BTMOB RAT is an Android remote access trojan that ESET researchers have identified as a growing threat well beyond its origins in Brazil and Latin America. Unlike typical Android malware that targets a single attack vector, BTMOB RAT combines device takeover, financial fraud, data theft, and a built-in payload builder that lets criminals launch targeted phishing campaigns without writing any code.

The threat gained public attention through ANY.RUN’s malware sandbox analysis in February 2025 and a detailed technical breakdown by Cyble. Since then, new variants have continued appearing at a rapid pace, reflecting active development and a commercial distribution model that keeps the barrier to entry low for attackers.
What Is BTMOB RAT
BTMOB RAT is a remote access trojan designed specifically for Android devices. It evolved from the SpySolr malware family and stands apart from standard banking trojans by offering a much wider set of capabilities. Where a banking trojan focuses on stealing financial credentials or intercepting transactions, BTMOB RAT gives an attacker comprehensive control over the infected device.
Its core capabilities include:
- Stealing sensitive data stored on the device
- Intercepting financial transactions in real time
- Performing overlay attacks on banking and payment apps, including Alipay
- Capturing screenshots and recording device activity
- Taking full remote control of the device
- Downloading and executing additional malicious modules
- Disabling Google Play Protect
- Hiding the app icon to block easy removal
- Preventing sleep mode to maintain persistent access
ESET detects the primary version as MSIL/BtmobRat. Related Android variants trigger detection names including Android/Spy.Agent.EIJ, Android/Spy.Agent.EIK, Android/Spy.Spysolr.A, and Android/TrojanDropper.Agent.NES.
How BTMOB RAT Spreads on Android
BTMOB RAT reaches victims through social engineering. Operators direct targets to phishing websites that impersonate streaming services, cryptocurrency mining platforms, fake WhatsApp mods, or government agency portals. From those phishing sites, victims land on pages that mimic the Google Play Store interface and receive a prompt to download a malicious APK.
Security researchers @johnk3r and @Merlax_ documented campaigns where operators impersonated Argentina’s tax and customs authorities, showing how BTMOB buyers tailor lures for specific regions and demographics. Samples captured in ANY.RUN’s sandbox include files disguised as SnakeVPN, FasterVPN, and ClearVPN, confirming the malware also travels under the cover of VPN apps.
BTMOB’s payload builder makes this level of customization accessible to anyone with a purchase. The builder lets operators select which permissions the APK requests on installation, configure what actions the app takes after installation, and adapt phishing lures to impersonate the brand or agency most likely to succeed in a given country. No coding knowledge is required.
PromptSpy, another recent Android threat, uses generative AI to craft attack strings at runtime. BTMOB RAT takes a different approach and puts the customization power directly in the hands of the operator before deployment, then generates new payloads on demand.
What BTMOB RAT Does After Installation
Once the victim installs the malicious APK, BTMOB RAT requests access to Android Accessibility Services. Rather than waiting for the user to tap Allow, it uses Input Injection to automatically press the Allow button on its own permission dialogs, granting itself elevated access without genuine user consent.
Accessibility Services access is the turning point. With it, the malware can:
- Read the screen and capture content from any open app
- Inject taps and gestures to interact with apps on behalf of the user
- Intercept and suppress notifications, including two-factor authentication codes
- Overlay transparent windows on top of banking apps to silently capture login credentials in real time
BTMOB stores its configuration in Android’s SharedPreferences storage as an XML file. This configuration file defines which capabilities the variant activates, which command and control (C&C) server it contacts, and what data it collects. All commands and stolen data travel through encrypted channels to attacker-controlled servers, which complicates traffic analysis.
The malware also implements a Prevent Application Removal mechanism. It monitors Android Settings and intercepts any attempt to uninstall it, blocking its own removal without special intervention from the user.
BTMOB RAT as a Malware-as-a-Service Platform
BTMOB operates openly as a malware-as-a-service (MaaS) platform. A promotional page on the surface web funnels buyers to a Telegram operator, and accounts on X and Instagram actively advertise the tool. Sales take place through private Telegram channels.
The pricing is commercial grade:
- Monthly subscription: $700
- Lifetime license: $5,000 (plus a monthly support fee)
Cyble’s February 2025 research recorded roughly 15 BTMOB 2.5 samples within approximately two weeks in early 2025, a pace that reflects active development rather than a static release.
