The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise
# Tool/Technique: BTMOB (aka BtmobRat)
## Overview
BTMOB is a sophisticated Android Remote Access Trojan (RAT) marketed under the Malware-as-a-Service (MaaS) model. It evolved from the **SpySolr** malware family. Unlike standard banking trojans that focus solely on financial theft, BTMOB provides a comprehensive suite of surveillance and remote control capabilities, lowering the barrier for entry for less technical threat actors via a "ready-made" APK builder interface.
## Technical Details
- **Type:** Malware family (Remote Access Trojan / Spyware)
- **Platform:** Android (Primary payloads); Windows/MSIL (Builder/C2 components)
- **Capabilities:** Data exfiltration, screenshot capture, activity recording, remote device takeover, and automated phishing campaign generation.
- **First Seen:** February 2025 (v2.5)
## MITRE ATT&CK Mapping
- **[TA0031 - Initial Access]**
  - [T1474 - Supply Chain Compromise: External App Store]
  - [T1475 - Drive-by Compromise]
- **[TA0030 - Persistence]**
  - [T1624.001 - Event-Triggered Execution: Accessibility Service]
- **[TA0032 - Privilege Escalation]**
  - [T1548 - Abuse Elevation Control Mechanism]
- **[TA0035 - Collection]**
  - [T1513 - Screen Capture]
  - [T1430 - Location Scanning]
  - [T1636 - SMS/Contact Exfiltration]
- **[TA0037 - Command and Control]**
  - [T1437 - Standard Non-Application Layer Protocol]
## Functionality
### Core Capabilities
- **Remote Access (RAT):** Provides adversaries with full remote control over the infected Android device.
- **Data Theft:** Exfiltrates sensitive information, including contacts, SMS messages, and call logs.
- **Surveillance:** Captures real-time screenshots and records device activity/audio.
- **Accessibility Abuse:** Exploits Android Accessibility Services to automate clicks, grant permissions, and intercept UI interactions without user consent.
### Advanced Features
- **APK Builder Interface:** A GUI-based tool allowing buyers to generate custom malicious APKs, change icons, and alter app names without writing code.
- **MaaS Infrastructure:** Integrated support and sales pipeline via Telegram and social media (X, Instagram).
- **Localized Lures:** Ability to rapidly switch campaign themes (e.g., impersonating Argentine tax authorities or crypto platforms).
## Indicators of Compromise
### File Hashes (SHA256)
- `D55057CD9110D12A192281356F06B94F342B9FEBB305CF0A5898A7E6AF40758F`
- `676CB2D0A60403AFC06CEA1B572CB7261F706365FAC65621B5A4907893E7AC0D`
- `75DD4FB011ED598374A46FC0D9C0D1D64A298341C34AFC83A56A6983CFD27764`
- `702261BA38B57ECC3A5407FED28B2F0611A74C2EC0C116AEA4F9E6DEF0899AED`
- `244D81FD9908CD17815501D4EDADEB1BAF1C421AA25D8BD61C7CB481C939540E`
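The hashes above are published in uppercase, while `hashlib` and most command-line tools emit lowercase hex, so a naive string comparison misses every sample. The following scanner is an added example (not part of the original report) that streams files through SHA-256, normalizes case before matching, and skips unreadable files; the directory layout, file suffix filter, and the `demo_scan` self-check inputs are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

# SHA256 IoCs exactly as listed in the report (uppercase as published).
BTMOB_SHA256 = {
    "D55057CD9110D12A192281356F06B94F342B9FEBB305CF0A5898A7E6AF40758F",
    "676CB2D0A60403AFC06CEA1B572CB7261F706365FAC65621B5A4907893E7AC0D",
    "75DD4FB011ED598374A46FC0D9C0D1D64A298341C34AFC83A56A6983CFD27764",
    "702261BA38B57ECC3A5407FED28B2F0611A74C2EC0C116AEA4F9E6DEF0899AED",
    "244D81FD9908CD17815501D4EDADEB1BAF1C421AA25D8BD61C7CB481C939540E",
}


def normalize_hashes(hashes: Iterable[str]) -> Set[str]:
    """Lower-case and strip each IoC so published uppercase values match hexdigest() output."""
    return {h.strip().lower() for h in hashes}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks; APKs and builder binaries can be large."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, iocs: Iterable[str] = BTMOB_SHA256,
                   suffixes=(".apk", ".exe", ".dll")) -> Dict[str, str]:
    """Return {path: sha256} for every file under root whose hash is in the IoC set.

    The suffix filter is an assumption (Android payloads plus Windows/MSIL builder
    components, per the report); pass suffixes=() to hash everything.
    """
    wanted = normalize_hashes(iocs)
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if suffixes and path.suffix.lower() not in suffixes:
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if digest in wanted:
                hits[str(path)] = digest
    return hits


def demo_scan() -> Dict[str, bool]:
    """Constructed self-check on a temporary directory (not a real sample).

    A benign file must not match the report's IoCs, and the same file must match
    once its own hash is supplied in uppercase, proving the case normalization.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "benign.apk"
        benign.write_bytes(b"constructed benign content")
        uppercase_hash = sha256_of_file(benign).upper()
        return {
            "benign_matches_report": bool(scan_directory(tmp)),
            "matches_when_listed": str(benign) in scan_directory(tmp, {uppercase_hash}),
        }


if __name__ == "__main__":
    print(demo_scan())
```

Run it against a quarantine or MDM export directory with `scan_directory("/path/to/export")`; a non-empty result is a confirmed-hash hit and should be escalated, while an empty result only means none of these five hashes were present, not that the device is clean (the builder produces a fresh APK per buyer).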
### Behavioral Indicators
- Requesting "Accessibility Service" permissions immediately upon launch.
- Creating hidden or masqueraded system processes.
- Communicating with known Telegram bot APIs for command exfiltration.
## Associated Threat Actors
- Distributed by various individual affiliates under a MaaS license.
- Identified campaigns targeting **Brazil** and **Argentina** (impersonating tax/government agencies).
## Detection Methods
- **Signature-based detection:**
  - ESET: `MSIL/BtmobRat`, `Android/Spy.Agent.EED`, `Android/Spy.Agent.EIJ`, `Android/Spy.Spysolr.A`.
- **Behavioral detection:** Monitoring for apps requesting high-privilege accessibility permissions alongside network traffic to non-standard ports or known encrypted messaging C2s.
## Mitigation Strategies
- **Prevention:** Enforce Mobile Device Management (MDM) policies to prevent "Sideloading" and the installation of apps from "Unknown Sources."
- **Hardening:** Educate users on the risks of clicking links in SMS (Smishing) or social media direct messages.
- **Audit:** Regularly review Accessibility Service permissions in Android settings; revoke access for any unrecognized applications.
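The behavioral detection in the previous section and the accessibility audit above can be turned into one correlation check. The following is an added example, not code from the original report: it parses the real Android setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries, or `null`), flags any non-allowlisted package holding an accessibility service, and raises the severity when that same package also talks to a watched host (the Telegram bot API named in the report) or a non-standard port. The allowlist, the `pkg=... dst=host:port` network log format, and all sample values are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed allowlist: packages permitted to hold an accessibility service on managed devices.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback", "com.android.talkback"}

# Hosts worth correlating; api.telegram.org because the report notes Telegram bot API C2.
WATCHED_HOSTS = {"api.telegram.org"}
STANDARD_PORTS = {80, 443}

# Assumed per-app connection log format (constructed for this example, not an Android log).
LINE_RE = re.compile(r"^pkg=(?P<pkg>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)$")


def parse_enabled_services(setting_value: str) -> Dict[str, Set[str]]:
    """Parse `settings get secure enabled_accessibility_services` into {package: {service class}}."""
    result: Dict[str, Set[str]] = {}
    value = setting_value.strip()
    if not value or value == "null":
        return result
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # tolerate malformed entries rather than fail the audit
        pkg, svc = entry.split("/", 1)
        result.setdefault(pkg, set()).add(svc)
    return result


@dataclass
class Alert:
    package: str
    services: List[str]
    severity: str
    reasons: List[str] = field(default_factory=list)


def correlate(setting_value: str, net_lines: List[str],
              allowlist: Set[str] = ALLOWED_ACCESSIBILITY) -> List[Alert]:
    """Flag non-allowlisted accessibility holders; escalate when their traffic matches the watchlist."""
    services = parse_enabled_services(setting_value)
    conns: Dict[str, Set[Tuple[str, int]]] = {}
    for line in net_lines:
        m = LINE_RE.match(line.strip())
        if m:
            conns.setdefault(m["pkg"], set()).add((m["host"], int(m["port"])))

    alerts: List[Alert] = []
    for pkg, svcs in sorted(services.items()):
        if pkg in allowlist:
            continue
        reasons = ["accessibility service enabled by non-allowlisted package"]
        for host, port in sorted(conns.get(pkg, ())):
            if host in WATCHED_HOSTS:
                reasons.append(f"connects to watched host {host}:{port}")
            elif port not in STANDARD_PORTS:
                reasons.append(f"connects to non-standard port {host}:{port}")
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append(Alert(pkg, sorted(svcs), severity, reasons))
    return alerts


# Constructed sample input: TalkBack (allowlisted) plus a fictitious "tax update" app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.taxupdate/.core.AccService"
)
SAMPLE_NET_LOG = [
    "pkg=com.example.taxupdate dst=api.telegram.org:443",
    "pkg=com.example.taxupdate dst=203.0.113.10:7771",  # TEST-NET address, constructed
    "pkg=com.android.chrome dst=www.example.com:443",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_SETTING, SAMPLE_NET_LOG):
        print(alert)
```

In practice the setting value comes from the device (or an MDM inventory export) and the connection lines from whatever per-app flow source you have; a `medium` alert is an audit finding to review, a `high` one combines the accessibility grant with the C2 pattern the report describes and merits isolating the device.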
## Related Tools/Techniques
- **SpySolr:** The predecessor codebase for BTMOB.
- **Hook / Ermac:** Similar Android-based MaaS RATs/Banking trojans that utilize accessibility abuse.