{
	"id": "cc761ae1-c166-43f8-8789-1f2685a55396",
	"created_at": "2026-04-06T00:17:20.768734Z",
	"updated_at": "2026-04-10T13:13:06.728399Z",
	"deleted_at": null,
	"sha1_hash": "7231b9ee4606a747ce58b8e0f3bfd2ae23aad213",
	"title": "BTMOB RAT Newly Discovered Android Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3872478,
	"plain_text": "BTMOB RAT Newly Discovered Android Malware\r\nPublished: 2025-02-12 · Archived: 2026-04-05 13:01:09 UTC\r\nCyble analyzes BTMOB RAT, advanced Android malware actively spreading via phishing sites, leveraging Accessibility Services to steal credentials, control devices remotely, and execute various malicious activities.\r\nKey Takeaways\r\nBTMOB RAT is an advanced Android malware evolved from SpySolr that features remote control, credential theft, and data exfiltration.\r\nIt spreads via phishing sites impersonating streaming services like iNat TV and fake mining platforms.\r\nThe malware abuses Android’s Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections.\r\nIt uses WebSocket-based C\u0026C communication for real-time command execution and data theft.\r\nBTMOB RAT supports various malicious actions, including live screen sharing, file management, audio recording, and web injections.\r\nThe Threat Actor (TA) actively markets the malware on Telegram, offering paid licenses and continuous updates, making it an evolving and persistent threat.\r\nOverview\r\nOn January 31, 2025, Cyble Research and Intelligence Labs (CRIL) identified a sample lnat-tv-pro.apk (13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248) being distributed via a phishing site “hxxps://tvipguncelpro[.]com/” impersonating iNat TV, an online streaming platform from Turkey, posing a serious threat to unsuspecting users.\r\nFigure 1 – Phishing site distributing this malicious APK file\r\nhttps://cyble.com/blog/btmob-rat-newly-discovered-android-malware/\r\nPage 1 of 19\n\nOn VirusTotal, the sample was flagged by Spysolr malware detection, which is based on Crax RAT, developed by the Threat Actor EVLF. 
During our analysis, we also checked the official Spysolr Telegram channel, where the TA announced a new project called “BTMOB RAT.”\r\nFigure 2 – BTMOB RAT announcement on the SpySolr Telegram Channel\r\nThe malware sample downloaded from the phishing site demonstrated typical RAT behavior, establishing a WebSocket connection with a Command and Control (C\u0026C) server at hxxp://server[.]yaarsa.com/con. The request body revealed the “BTMOB” string along with version number “BT-v2.5”, confirming that the sample is indeed the latest version of BTMOB RAT.\r\nFigure 3 – Request body containing the reference of a BTMOB String\r\nThrough their Telegram channel, the TA has been advertising BTMOB RAT, highlighting its capabilities, including live screen control, keylogging, injections, lock feature, and collecting various data from infected devices. The actor is offering a lifetime license for $5,000 (in a one-time payment) with an additional $300 per month for updates and support for the latest version of this malware.\r\nFigure 4 – BTMOB RAT advertisement on the Threat Actor’s Telegram channel\r\nSince late January 2025, we have identified approximately 15 samples of BTMOB RAT (v2.5) in circulation. Earlier variants, active since December 2024, were associated with SpySolr malware, which communicated with hxxps://spysolr[.]com/private/SpySolr_80541.php.\r\nThe latest BTMOB RAT version exhibits a similar C\u0026C structure and codebase, indicating that it is an upgraded version of SpySolr malware.\r\nAn additional BTMOB RAT sample was shared by MalwareHunterTeam and identified by 0x6rss.\r\nLike many other Android malware variants, the BTMOB RAT leverages the Accessibility service to carry out its malicious actions. 