In January 2026, a dark web forum claimed to offer BTMOB-related files for free. The forum went offline before researchers could recover the payloads, but the episode points to a familiar pattern with commercial malware: access rarely stays contained. Resale, barter, and sharing inside closed groups can carry the tool into the hands of less sophisticated actors well beyond the original customer base.
The AMOS macOS Stealer followed a similar commercial distribution path and expanded into secondary markets the same way. Like BTMOB, it moved through Telegram channels and reached users outside its initial focus region as its buyer network grew.
Because each buyer generates new payloads rapidly, defenders should expect high sample turnover. Static detection rules struggle to keep pace with variants the builder produces in minutes.
Detection Challenges and Current Signatures
ESET continues tracking BTMOB RAT and updating static detection rules. However, the rapid payload generation capability built into the MaaS platform means single-layered defenses often fall behind new variants.
Current ESET detection names cover a broad range of the family:
- MSIL/BtmobRat
- Android/Agent.FQK
- Android/Spy.Agent.EIJ
- Android/Spy.Agent.EIK
- Android/Spy.Spysolr.A
- Android/TrojanDropper.Agent.NES
- Android/TrojanDropper.Agent.NDK
- Android/Spy.Agent.EED
- Android/Spy.Agent.EUG
- Android/Spy.Agent.EWN
Organizations running mobile device management solutions should treat any alert on these signatures as high priority, given BTMOB’s capability to access corporate email, VPN credentials, and authentication apps on employee devices.
How to Protect Your Android Device from BTMOB RAT
Install apps only from the official Google Play Store: BTMOB RAT depends entirely on fake app stores to deliver its payload. Staying on the official repository and keeping Google Play Protect active removes the primary delivery vector.
Treat all unsolicited download links as suspicious: Phishing lures arrive through messaging apps, email, social media, and targeted ads. BTMOB operators invest in localized, convincing lures, so skepticism toward any unexpected link matters regardless of how legitimate the source appears.
Audit Accessibility Services permissions immediately: Open Settings, navigate to Accessibility, and revoke access for any app that does not genuinely require it. No streaming service, VPN, or crypto platform needs Accessibility access to function. Any app demanding it during installation is a strong warning sign.
Use mobile security software: ESET, Cyble, and other vendors actively track BTMOB variants and push detection updates regularly. Running a reputable Android security app provides an additional detection layer.
Keep Android and all apps updated: Security patches close vulnerabilities that malware exploits to escalate privileges and establish persistent footholds.
Watch for behavioral signs: Unexplained battery drain, unexpected mobile data usage, apps you did not install, and any app requesting Accessibility Services without a clear reason all warrant immediate investigation.
Frequently Asked Questions
What is BTMOB RAT?
BTMOB RAT is an Android remote access trojan distributed as a malware-as-a-service platform. It gives attackers full remote control over infected devices, with capabilities including data theft, financial transaction interception, overlay attacks on banking apps, screenshot capture, and persistent device access that survives standard removal attempts.
How does BTMOB RAT infect Android devices?
BTMOB RAT spreads through phishing websites that pose as streaming services, VPN apps, government portals, or crypto platforms. Victims download a malicious APK from a fake Google Play Store page. After installation, the malware requests Accessibility Services access and uses Input Injection to approve its own permission prompts without user action.
Is BTMOB RAT only active in Brazil?
BTMOB RAT originated with the heaviest activity in Brazil and Latin America, but its MaaS builder lets any buyer generate localized phishing lures for any country. Active campaigns targeting Argentina and Morocco confirm the threat has already expanded well beyond its origins.
How much does BTMOB RAT cost for cybercriminals?
BTMOB RAT sells for $700 per month or $5,000 for a lifetime license, with transactions handled through private Telegram channels. A dark web forum in January 2026 also claimed to offer BTMOB files for free, though researchers could not verify the payload before the forum went offline.
How do I know if BTMOB RAT is on my Android device?
Potential signs include apps you did not install, unusual battery drain, unexpected mobile data usage, and prompts requesting Accessibility Services access with no plausible justification. Scanning with an updated mobile security app such as ESET Mobile Security can detect known BTMOB variants.
How do I remove BTMOB RAT from Android?
Boot the device into Safe Mode to disable third-party apps, then go to Settings > Apps and look for entries you do not recognize or that resist standard uninstallation. Revoke all Accessibility Services permissions and scan the device with an updated security tool. If standard removal fails, a factory reset is the most reliable option to fully eliminate the malware.
