Btmob RAT: A New Evolution of Android Malware Targets Users via Phishing Sites

A newly discovered Android malware, Btmob RAT, has been identified as a major threat to mobile users. The malware evolved from an earlier strain, SpySolr, and carries multiple advanced capabilities to target its victims. Leveraging phishing sites as its primary distribution method, Btmob RAT exploits Android's Accessibility Service to steal credentials, take control of devices remotely, and perform a range of malicious actions. The malware also shares several similarities with other Android threats like Crax RAT and has raised concerns among security researchers. Btmob RAT's Evolution and Capabilities [caption id="attachment_100878" align="alignnone" width="1003"] BTMOB RAT announcement on the SpySolr Telegram Channel (Source: Cyble)[/caption] Btmob RAT is part of a growing trend in sophisticated Android malware targeting mobile users. Discovered by Cyble Research and Intelligence Labs (CRIL) on January 31, 2025, and reported today, Btmob RAT is actively spreading through phishing sites, particularly those impersonating popular streaming platforms such as iNat TV and fake cryptocurrency mining websites. The malware is designed to exploit Android's Accessibility Services to initiate a range of malicious activities, including remote control, credential theft, data exfiltration, and even device unlocking. What makes Btmob RAT particularly interesting is its seamless integration with WebSocket-based command and control (C&C) communication. This allows the malware to execute commands in real-time, facilitating the theft of sensitive data and providing attackers with control over infected devices. How Btmob RAT Spreads Phishing sites have been identified as the primary distribution method for Btmob RAT. On January 31, Cyble analyzed an infected APK file named lnat-tv-pro.apk that was being distributed through a phishing site posing as iNat TV, an online streaming platform based in Turkey. The malware was flagged by SpySolr malware detection, which pointed to its connection to Crax RAT and its creator, a cybercriminal known as EVLF. According to Cyble’s research, the malware sample downloaded from the phishing site connected to a WebSocket server at hxxp://server[.]yaarsa.com/con, revealing that it was running the latest version, BT-v2.5. This connection provided real-time control to the attacker, enabling actions such as screen sharing, keylogging, and data injection. The threat actor behind this malware is actively promoting Btmob RAT through Telegram, offering paid licenses and continuous updates for $5,000 with an additional $300 per month for ongoing support. How Btmob RAT Operates Once Btmob RAT is installed on a victim’s device, it prompts the user to enable Accessibility Services. Once granted, the malware exploits this access to automate a variety of harmful actions. The WebSocket connection facilitates bidirectional communication between the infected device and the C&C server, allowing the malware to execute various commands and exfiltrate sensitive data. The malware can also execute commands such as: Keylogging: Capturing typed input from the user. Credential Theft: Injecting fake login pages into legitimate apps and capturing user-entered data. Live Screen Sharing: Enabling attackers to view and control the device's screen remotely. File Management: Downloading, deleting, and manipulating files on the infected device. Audio Recording: Accessing microphone data to record conversations. Additionally, Btmob RAT can bypass security features, including device locks, and remotely unlock devices by simulating password or PIN inputs using Accessibility Services. A Threat Actor with a Persistent Focus: EVLF and Btmob RAT's Future The cybercriminal known as EVLF is an active participant in the distribution of Btmob RAT and other malicious tools. Through Telegram, EVLF is continuously updating the Btmob RAT to enhance its functionality and evade detection. The malware's ability to receive 16 different commands from its C&C server demonstrates a high level of flexibility and persistence. These commands enable the attacker to execute a range of malicious activities, from stealing contact lists and SMS messages to manipulating device audio settings. The malware’s design and the involvement of EVLF indicate that Btmob RAT is not only a sophisticated tool but also a persistent threat. This ongoing evolution, driven by regular updates and the addition of new features, ensures that Btmob RAT will remain a matter concern for mobile device security. Btmob RAT Technical Details The technical workings of Btmob RAT involve several layers of control and exfiltration. When the malware is installed, it requests the user to grant Accessibility Service permissions. Once this permission is granted, the malware proceeds to manage the device’s operations, including granting itself additional permissions without user intervention. It then connects to a WebSocket server to initiate commands and receive updates. Command Types: The malware can receive five types of responses from the C&C server, including commands to execute actions, stop activities, or establish new connections. Data Exfiltration: It transmits various device details back to the C&C server, including the device name, OS version, battery status, and installed applications. WebView Injection: The malware injects fake login pages into apps, steals user-entered credentials, and sends them to the server for further exploitation. The screen and ject commands further enhance Btmob RAT's capabilities. The screen command enables live screen sharing, allowing attackers to view the victim’s device in real-time. The ject command handles HTML injections, allowing the malware to display phishing pages that capture sensitive data such as passwords and credit card details. Recommendation and Mitigation Strategies Given the sophistication of Btmob RAT, Android users need to remain vigilant and adopt better cybersecurity measures. Here are several key recommendations to reduce the risk of infection: Avoid Phishing Sites: Users should exercise caution when clicking on links received via email or SMS. Ensure the URL is legitimate before downloading any files or apps. Enable Google Play Protect: Always ensure that Google Play Protect is enabled on Android devices to block potentially harmful apps. Use Antivirus Software: Install reputable antivirus software to detect and remove Android malware like Btmob RAT. Regularly Update Devices: Keeping Android devices up-to-date ensures that security vulnerabilities are patched promptly, reducing the risk of exploitation. Enable Multi-factor Authentication (MFA): Always enable MFA for accounts where possible to add an extra layer of protection. Conclusion The Btmob RAT is a serious and evolving threat to Android users. Building on the legacy of SpySolr and other malware like Crax RAT, this Android malware leverages advanced techniques to exploit Accessibility Services, steal sensitive data, and control devices remotely. As the threat actor behind Btmob RAT, EVLF, continues to update and promote the malware, users must take proactive steps to protect their devices and personal information.