The following section provides a detailed overview of these activities.\r\nTechnical Details\r\nUpon installation, the malware displays a screen urging the user to enable the Accessibility Service. Once the user turns on the Accessibility Service, the malware proceeds to grant the requested permissions automatically.\r\nFigure 5 – Prompting the victim to grant Accessibility Service access\r\nMeanwhile, the malware connects to the C\u0026C server at “hxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php,” which follows a structure similar to the Spysolr malware. Once connected, it initiates a WebSocket connection for server-client communication and transmits JSON data containing the device ID (pid), BotID (idf), connection type (subc), and a message (msg).\r\nThe image below illustrates the “join” connection type request sent to the server, after which the client receives a “Connected” response with the “type” value in JSON.\r\nFigure 6 – WebSocket Connection\r\nOver the course of our analysis, we observed that the malware receives 5 different responses for value “type” as listed below:\r\nType | Description\r\nproxy | Establishes another WebSocket connection\r\nstop | Stops activity based on server response\r\njoin | Sends a join message along with device ID and bot ID\r\ncom | The malware receives various commands through this response type\r\nconnected | The server sends this response upon successful connection establishment\r\nUnauthorized access | The server sends this response when the client fails to register the device\r\nAfter successfully establishing a WebSocket connection, the malware transmits device-related information, including the device name, OS version, model, battery status, wallpaper, malicious app version number, and the status of malicious activities such as key logs, 
visited apps, visited links, notifications, and other activities.\r\nFigure 7 – Sending device information to the TA’s server\r\nThe malware receives commands from the server using the “com” response type. The first command it received was “optns.” Along with this command, the server transmits the activity status to be initiated, which the malware then stores in a shared preference file.\r\nFigure 8 – “optns” command\r\nOur analysis revealed that the malware receives a total of 16 commands from the server, each of which is listed below, along with its description.\r\nCommand | Description\r\noptns | Get action status to enable malicious activities\r\nfetch | Collects the mentioned file in the response or device phone number based on the sub-command\r\nbrows | Loads URL into WebView, and performs actions based on JavaScript\r\nlock | Receives lock pin and other details related to lock, and saves them to the Shared Preference variable\r\nject | Manages injection\r\nfile | Manages file operations\r\nclip | Collects clipboard content\r\nchat | Displays a window with the message received from the server, gets the reply entered in the edit field, and sends it to the server\r\nwrk | Receives additional commands to perform other activities such as collecting SMS, contacts, location, files, managing audio settings, launching activity, and many others\r\nsrh | Search file\r\nmic | Records audio\r\nadd | Get all collected data, including keylogs, active injections, links, device information, wallpaper, and SIM information\r\nbc | Opens alert Window or displays notification with the message received from the server\r\nupload | Downloads injection files\r\nscreen | Handles live screen activity\r\nscread | Collects content from the screen\r\nbrows Command\r\nThe primary function of this command is to load a URL or HTML content into the WebView and execute actions like collecting 
input, clicking, and scrolling using JavaScript.\r\nWhen the malware receives a “brows” command, the server sends additional parameters within a JSON object, including “ltype” and “extdata”. The “ltype” parameter dictates specific actions for the malware, such as loading a URL or HTML code into the WebView, keeping a record of visited websites, along with timestamps and input data, and transmitting the collected data, as illustrated in Figures 9 and 10.\r\nFigure 9 – “ltype” actions\r\nFigure 10 – Loading HTML code or URL into WebView\r\nOnce the malware loads a URL or HTML code into the WebView, it runs JavaScript to collect user-entered data from the webpage. The extracted information, which may include sensitive details like login credentials, along with the date and website link, is then stored in a JSON object.\r\nOnce the data is collected, it is saved in a map variable and later transmitted to the C\u0026C server when the malware receives the “lp” value through the “ltype” parameter.\r\nFigure 11 – Using JavaScript to get input details\r\nThe malware can receive additional commands through the “extdata” parameter, which includes actions such as scrolling, clicking, entering text, navigating, and loading another URL.\r\nThe “text” and “enter” actions are executed using JavaScript, while navigation, scroll, and other movement-based actions are carried out using Motion events.\r\nFigure 12 – Additional actions performed via the “extdata” parameter\r\nThis feature enables the malware to steal login credentials while also providing various options to automate the credential theft process.\r\nscreen Command\r\nWhen the malware initially receives the “optns” command, it checks the live screen activity status to determine whether to proceed. 
Based on this status, the malware then initiates screen capture using Media Projection.\r\nFigure 13 – Screen capturing using Media Projection\r\nTo perform live actions, the malware receives the command “screen” along with different actions as listed below:\r\nL: With this action, the malware receives a “lock” value, determining whether to lock or unlock the device. It checks the lock type (PIN, password, or pattern) and unlocks the device accordingly.\r\nFigure 14 – lock/unlock function\r\nIf the device is locked with a password, the malware retrieves the saved password from the “mob_lck” shared preference variable, which was previously extracted during “LockActivity”. It then enters the password using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”, as shown in the figure below.\r\nFigure 15 – Unlocks device using the password\r\nIf the device is locked with a pattern or PIN, the malware retrieves the pattern coordinates or PIN digits and uses the dispatchGesture API to either draw the pattern or simulate taps on the PIN keypad to unlock the device.\r\nFigure 16 – Unlocks device using lock pattern\r\nQ: Receives the compression quality number to control the quality of screen content\r\nkb: Controls keyboard state\r\nmov: Moves the cursor on the screen using specified x and y coordinates.\r\nnav: Executes navigation actions such as returning to the home screen, switching to recent apps, or going back.\r\nvol: Adjusts the device’s audio volume.\r\nsnap: Captures a screenshot.\r\nblock: Displays a black screen to conceal live screen activity from the victim.\r\npaste: Gets the text from the server and enters it using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”\r\nsklecolor: Receives a color code to 
change the color of rectangular boundaries using Accessibility Service API\r\nskilton: Turns on the service responsible for capturing screen content\r\nject Command\r\nThe malware utilizes the “ject” command to manage injection activities, including removing the injection list, collecting extracted data during injection, and deleting the extracted injection data from the device.\r\nFigure 17 – ject command operation\r\nThe malware maintains an ArrayList “d” to store target application package names, injection paths, and data collected from injection activities. It uses the “upload” command to download an injection ZIP file into the “/protected” directory. The ZIP file is then extracted, and its contents are saved using the “jctid” filename received from the server.\r\nFigure 18 – Downloading injection files\r\nThe malware retrieves the package name of the currently running application and checks if it exists in its list. If a match is found, it loads the corresponding injection HTML file from the “/protected” directory and launches “WebInjector.class” to execute the injection.\r\nFigure 19 – Initiating injection activity\r\nThe WebInjector class loads the injected HTML phishing page into a WebView. 
When the user enters their credentials on this fake page, the malware captures the input and sends it to the C\u0026C server.\r\nFigure 20 – Loading HTML injection page into the Webview\r\nwrk Command\r\nWhen the malware receives a “wrk” command, it also gets a parameter called “cmnd”, which includes additional instructions for executing various malicious activities.\r\nFigure 21 – Receiving additional commands via the “wrk” command\r\nThis command enables the malware to perform various malicious activities, including:\r\nCollecting contacts, SMS, location data, installed apps, thumbnails, and device information.\r\nControlling audio settings.\r\nRequesting permissions.\r\nExecuting shell commands.\r\nManaging files (deleting, renaming, creating, encrypting, or decrypting).\r\nTerminating services.\r\nTaking screenshots.\r\nStealing images.\r\nConclusion\r\nBTMOB RAT, an evolution of the SpySolr malware, poses a significant threat to Android users by leveraging Accessibility Services to perform a wide range of malicious activities. From stealing login credentials through WebView injections to manipulating screen content, collecting sensitive data, and even unlocking devices remotely, this malware demonstrates a high level of sophistication.\r\nThis potent malware uses WebSocket communication with a C\u0026C server to allow real-time command execution, making it a powerful tool for cybercriminals. The malware’s distribution through phishing websites and continuous updates by the threat actor indicate an ongoing effort to enhance its capabilities and evade detection.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the best practices given below:\r\nDownload and install software only from official app stores like Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE ATT\u0026CK® Techniques\r\nTactics | Technique ID | Procedure\r\nInitial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site\r\nPersistence (TA0028) | Event-Triggered Execution: Broadcast Receivers (T1624.001) | BTMOB listens for the BOOT_COMPLETED intent to automatically launch after the device restarts.