{
	"id": "129a09a8-b81d-4709-ae8d-6ae258bc5f6e",
	"created_at": "2026-04-06T00:15:39.847139Z",
	"updated_at": "2026-04-10T13:11:30.841839Z",
	"deleted_at": null,
	"sha1_hash": "081a73120b80975d8405f407192fb7447443ec05",
	"title": "BTMOB RAT – Malware Trends Tracker by ANY.RUN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71559,
	"plain_text": "BTMOB RAT – Malware Trends Tracker by ANY.RUN\r\nBy Stanislav Gayvoronsky\r\nArchived: 2026-04-05 21:52:19 UTC\r\nBTMOB RAT: The Android Phantom Hijacking Your Wallet\r\nKey Takeaways\r\n1. Commercial-Grade Mobile Malware: BTMOB RAT operates as Malware-as-a-Service with lifetime\r\nlicenses selling for $5,000, representing a dangerous shift toward professionalized mobile threats with\r\nrapid development cycles.\r\n2. Beyond Traditional Mobile Malware: This isn't just another Android trojan: it combines live screen\r\ncontrol, banking overlay attacks, cryptocurrency theft, and comprehensive surveillance capabilities that\r\nrival desktop RATs.\r\n3. Accessibility Service Weaponization: The malware exploits Android's accessibility features designed for\r\ndisabled users, turning assistive technology into a powerful attack vector that bypasses most traditional\r\nmobile security measures.\r\n4. Financial Services in the Crosshairs: With specialized capabilities targeting Alipay and banking apps\r\nthrough real-time overlay attacks, BTMOB RAT represents a new era of mobile financial fraud that\r\nthreatens both personal and corporate banking security.\r\n5. Defense Strategies: Detect via IOCs like specific domains and behavioral anomalies; prevent with app\r\nvetting, updates, and MTD tools; leverage threat intelligence for proactive blocking and variant tracking.\r\nFigure: Gather BTMOB RAT IOCs in ANY.RUN's Interactive Sandbox\r\nWhat is BTMOB RAT Malware?\r\nBTMOB RAT represents a significant evolution in Android malware, emerging as one of the most sophisticated\r\nRemote Access Trojans targeting mobile devices in 2025. This advanced malware evolved from the SpySolr\r\nfamily and has rapidly gained notoriety for its comprehensive data theft capabilities, remote control features, and\r\nability to bypass modern Android security measures. 
With over 15 variants identified since December 2024,\r\nBTMOB RAT poses a serious threat to both individual users and organizations worldwide. The malware operates\r\nas a comprehensive Remote Access Trojan specifically designed for Android platforms, leveraging the operating\r\nsystem's Accessibility Service to gain extensive control over infected devices. Unlike traditional mobile malware\r\nthat focuses on single attack vectors, BTMOB RAT combines multiple techniques including credential theft,\r\nremote device control, banking fraud, and data exfiltration capabilities.\r\nWhat sets BTMOB RAT apart from other mobile threats is its sophisticated use of overlay attacks, particularly\r\ntargeting financial applications like Alipay. The latest version (v2.5) incorporates advanced obfuscation techniques\r\nand can perform real-time screen manipulation.\r\nhttps://any.run/malware-trends/btmob/\r\nPage 1 of 6\n\nThe malware is distributed through a Malware-as-a-Service (MaaS) model, with cybercriminals advertising\r\nlifetime licenses for $5,000 through Telegram channels. This commercial approach has accelerated its adoption\r\namong threat actors and contributed to its rapid evolution and widespread distribution.\r\nBTMOB RAT infiltrates via social engineering, primarily phishing sites masquerading as legitimate apps like iNat\r\nTV (e.g., tvipguncelpro.com) or fake WhatsApp mods (e.g., WhatsApp GB). 
Users are tricked into sideloading\r\nAPKs, which prompt enabling Accessibility Service—framed as necessary for \"enhanced features.\"\r\nSpread occurs through:\r\nPhishing Campaigns: URLs distributed on forums, SMS, or search-engine-indexed fake sites (e.g.,\r\nArgentine tax agency clones).\r\nApp Stores and Mods: Malicious apps on Google Play or third-party stores.\r\nMaaS Distribution: Developers promote via Telegram, enabling affiliates to customize and deploy.\r\nPost-infection, it self-propagates by exfiltrating contacts for SMS phishing or using infected devices to host\r\nphishing pages. Geographic targeting, like Morocco's 2025 alerts, shows adaptation to local lures.\r\nBTMOB RAT Malware Victimology\r\nBTMOB RAT predominantly targets Android users in emerging markets with high mobile banking adoption,\r\nwhere digital financial services are rapidly growing but security awareness lags. In Morocco, it has been a focal\r\npoint of national alerts, affecting smartphone users who enable accessibility features for convenience, leading to\r\nwidespread banking data theft. Morocco ranks third in Africa for web-based threats, with over 12.6 million attack\r\nattempts in 2024, amplifying BTMOB's impact.\r\nGlobally, victims include casual users of streaming or mining apps, as well as financial app users in China (e.g.,\r\nAlipay targets). Recent campaigns have hit Latin America, such as Argentina via fake government sites\r\nimpersonating tax agencies. Over 500,000 installations of similar accessibility-abusing malware were recorded in\r\n2024, suggesting BTMOB's victim pool could number in the tens of thousands by September 2025. 
Businesses in\r\nretail and finance are indirect victims through employee devices, but primary targets remain individual consumers\r\nvulnerable to phishing.\r\nHow BTMOB RAT Functions\r\nThe trojan operates through several sophisticated mechanisms:\r\nAccessibility Service Abuse:\r\nIt exploits Android's Accessibility Service, originally designed to help users with disabilities, to gain broad system\r\npermissions and control over user interface elements.\r\nOverlay Attacks:\r\nBTMOB RAT creates transparent or semi-transparent overlays on legitimate applications, particularly banking and\r\npayment apps, to capture user credentials and sensitive information without detection.\r\nRemote Administration:\r\nThe malware establishes persistent command and control (C\u0026C) communication channels, allowing attackers to\r\nremotely execute commands, update malware components, and extract data in real-time.\r\nDynamic Code Loading:\r\nAdvanced variants can download and execute additional malicious modules, expanding their capabilities based on\r\nspecific attack objectives.\r\nAnti-Detection Techniques:\r\nThe malware employs multiple evasion techniques including code obfuscation, runtime application self-protection\r\n(RASP), and behavioral analysis evasion to avoid detection by security solutions.\r\nData Exfiltration:\r\nStolen information is encrypted and transmitted to attacker-controlled servers through various channels, including\r\nHTTPS connections to legitimate-looking domains.\r\nBTMOB RAT Attack Example and Technical Analysis\r\nA dynamic analysis of a BTMOB sample in ANY.RUN’s Interactive Sandbox reveals key operating mechanisms\r\nand network activity of the malware.\r\nFigure: BTMOB RAT sample analysis in the Interactive Sandbox\r\nNetwork Activity and Encryption\r\nAnalysis of network traffic revealed the malware’s attempts to establish a connection 
with the command and\r\ncontrol (C\u0026C) server via hxxp[:]//<ip>/yaarsa/private/yarsap_80541[.]php (defanged; <ip> stands for the C\u0026C server address). A characteristic sequence of requests is\r\nobserved: an initial HEAD request, followed by a repeated HEAD after a pause, which is part of the handshake\r\nconnection establishment mechanism and server availability check.\r\nFigure: BTMOB RAT network connection attempts in the Interactive Sandbox\r\nAll commands and data are transmitted through an encrypted channel, which complicates analysis of the payload.\r\nTo protect its configuration and the collected data, the malware actively uses cryptographic APIs.\r\nFigure: Encryption technique used by BTMOB RAT\r\nConfiguration File and Management\r\nBTMOB RAT stores its configuration in the app's SharedPreferences storage in XML format. The configuration\r\nfile contains a complex map of boolean values, where each parameter enables or disables one of the malware's functions.\r\nFigure: BTMOB RAT configuration file contents visible in the Interactive Sandbox\r\nPersistence and Privilege Escalation Mechanisms\r\nAggressive permission acquisition appears to be the key attack vector. The malware doesn't simply request access\r\nbut manipulates the interface using Input Injection to automatically press the \"Allow\" button.\r\nFigure: BTMOB RAT detected using the Input Injection technique\r\nOnce access is obtained, it gains control over the device, including implementing the Prevent Application\r\nRemoval mechanism, intercepting events in Android Settings to block its own uninstallation.\r\nTo ensure continuous operation, the malware creates a background service immediately after launch and uses\r\nWakeLock, preventing the device from entering sleep mode. 
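The boolean configuration map described above is what an analyst pulls out of the SharedPreferences dump once the sandbox (or a device image) exposes the app's shared_prefs directory. The Python below is an added example written for this page, not code from ANY.RUN or from the malware: it parses a constructed SharedPreferences XML file in the format Android writes, separates the boolean flags from string and integer entries, and reports entries whose value cannot be interpreted. The key names in the sample (overlay_enabled, block_uninstall and the rest) and the choice to treat a string entry holding true or false as a flag are assumptions for the example, not BTMOB's real keys.

```python
import xml.etree.ElementTree as ET

# Constructed SharedPreferences dump for this example, in the format Android
# writes under /data/data/<package>/shared_prefs/<name>.xml. The key names are
# placeholders chosen for illustration; they are NOT BTMOB's real config keys.
SAMPLE_PREFS = '''<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name='overlay_enabled' value='true' />
    <boolean name='block_uninstall' value='true' />
    <boolean name='screen_control' value='false' />
    <string name='wakelock'>true</string>
    <string name='c2_path'>/yaarsa/private/yarsap_80541.php</string>
    <int name='beacon_interval' value='30' />
    <boolean name='corrupt_flag' value='maybe' />
</map>'''


def parse_prefs(xml_text):
    '''Split a SharedPreferences XML document into three parts:
    flags    - name -> bool for <boolean> entries (and, as an assumption for
               this example, <string> entries whose text is true/false)
    others   - name -> raw value for every other entry type
    problems - names whose value could not be interpreted as expected
    Raises xml.etree.ElementTree.ParseError on malformed XML and ValueError if
    the root is not the <map> element Android uses.'''
    root = ET.fromstring(xml_text.encode('utf-8'))
    if root.tag != 'map':
        raise ValueError('not a SharedPreferences map, root is ' + root.tag)
    flags, others, problems = {}, {}, []
    for entry in root:
        name = entry.get('name')
        if name is None:
            problems.append('<' + entry.tag + '> without name attribute')
            continue
        if entry.tag == 'boolean':
            raw = (entry.get('value') or '').strip().lower()
        elif entry.tag == 'string':
            raw = (entry.text or '').strip().lower()
        else:
            # int, long, float, set and so on: keep the raw value for the analyst
            value = entry.get('value')
            others[name] = value if value is not None else (entry.text or '')
            continue
        if raw == 'true':
            flags[name] = True
        elif raw == 'false':
            flags[name] = False
        elif entry.tag == 'string':
            others[name] = entry.text or ''
        else:
            # a <boolean> whose value is neither true nor false: report it
            problems.append(name)
    return flags, others, problems


def enabled_capabilities(flags):
    '''Names of the flags that are switched on, sorted for stable reporting.'''
    return sorted(name for name, on in flags.items() if on)


if __name__ == '__main__':
    flags, others, problems = parse_prefs(SAMPLE_PREFS)
    print('enabled :', ', '.join(enabled_capabilities(flags)))
    print('disabled:', ', '.join(sorted(n for n, on in flags.items() if not on)))
    for name, value in sorted(others.items()):
        print('other   :', name, '=', value)
    if problems:
        print('problems:', ', '.join(problems))
```

Running the script prints the enabled and disabled flags separately, lists the non-boolean entries (a path and an interval in the constructed sample) and names the one entry with an uninterpretable value, so a corrupt or deliberately odd dump does not silently drop a capability. Point parse_prefs at the XML pulled from the sandbox's file view to get the same breakdown for a real sample.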
It also checks the lock screen state, which\r\nincreases its stealth.\r\nData Collection and Malicious Activity\r\nBefore performing its main tasks, the malware conducts comprehensive reconnaissance: collects a list of installed\r\napplications, analyzes running processes, and obtains system data. This allows the operator to adapt the attack to\r\nthe specific device.\r\nThe key malicious activity is the overlay attack: the malware overlays phishing windows on legitimate\r\napplications, primarily banking and cryptocurrency ones, to steal credentials, PIN codes, and two-factor\r\nauthentication codes.\r\nYou can view the succession of the above-mentioned processes in ANY.RUN’s Sandbox as a process tree with\r\nevery behavior’s description.\r\nFigure: BTMOB RAT’s malicious processes shown as a process tree\r\nNotable BTMOB RAT Attacks\r\nWhile specific large-scale BTMOB attacks are still emerging due to its recent discovery, several notable patterns\r\nhave been identified:\r\nStreaming Service Impersonation Campaigns:\r\nMultiple campaigns have been observed where attackers created sophisticated fake websites mimicking popular\r\nstreaming platforms, leading to thousands of downloads before detection.\r\nCryptocurrency Mining Fraud:\r\nSignificant campaigns targeting cryptocurrency enthusiasts through fake mining applications have resulted in\r\nsubstantial financial losses and credential theft.\r\nAlipay PIN Theft Operations:\r\nRecent versions specifically targeting Alipay users have demonstrated the malware's evolution toward financial\r\nfraud, with overlay attacks successfully capturing payment credentials.\r\nCorporate Device Compromises:\r\nSeveral incidents have been reported where employee devices were compromised through entertainment-focused\r\nphishing, leading to broader 
organizational security concerns.\r\nThese examples demonstrate the malware's versatility and the threat actors' ability to adapt their tactics based on\r\ncurrent trends and user interests.\r\nGathering Threat Intelligence on BTMOB RAT Malware\r\nThreat intelligence plays a crucial role in defending against BTMOB RAT:\r\nProactive Threat Detection: Intelligence feeds provide early warning indicators of new BTMOB RAT\r\ncampaigns, enabling organizations to implement protective measures before attacks reach their\r\nenvironments.\r\nAttribution and Campaign Tracking: Threat intelligence helps identify the tactics, techniques, and\r\nprocedures (TTPs) used by BTMOB RAT operators, enabling better prediction and prevention of future\r\nattacks.\r\nContextual Analysis: Intelligence provides crucial context about BTMOB RAT variants, helping security\r\nteams understand the specific threats relevant to their organization and user base.\r\nPredictive Security: Advanced threat intelligence can help predict likely evolution paths for BTMOB\r\nRAT, enabling proactive security measure implementation.\r\nStart gathering intelligence by searching BTMOB in ANY.RUN’s Threat Intelligence Lookup. View the RAT’s\r\nfresh sample analyses to understand TTPs and harvest IOCs:\r\nthreatName:\"btmob\"\r\nFigure: BTMOB RAT’s samples found via Threat Intelligence Lookup\r\nThreat Intelligence Lookup is available for free: collect indicators and browse sandbox detonations quickly and easily.\r\nConclusion\r\nBTMOB RAT remains a versatile and dangerous remote access Trojan capable of damaging both individuals and\r\nenterprises. Its modular architecture, stealthy operations, and adaptability make it a prime tool for cybercriminals\r\nand APT actors alike. 
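The HEAD, pause, repeated HEAD sequence noted in the technical analysis above is a behavioral indicator that survives a change of C2 address, so it is worth encoding as a detection rather than relying only on the domain and path IOCs. The Python below is an added example written for this page, not ANY.RUN's detection logic and not the malware's code: it runs over constructed proxy-style log lines (epoch seconds, client, method, host, path, user-agent) and flags a client that sends two HEAD requests to the same .php endpoint from an Android user-agent with a pause between them. The log format, the 203.0.113.0/24 and 198.51.100.0/24 addresses (RFC 5737 documentation ranges), the 5-second minimum gap and the 120-second window are assumptions for the example.

```python
from collections import defaultdict

# Constructed log lines for this example (NOT real traffic): epoch seconds,
# client IP, method, host, path, then the user-agent, which is last because it
# may contain spaces. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for a C2 address, not real BTMOB servers.
SAMPLE_LOG = [
    '1700000000 10.0.0.5 HEAD 203.0.113.10 /yaarsa/private/yarsap_80541.php Dalvik/2.1.0 (Linux; U; Android 13)',
    '1700000001 10.0.0.7 GET cdn.example.org /app.js Mozilla/5.0 (Windows NT 10.0) Chrome/120.0',
    '1700000012 10.0.0.5 HEAD 203.0.113.10 /yaarsa/private/yarsap_80541.php Dalvik/2.1.0 (Linux; U; Android 13)',
    '1700000013 10.0.0.5 POST 203.0.113.10 /yaarsa/private/yarsap_80541.php Dalvik/2.1.0 (Linux; U; Android 13)',
    '1700000020 10.0.0.9 HEAD 198.51.100.4 /index.php Dalvik/2.1.0 (Linux; U; Android 12)',
    '1700000021 10.0.0.9 HEAD 198.51.100.4 /index.php Dalvik/2.1.0 (Linux; U; Android 12)',
    '1700000030 10.0.0.11 HEAD files.example.org /update.php curl/8.4.0',
    'this line is malformed',
]

MIN_GAP_SECONDS = 5.0    # assumption: a pause, not an immediate retry
WINDOW_SECONDS = 120.0   # assumption: both HEADs belong to one handshake


def parse_line(line):
    '''Parse one log line into a dict, or return None if it is malformed.'''
    parts = line.split(None, 5)
    if len(parts) < 5:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return {'ts': ts, 'client': parts[1], 'method': parts[2].upper(),
            'host': parts[3], 'path': parts[4],
            'ua': parts[5] if len(parts) == 6 else ''}


def looks_android(ua):
    '''Dalvik/... is the default user-agent of Android's HttpURLConnection.'''
    ua = ua.lower()
    return 'dalvik' in ua or 'android' in ua


def find_head_handshakes(lines, min_gap=MIN_GAP_SECONDS, window=WINDOW_SECONDS,
                         require_android=True):
    '''Return one alert per (client, host, path) that shows a HEAD request, a
    pause of at least min_gap seconds, and a repeated HEAD within window
    seconds to a .php endpoint. Non-HEAD methods, non-.php paths and (by
    default) non-Android user-agents are ignored, so a single HEAD or a
    fast retry pair does not fire.'''
    heads = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'HEAD':
            continue
        if not rec['path'].lower().endswith('.php'):
            continue
        if require_android and not looks_android(rec['ua']):
            continue
        heads[(rec['client'], rec['host'], rec['path'])].append(rec['ts'])

    alerts = []
    for (client, host, path), stamps in sorted(heads.items()):
        stamps.sort()
        for first, second in zip(stamps, stamps[1:]):
            gap = second - first
            if min_gap <= gap <= window:
                alerts.append({'client': client, 'host': host, 'path': path,
                               'gap_seconds': gap})
                break   # one alert per endpoint is enough for triage
    return alerts


if __name__ == '__main__':
    for alert in find_head_handshakes(SAMPLE_LOG):
        print('possible BTMOB C2 handshake:', alert)
```

On the constructed sample only 10.0.0.5 fires: its two HEADs to the .php path are 12 seconds apart, while the 10.0.0.9 pair is an immediate retry (1 second) and 10.0.0.11 sends a single HEAD from curl. Tune min_gap from what the sandbox shows for the pause rather than guessing; lowering it to catch fast retries trades precision for recall, as the min_gap=0.5 case in the checks illustrates.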
Proactive defense powered by advanced detection, prevention strategies, and real-time\r\nthreat intelligence is essential to reduce risks and prevent devastating breaches.\r\nSign up to use ANY.RUN’s TI Lookup for free: gather fresh actionable threat intelligence for timely detection and\r\nresponse.\r\nSource: https://any.run/malware-trends/btmob/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/malware-trends/btmob/"
	],
	"report_names": [
		"btmob"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/081a73120b80975d8405f407192fb7447443ec05.pdf",
		"text": "https://archive.orkl.eu/081a73120b80975d8405f407192fb7447443ec05.txt",
		"img": "https://archive.orkl.eu/081a73120b80975d8405f407192fb7447443ec05.jpg"
	}
}