijacks Android Devices
BTMOB relies heavily on social engineering and phishing-led delivery. Operators steer victims to phishing sites that impersonate streaming services, cryptocurrency platforms, or other familiar brands, then redirect them to fake app stores pushing malicious APKs.
Attackers adapt lures to local contexts, including campaigns spoofing tax or government agencies in countries such as Argentina and other regions highlighted by national cyber agencies.
BTMOB impersonates an Argentine government agency(source :.welivesecurity)
Once the victim sideloads the APK, the malware requests extensive permissions and abuses Android’s Accessibility Services to grant itself additional privileges silently.
Once installed, BTMOB establishes command-and-control channels to allow real-time remote administration of the device.
Operators can view the screen, interact with apps, harvest credentials through overlays, intercept messages, and exfiltrate files and device data.
By weaponizing Accessibility Services, BTMOB can manipulate UI elements, approve permissions, and execute actions without user interaction, while also conducting overlay attacks against banking and payment apps to steal credentials and one-time codes.
Fake app store and malicious apps (source :.welivesecurity)
Some variants can download additional modules, extending capabilities based on each campaign’s goals.
Because BTMOB is sold as a builder-based MaaS platform, new payload variants can be generated quickly, enabling rapid turnover of indicators of compromise (IOCs).
Infrastructure IOCs
Domains
arbsniper[.]com
IP Addresses
74.125.202[.]103
142.251.183[.]138
173.194.193[.]138
173.194.206[.]106
178.156.177[.]192
191.101.131[.]250
195.160.221[.]203
104.21.64[.]137
173.194.194[.]94
191.96.224[.]87
191.96.225[.]241
191.96.78[.]172
191.96.78[.]28
191.96.79[.]133
191.96.79[.]179
191.96.79[.]41
192.178.209[.]95
200.9.155[.]153
74.125.132[.]95
78.135.93[.]123
79.133.57[.]141
File Hash IOCs
SHA256 Hashes
58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94
0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35
A764D73795ABE47AE640BA09999A18C47B5340E5ECC7B897AFEBF34F3F37638F
26A2268281E8043125EF72B92F8980B42912048753D56894BC378FB54C7C188A
6AE94CE710016D86ED7457236DEEF2C4C51478587F3609B6E827A348828B3931
E5A9FDFF900DD502E8F3DCE52D2D1B69AA9AFAFB5094A28F9037E8770DB0E63B
C6199E175FB988CBBEACDF0F5ACDF9ED83F5BDAAE5C95B7A6C27EE72CD11B0B1
6BBA64FA9E8A7B11CB2476CD071DE08986DB44B0783EFF211C68FA5594EF8143
5AAAF972C8BF39A98F2748E526DE3CC0370BA831997D7D9765CDABA599645C0D
DDCE0219923D152B8FACD303F058A6286CF1F6924992B9FB9F5BF4D96436CC39
Detection IOCs
ESET Signatures
Android/Agent.FQK
Android/TrojanDropper.Agent.NES
Android/Spy.Agent.EIJ
Android/Spy.Agent.EIK
Android/TrojanDropper.Agent.NDK
Android/Spy.Spysolr.A
Android/Spy.Agent.EUG
Android/Spy.Agent.EWN
Android/Spy.Agent.FFE
Android/Spy.Agent.FFL
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Security vendors have observed multiple versions, including BTMOB v2.5, within short timeframes, as operators iterate on payloads and evasion techniques.
BTMOB offer on the surface web(source :.welivesecurity)
According to WeLiveSecurity by ESET in a report shared with Cyber Security News, BTMOB-related samples are detected under families such as MSIL/BtmobRat and multiple Android/Spy.Agent or Android/TrojanDropper signatures, reflecting links to earlier SpySolr-based malware.
Analysts warn that leaked or pirated copies circulating on forums could further broaden access and inspire copycat toolchains.
How Can Stay Safe
Defenders are urged to enforce strict app-sourcing policies and raise user awareness.
Organizations should mandate installation only from official stores, block sideloading where possible, and train users to treat unsolicited links and “free” streaming or crypto apps with skepticism.
Mobile security solutions with behavioral detection and accessibility-abuse monitoring can help spot BTMOB-like threats.
While enterprises should treat smartphones as high-value endpoints, they should apply the same logging, EDR-style monitoring, and incident response playbooks used for laptops and servers.
Given BTMOB’s builder-driven evolution, defenders should combine up-to-date IOCs with anomaly-based detection to keep pace with new variants.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files
Anthropic’s Claude Mythos Preview Uncovers 10,000+ 0-Days in Project Glasswing
Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand
Windows Server 2016 Domain Controller May Fail with 15-Character Hostname
Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections
Latest News
Cyber Security News
GitHub Enterprise Server 3.20.3 Released With Fox for Critical Vulnerabilities
Cyber Security News
Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters
Press Release
Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon
Cyber Security News
Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading
Uncategorized
ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls