A stealthy RAT burrowing deep into Android devices
BTMOB is an Android remote access trojan (RAT) that evolved from the SpySolr malware family. It is distributed via phishing campaigns and fake app stores impersonating streaming services, cryptocurrency platforms, and government agencies. The malware abuses Android Accessibility Services to gain elevated permissions, enabling it to exfiltrate sensitive data, capture screenshots, record device activity, and establish remote control of infected devices. BTMOB is marketed as malware-as-a-service with an APK builder interface allowing rapid payload creation without coding skills. Its phishing lures are regionally customized, including campaigns targeting Argentine tax authorities, indicating a global reach. There is no known patch or official remediation, and no known exploits in the wild have been reported. The threat is assessed as medium severity based on its capabilities and distribution methods.
AI Analysis
Technical Summary
BTMOB is a stealthy Android RAT derived from SpySolr malware that combines phishing-led delivery with an APK builder interface for easy payload generation. It is distributed through fake app stores impersonating legitimate services and abuses Android Accessibility Services to gain elevated permissions. This enables attackers to remotely control devices, exfiltrate data, capture screenshots, and record device activity. Marketed as malware-as-a-service with a $5,000 lifetime license, BTMOB supports customizable phishing lures tailored to specific regions, including Latin America. The malware represents a significant evolution beyond traditional banking trojans, with a rapidly evolving threat profile and global targeting. No official patches or vendor advisories are available, and no known exploits in the wild have been documented.
Potential Impact
BTMOB enables adversaries to gain persistent remote access to Android devices, allowing them to exfiltrate sensitive information, capture screenshots, record user activity, and control the device remotely. Its abuse of Accessibility Services allows it to bypass typical permission restrictions, increasing its stealth and effectiveness. The malware's distribution via phishing and fake app stores increases the risk of infection among users who download apps from unofficial sources. The availability of an APK builder lowers the technical barrier for attackers, potentially increasing the volume of attacks. Regionally customized phishing campaigns, such as those targeting Argentine tax authorities, demonstrate its adaptability and targeted impact.
Mitigation Recommendations
No official patch or vendor advisory is available for BTMOB. Mitigation should focus on user education: train users to recognize phishing attempts and to install apps only from official app stores. Monitoring for suspicious use of Accessibility Services on Android devices may help detect infections. Since this is malware-as-a-service with customizable payloads, organizations should deploy mobile threat defense solutions capable of detecting RAT behaviors. Regularly updating the Android OS and security software is recommended, although no direct patch for this malware exists. Incident response teams should be prepared to investigate and remediate infections based on behavioral indicators.
Indicators of Compromise
- ip: 191.96.225.241
- ip: 191.96.79.41
- ip: 191.96.79.133
- ip: 200.9.155.153
- ip: 191.96.224.87
- ip: 191.96.78.172
- ip: 195.160.221.203
- hash: 25e3c200de4868d754a3b4f4f09ec2bf
- hash: 0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35
- ip: 191.96.79.179
- domain: arbsniper.com
- ip: 191.101.131.250
- ip: 191.96.78.28
- hash: aa56f350882ce63429c6626567487b041f06168bb60f4fc371a262eabadfa660
- hash: 0628ad6d1fd836b13b22e75fa169502d8ce78b7ad20f0261eb5151da98437bca
- hash: 0f22e6ed962180838c03cb70af8bd66a
- hash: 1011ac97559249522143d32338b08036
- hash: 26ce4d8ea691bb54864c3455ed6b7620
- hash: 3673d505d3050503be6f30eb235afcc4
- hash: 38fe4db3b191c2ccb3cd71a36a38b9d6
- hash: 516e0f3e44924d0a5595b4e28728d291
- hash: 53d007e850871473321f3a4f68ab3615
- hash: 54ce4a5145402b10b4660312ffe8385f
- hash: 54d37f09251cbe283f42f64964083ca8
- hash: 5652ea26835619fdd6b3609326ba9ea0
- hash: 61c30bd7eb4914eb9419661af821944c
- hash: 7881c012c247d29dbf43b05c8b042cc1
- hash: 7db5fb56b60db0077b86e00eeff37394
- hash: 7e2ab284b1068420178f0ced7895c064
- hash: 7f493c8b8c3a1117c90e1f679c782d42
- hash: 9989b5cf30f42f3ac013b5fb4c898b07
- hash: a4bd7b38313d8cd94e76a48b83683f57
- hash: a7a5c56f3549a65fe18ed356c56c595a
- hash: bb02daf9c37f7cd0df5a2ca0c0c1790f
- hash: bfd7d041bdfb28b62921b64af068ccab
- hash: c09e71fca97d609f48b0de1ffd669454
- hash: cd882f00cb63cfb382a4fa6013705ca6
- hash: d15a9b899b55b379933871ffb303613a
- hash: d46ba296b0a3894b04597a7c4cd731c7
- hash: dbd8934e2e80890a7067097079a40182
- hash: 015259747ddb8f227fe56a6d12b0fc7f0dadd20e
- hash: 0198883f685b52ff5adf0f7d2e64adbbf3c9c9da
- hash: 1cb0d3de945cec63dc0cd00cb4404d48079e565b
- hash: 2de67a7c23d3b96b3dbec9a81cf3e01ebefdeee9
- hash: 3544b924c689b5d93b9452ad4e53bdfe86aef3c3
- hash: 4038a93e767eac600e344ad9707a1c4643f0cb4b
- hash: 5798d4eeb49cb3da09e2236ed3606332412e93e9
- hash: 5c9d9649b439b86cf18987865b32dab228ace037
- hash: 5cf24613f0c98f8bf7f90a8da6e028c62a2d0a76
- hash: 606c4427da725b5dd7d399cb3177009e66432cc7
- hash: 6409d1583a15a906ff76556ae0cb8a3611145ec3
- hash: 6cc79ccdcf6a1fd08d69479f830f85a258152abf
- hash: 72b086db438d2cf2574b3ecd62c022fea7b85c36
- hash: 79e9925c155be31a917aa595ca1a41dd46486259
- hash: 7ad568aa207f5bf58b75bbc388c2401b63169eb2
- hash: 8491a0c251ffd9cdbbd9d6bebbe2cb3a430f16e2
- hash: 8763e26ca6e9db481f49c4f8c15340e3093cae40
- hash: 8954f531421de2a8e9faa1857924a91963c2ce62
- hash: 91d17bf2241eb10deb245c9ce8eda6e39a18b3d1
- hash: 96f3b957f46d4ccea82b9d2ee0f5bbdc3d97d01b
- hash: 99d0bce258388ccce6ead0e4a36d7986c9c431db
- hash: a154ccae7aec83a3e85edc67c91ff9607fb27d8a
- hash: a7f68bd1566f67bbddb1a2a10ab093aa1d9366b5
- hash: e35893fabebb69483640687d6c43fab7919d46ed
- hash: ef2f51aa47fdc2372df6d561a3b881da8e518d6c
- hash: fda4e742ead8a0492c2d7cb61f256f1f400af06f
- hash: 02a52c4cc11748d44c9b49d508ee4e46425661981fa1406f30ec0830cb69ddc5
- hash: 140a7f995b0336942691a2e93e2017fd575267c017c7d0728d69169306f91963
- hash: 168f50bf9a87099094ef410e3ac33e676a6a8740a5437cd09e7b63d73df8431a
- hash: 1a60cb5f7e2fb7c09fc3dc8459108b26ac98ee73131f37a28cfdad5fc75b7a7d
- hash: 244d81fd9908cd17815501d4edadeb1baf1c421aa25d8bd61c7cb481c939540e
- hash: 2525d1e427a9983b0b4ca0906a4b44ffb9814b23d53fd8a2e3ab6512b027c733
- hash: 26a2268281e8043125ef72b92f8980b42912048753d56894bc378fb54c7c188a
- hash: 512ede9f2fa794907999f3c26165557fdfd383b7aad71ba022ce2c8ba6c0019d
- hash: 58ac130a8ebb09e37592ac69841483edc5695d1545b1f04f23d5b760ac17cd94
- hash: 5a4e86bbcf0ebc455d2995db225d9ad682e9b37b6bad472a604a462099d988bd
- hash: 5aaaf972c8bf39a98f2748e526de3cc0370ba831997d7d9765cdaba599645c0d
- hash: 6101d1e1811db052f869f7eb3402dad28da7e92103d4a44ee43f95846a075012
- hash: 676cb2d0a60403afc06cea1b572cb7261f706365fac65621b5a4907893e7ac0d
- hash: 6844ce1539014571360495c6fb50965e813c2721663bdd40d577d9e5163773c6
- hash: 6ae94ce710016d86ed7457236deef2c4c51478587f3609b6e827a348828b3931
- hash: 6bba64fa9e8a7b11cb2476cd071de08986db44b0783eff211c68fa5594ef8143
- hash: 6f9832ebb4c3054bee4a6ce5ccb69c00e2020053e1308353343097e6a4041109
- hash: 702261ba38b57ecc3a5407fed28b2f0611a74c2ec0c116aea4f9e6def0899aed
- hash: 752c1cfe783ed343e470ab95a4843a23872cdc98b7d3ed5633dd6c881c071a14
- hash: 75dd4fb011ed598374a46fc0d9c0d1d64a298341c34afc83a56a6983cfd27764
- hash: 7ac974899e8e05aaacd417577c97e382d5e8c5f7f4a85632cffb47ec2f6ae4e0
- hash: 8f09274e808e0063d51f34cac82a5770b3df30c792e426da2f6a80657f27affc
- hash: 97a0497de585d3be6ec75064ab3bd0979cd85561193c1f0669ccf4db31330687
- hash: 998a7ed1572ad9dc11375bc25294e1954e606b7cff9fabc5c120713e597cd274
- hash: a1e457c52eab430c20d48f2ac476e080386313f16efb135a0471902cf68ce475
- hash: a764d73795abe47ae640ba09999a18c47b5340e5ecc7b897afebf34f3f37638f
- hash: a892f1ef2e530d67bf948a48c734da3f27718eb8b883ca0b686ddb0a81071731
- hash: c6199e175fb988cbbeacdf0f5acdf9ed83f5bdaae5c95b7a6c27ee72cd11b0b1
- hash: c99139b0053c4c698ea0246d26d747f2a984c7aba4613da818ecd9f97899ef3a
- hash: d55057cd9110d12a192281356f06b94f342b9febb305cf0a5898a7e6af40758f
- hash: ddce0219923d152b8facd303f058a6286cf1f6924992b9fb9f5bf4d96436cc39
- hash: e5a9fdff900dd502e8f3dce52d2d1b69aa9afafb5094a28f9037e8770db0e63b
- hash: f76b13040c634f82a8332ff9443d84c89a5bced51ae9adad7fd15c05fadb4324
- hash: 1c085c7663518f499396cbe95b5613ca8e46a011
- hash: 434e9e0e6ccbf20172f31aab63586ea7
- hash: 589ac68824823649437f4ca3e03e94f0
- hash: 6377be88ba0ef67fb6ffab49c32ccfad
- hash: 94cd8ba7c79fa2962b505fcef5e25601
- hash: c4ed9c1043b924f1739f57a66731336beb8378c4
- hash: e1e5af28ab858893c9baec1e0d7f2f199f97f56b
- hash: ebfade04b81e5ac679ef7e6beff7b850e3ff6ded
- hash: f20ba894c80e68c9324e211565319523
- hash: 47ebf1f0ce0f93794b5db80e2a367fcb00fc9bff
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
- Adversary: null
- Pulse Id: 6a1cc51d7c8f832f819a0a43
- Threat Score: null
Threat ID: 6a1d4763e29bf47b50c79012
Added to database: 6/1/2026, 8:48:35 AM
Last enriched: 6/1/2026, 9:03:30 AM
Last updated: 6/1/2026, 3:35:59 PM
Views: 21