\r\nDefense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretending to be a genuine application\r\nDefense Evasion (TA0030) | Application Discovery (T1418) | Collects installed application package name list to identify target\r\nDefense Evasion (TA0030) | Hide Artifacts: Suppress Application Icon (T1628.001) | Hides application icon\r\nDefense Evasion (TA0030) | Obfuscated Files or Information (T1406) | BTMOB has used string obfuscation\r\nDefense Evasion (TA0030) | Input Injection (T1516) | Malware can mimic user interaction, perform clicks and various gestures, and input data\r\nCredential Access (TA0031) | Clipboard Data (T1414) | Collects clipboard data\r\nCredential Access (TA0031) | Input Capture: Keylogging (T1417.001) | BTMOB can collect credentials via keylogging\r\nDiscovery (TA0032) | File and Directory Discovery (T1420) | BTMOB enumerates files and directories on external storage\r\nDiscovery (TA0032) | Process Discovery (T1424) | The malware checks the currently running application in the foreground with the help of the Accessibility Service\r\nDiscovery (TA0032) | Software Discovery (T1418) | Collects installed application list\r\nDiscovery (TA0032) | System Information Discovery (T1426) | Collects device information such as device name, model, manufacturer, and device ID\r\nDiscovery (TA0032) | System Network Configuration Discovery (T1422) | Malware collects IP and SIM information\r\nCollection (TA0035) | Audio Capture (T1429) | Malware captures audio using the “mic” command\r\nCollection (TA0035) | Data from Local System (T1533) | Collects files from external storage\r\nCollection (TA0035) | Protected User Data: Contact List (T1636.003) | BTMOB collects contacts from the infected device\r\nCollection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Collects SMSs\r\nCollection (TA0035) | Screen Capture (T1513) | Malware records screen using Media Projection\r\nCommand and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437.001) | BTMOB uses HTTP to communicate with the C\u0026C server\r\nExfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sending exfiltrated data over C\u0026C server\r\nImpact (TA0034) | Data Encrypted for Impact (T1471) | Malware can encrypt files on the device using AES\r\nIndicators of Compromise (IOCs)\r\nIndicators | Indicator Type | Description\r\n8dbfcf6b67ee6c5821564bf4228099beaf5f40e4a87118cbb1e52d8f01312f40 | SHA256 | Analyzed BTMOB RAT\r\nd7b115003784ac2a595083795abffe68d834cdf0 | SHA1 | Analyzed BTMOB RAT\r\ncb801ef4d92394f984f726c9fc4f8315 | MD5 | Analyzed BTMOB RAT\r\nhxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php | URL | C\u0026C server\r\nhxxp://78[.]135.93.123:8080 | URL | WebSocket connection URL\r\nhxxps://tvipguncelpro[.]com/ | URL | Phishing URL\r\n13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248 | SHA256 | Analyzed BTMOB RAT\r\n23e6d0fd3bbc71c0188acab43d454c39fa56d206 | SHA1 | Analyzed BTMOB RAT\r\ne54490097af9746e375b87477b1ffd2d | MD5 | Analyzed BTMOB RAT\r\nhxxp://server[.]yaarsa.com/con | URL | WebSocket connection URL\r\nb053a3d68abb27e91c2caf5412de7868fe50c7506e1f9314fee4c26285db7f59 | SHA256 | BTMOB RAT\r\nbb20f2bfb78fd5a2ff4693939d061368949cd717b8033b6facba82df26b31a1a | SHA256 | BTMOB RAT\r\na4c15afd6cb79b66fce3532907e65ccd13c8140a3cb26cc334138775f7a6aebd | SHA256 | BTMOB RAT\r\n061fdbf0c61a29d31406887a40b4f6a551600f7366a711ecce6063f61965308d | SHA256 | BTMOB RAT\r\n937e77d2a910a1452f951d2de6f614a6219e707c40b6789ccf31cac0d82868cc | SHA256 | BTMOB RAT\r\n9141e25b93d315843399a757cddb63af55bdbdd4094fba4a6b2bbea89bf9ecf9 | SHA256 | BTMOB RAT\r\nb724ca474c2bca77573e071524bd5500f0355c8b6b8bb432dcc2d8664ed2d073 | SHA256 | BTMOB RAT\r\n6ce41ee43a5d5f773203cfcf810c0208246f0b27505d49b270288751a747f5a3 | SHA256 | BTMOB RAT\r\n8548600b4e461580fe32fea6c1e233a5862483ca9a617d79fdea001ebf5556cc | SHA256 | BTMOB RAT\r\n8df615fa33dcd7aa81adc640ac42a6a9a4a2bebbb5308f1d8a35afa169e99229 | SHA256 | BTMOB RAT\r\n186cd8d9998d6c4e2d12a1370056ba910a6f8a2176c8b0c9362a868830fcfb07 | SHA256 | BTMOB RAT\r\n071d3ad980ea77a9041c580015b2796d3d5d471c2fc1039c8f381501efb3cda0 | SHA256 | BTMOB RAT\r\n04241bc4ce9cece5644cd7f8f86ede7def5cb6122b2f3b5760c2c3556da34a7d | SHA256 | BTMOB RAT\r\n2b725322f9a019b0106a084694c18fbb8604cf64c65182153c4d67ff3adf4e48 | SHA256 | BTMOB RAT\r\n2b307f11ae418931674156425c47ff1c0645fb0b160290cd358599708ff62668 | SHA256 | BTMOB RAT\r\nSource: https://cyble.com/blog/btmob-rat-newly-discovered-android-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/btmob-rat-newly-discovered-android-malware/"
	],
	"report_names": [
		"btmob-rat-newly-discovered-android-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434640,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7231b9ee4606a747ce58b8e0f3bfd2ae23aad213.pdf",
		"text": "https://archive.orkl.eu/7231b9ee4606a747ce58b8e0f3bfd2ae23aad213.txt",
		"img": "https://archive.orkl.eu/7231b9ee4606a747ce58b8e0f3bfd2ae23aad213.jpg"
	}
}