CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

New BTMOB Malware Lets Attackers Remotely Control Android Devices

Cybersecurity News Archived May 27, 2026 ✓ Full text saved

New Android malware dubbed BTMOB is arming even low-skilled attackers with full remote control over infected phones by combining a powerful RAT engine with a no-code campaign builder toolkit. The threat, first seen in 2025, is now evolving rapidly through a malware-as-a-service (MaaS) model and active phishing campaigns worldwide. BTMOB is an Android remote access […] The post New BTMOB Malware Lets Attackers Remotely Control Android Devices appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeAndroid New BTMOB Malware Lets Attackers Remotely Control Android Devices By Abinaya May 27, 2026 New Android malware dubbed BTMOB is arming even low-skilled attackers with full remote control over infected phones by combining a powerful RAT engine with a no-code campaign builder toolkit. The threat, first seen in 2025, is now evolving rapidly through a malware-as-a-service (MaaS) model and active phishing campaigns worldwide. BTMOB is an Android remote access trojan (RAT) that evolved from the SpySolr family and was first documented in early 2025. Unlike classic banking trojans focused only on financial data, BTMOB is designed for full device surveillance and control. BTMOB APK creation tool (source :.welivesecurity) The malware can exfiltrate a wide range of sensitive data, capture screenshots, record on-device activity, and give operators persistent remote access to the compromised phone. Researchers note that its capabilities rival those of desktop-grade RATs, making it a high-impact threat to both consumers and enterprises. A key feature that sets BTMOB apart is its commercial packaging as a MaaS product with an integrated APK builder. Buyers can generate new malicious APK payloads and customize phishing lures for specific countries without writing any code, drastically lowering the barrier to entry. The tool is marketed via a promotional page on the open web that funnels buyers to Telegram, along with seller accounts on social platforms like X and Instagram.  X profile linked to the malware(source :.welivesecurity) Reports indicate lifetime licenses around 5,000 USD, a relatively low cost compared to the potential fraud profits a successful campaign can generate. BTMOB Malware Hijacks Android Devices BTMOB relies heavily on social engineering and phishing-led delivery. Operators steer victims to phishing sites that impersonate streaming services, cryptocurrency platforms, or other familiar brands, then redirect them to fake app stores pushing malicious APKs. Attackers adapt lures to local contexts, including campaigns spoofing tax or government agencies in countries such as Argentina and other regions highlighted by national cyber agencies. BTMOB impersonates an Argentine government agency(source :.welivesecurity) Once the victim sideloads the APK, the malware requests extensive permissions and abuses Android’s Accessibility Services to grant itself additional privileges silently. Once installed, BTMOB establishes command-and-control channels to allow real-time remote administration of the device. Operators can view the screen, interact with apps, harvest credentials through overlays, intercept messages, and exfiltrate files and device data. By weaponizing Accessibility Services, BTMOB can manipulate UI elements, approve permissions, and execute actions without user interaction, while also conducting overlay attacks against banking and payment apps to steal credentials and one-time codes. Fake app store and malicious apps (source :.welivesecurity) Some variants can download additional modules, extending capabilities based on each campaign’s goals. Because BTMOB is sold as a builder-based MaaS platform, new payload variants can be generated quickly, enabling rapid turnover of indicators of compromise (IOCs). Infrastructure IOCs Domains arbsniper[.]com IP Addresses 74.125.202[.]103 142.251.183[.]138 173.194.193[.]138 173.194.206[.]106 178.156.177[.]192 191.101.131[.]250 195.160.221[.]203 104.21.64[.]137 173.194.194[.]94 191.96.224[.]87 191.96.225[.]241 191.96.78[.]172 191.96.78[.]28 191.96.79[.]133 191.96.79[.]179 191.96.79[.]41 192.178.209[.]95 200.9.155[.]153 74.125.132[.]95 78.135.93[.]123 79.133.57[.]141 File Hash IOCs SHA256 Hashes 58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94 0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35 A764D73795ABE47AE640BA09999A18C47B5340E5ECC7B897AFEBF34F3F37638F 26A2268281E8043125EF72B92F8980B42912048753D56894BC378FB54C7C188A 6AE94CE710016D86ED7457236DEEF2C4C51478587F3609B6E827A348828B3931 E5A9FDFF900DD502E8F3DCE52D2D1B69AA9AFAFB5094A28F9037E8770DB0E63B C6199E175FB988CBBEACDF0F5ACDF9ED83F5BDAAE5C95B7A6C27EE72CD11B0B1 6BBA64FA9E8A7B11CB2476CD071DE08986DB44B0783EFF211C68FA5594EF8143 5AAAF972C8BF39A98F2748E526DE3CC0370BA831997D7D9765CDABA599645C0D DDCE0219923D152B8FACD303F058A6286CF1F6924992B9FB9F5BF4D96436CC39 Detection IOCs ESET Signatures Android/Agent.FQK Android/TrojanDropper.Agent.NES Android/Spy.Agent.EIJ Android/Spy.Agent.EIK Android/TrojanDropper.Agent.NDK Android/Spy.Spysolr.A Android/Spy.Agent.EUG Android/Spy.Agent.EWN Android/Spy.Agent.FFE Android/Spy.Agent.FFL Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Security vendors have observed multiple versions, including BTMOB v2.5, within short timeframes, as operators iterate on payloads and evasion techniques. BTMOB offer on the surface web(source :.welivesecurity) According to WeLiveSecurity by ESET in a report shared with Cyber Security News, BTMOB-related samples are detected under families such as MSIL/BtmobRat and multiple Android/Spy.Agent or Android/TrojanDropper signatures, reflecting links to earlier SpySolr-based malware. Analysts warn that leaked or pirated copies circulating on forums could further broaden access and inspire copycat toolchains. How Can Stay Safe Defenders are urged to enforce strict app-sourcing policies and raise user awareness. Organizations should mandate installation only from official stores, block sideloading where possible, and train users to treat unsolicited links and “free” streaming or crypto apps with skepticism. Mobile security solutions with behavioral detection and accessibility-abuse monitoring can help spot BTMOB-like threats. While enterprises should treat smartphones as high-value endpoints, they should apply the same logging, EDR-style monitoring, and incident response playbooks used for laptops and servers. Given BTMOB’s builder-driven evolution, defenders should combine up-to-date IOCs with anomaly-based detection to keep pace with new variants. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files Anthropic’s Claude Mythos Preview Uncovers 10,000+ 0-Days in Project Glasswing Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand Windows Server 2016 Domain Controller May Fail with 15-Character Hostname Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections Latest News Cyber Security News GitHub Enterprise Server 3.20.3 Released With Fox for Critical Vulnerabilities Cyber Security News Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters Press Release Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon Cyber Security News Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading Uncategorized ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