Last seven days
- First activity
- Jul 14, 2026
- Last activity
- Jul 14, 2026
- Feed role
- Distribution
- Host form
- 0 IP / 1 hostnames
BTMOB is an Android remote access trojan (RAT) and malware-as-a-service offering first identified in February 2025 and described as derived from the SpySolr malware family.
Profile source: Mallory opens in a new tabBTMOB
BTMOB is an Android remote access trojan (RAT) and malware-as-a-service offering first identified in February 2025 and described as derived from the SpySolr malware family. It is marketed as a no-code or low-skill platform that lets operators generate customized malicious APKs and phishing lures, lowering the barrier to entry for cybercriminals. Reporting indicates it has been promoted via an open-web portal, Telegram, and social media, with pricing described in different reports as a lifetime license around $5,000 plus support fees, and in one report with alternative subscription and source-code pricing.
BTMOB is primarily distributed through phishing campaigns and fake Android app stores or counterfeit Google Play-style pages. Observed lures have impersonated streaming and IPTV services, cryptocurrency-related services, GPT Trade, and Argentine public-sector or tax-themed entities such as AFIP. In May 2026, campaigns distributed BTMOB through apps presented as IPTV or streaming platforms offering World Cup broadcasts. It has also been observed as a payload dropped in other Android malware campaigns, including newer BeatBanker variants.
Once installed, BTMOB abuses Android Accessibility Services to obtain elevated privileges and silently grant itself additional permissions. Reported capabilities include remote control of the device, unlocking devices, executing commands, reading messages, displaying victim information, accessing cameras, capturing screenshots, screen or activity recording, keylogging, GPS tracking, file and data exfiltration, and credential theft via HTML injections or overlay-style phishing when targeted apps are opened. Later reporting also noted capture of Alipay PINs. Researchers describe it as enabling full-device takeover rather than only banking fraud.
BTMOB activity has been observed particularly in Brazil and broader Latin America, but its localization and builder features make it adaptable to other regions. It has been linked in reporting to campaigns targeting banking and payment users and to MaaS-style commercialization rather than a single clearly attributed threat actor. One report states ESET believes BTMOB is the successor to CraxsRAT, CypherRAT, and SpySolr, while multiple other reports specifically describe it as evolved from SpySolr.
Known detection names mentioned in the content include MSIL/BtmobRat, Android/Spy.Agent.EED, Android/Spy.Agent.EIJ, Android/Spy.Agent.EIK, Android/Agent.FQK, Android/TrojanDropper.Agent.NES, Android/TrojanDropper.Agent.NDK, Android/Spy.Spysolr.A, Android/Spy.Agent.EUG, Android/Spy.Agent.EWN, Android/Spy.Agent.FFE, Android/Spy.Agent.FFL, and Android/TrojanDropper.Agent.NBO. Reported indicators include the domain arbsniper.com; IPs 178.156.177.192, 191.101.131.250, and 195.160.221.203; and sample SHA-256 hashes 58AC130A8EBB09E37592AC69841483EDC5695D1545B1F04F23D5B760AC17CD94 and 0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35. Reporting also notes BTMOB-related files briefly appeared on a dark web forum in January 2026, raising concerns about leakage, resale, and wider secondary-market adoption.
Samples
Reported operators
The disclosure coincides with a report from ESET about BTMOB, an Android remote access trojan (RAT) that first emerged in February 2025 with capabilities to unlock devices, capture screenshots, log keystrokes, automate credential theft through HTML injections when certain apps are opened, and enable remote control.
Besides PhantomCard, "Go1ano developer" also claims to be the "trusted partner" of BTMOB, GhostSpy spyware families in Brazil.
MITRE ATT&CK
Reporting
Security researchers have identified BTMOB, an Android remote access trojan (RAT) derived from the SpySolr malware family, as an emerging malware-as-a-service platform that enables operators to remotely monitor, manipulate, and control compromised devices with minimal technical expertise.
Related Articles: ... BTMOB Android malware service generates custom phishing payloads
Intel 471 highlighted activity involving BTMOB, an Android remote access trojan offered through a malware-as-a-service model. The malware was promoted as compatible with Android versions 12 through 16 and included capabilities such as reading messages, executing commands, displaying victim information and accessing device cameras. In May 2026, a campaign was identified distributing BTMOB through applications presented as IPTV or streaming platforms offering access to World Cup broadcasts.
BTMOB sells Android full-device takeover as a kit, no coding needed. It steals data, records screens, and hands attackers remote control for $5,000 lifetime.
The RAT — dubbed BTMOB and first described by researchers at Cyble last year as an offshoot of SpySolr malware — is notable for its potential to do significant damage via a range of capabilities that extend beyond the usual RAT behavior.
The disclosure coincides with a report from ESET about BTMOB, an Android remote access trojan (RAT) that first emerged in February 2025 with capabilities to unlock devices, capture screenshots, log keystrokes, automate credential theft through HTML injections when certain apps are opened, and enable remote control.
BTMOB is an Android remote access trojan (RAT) that, while not detected in high volumes, presents a significant threat due to its capabilities and ease of use. First identified in February 2025, BTMOB evolved from the SpySolr malware.
New Android malware dubbed BTMOB is arming even low-skilled attackers with full remote control over infected phones by combining a powerful RAT engine with a no-code campaign builder toolkit. The threat, first seen in 2025, is now evolving rapidly through a malware-as-a-service (MaaS) model and active phishing campaigns worldwide.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.