BTMOB RAT Gives Criminals a Point-and-Click Kit to Take Over Your Android Phone
May 29, 2026 
BTMOB sells Android full-device takeover as a kit, no coding needed. It steals data, records screens, and hands attackers remote control for $5,000 lifetime.
Most Android malware requires at least some technical competence to deploy, but the BTMOB doesn’t. The developers sell it with a built-in APK builder that lets buyers generate new malicious apps, swap phishing lures, and target different countries without writing a single line of code. That’s the part worth paying attention to.
ESET researcher Daniel Cunha Barbosa flagged BTMOB while reviewing threat detections in Brazil. It’s been around since at least early 2025, evolving from an older piece of malware called SpySolr, and it’s been picked up fast. The Android malware BTMOB is a full takeover.
“Unlike banking trojans, which “only” aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it.” reads the report published by ESET. “The RAT is also sold with an APK builder interface, allowing anyone to generate new payloads and adapt phishing lures for specific regions at a rapid clip – and without writing any code.”
The infection starts with a phishing message pointing victims to a fake website impersonating a streaming service, a crypto mining platform, or something similarly familiar. That site redirects victims to a fake app store that looks like Google Play and prompts them to install an APK. Once the APK is installed on the device, BTMOB abuses Android Accessibility Services to grant itself elevated permissions without any further user input. No second tap required.
The business model is worth examining. A lifetime license costs $5,000 plus a monthly support fee, low compared to what a successful fraud operation returns.
“Since it’s built for the malware-as-a-service (MaaS) economy, BTMOB is marketed as a software product, including through a promotional page on the open web that funnels prospective buyers to a Telegram operator. The sales pipeline extends across social media platforms, with a number of accounts on X and Instagram actively peddling the tool.” continues the report. “Once someone purchases the malicious kit, they can adapt its features, including the phishing lures so they impersonate the brand or agency most likely to lure victims in any given country.“
Researchers have already observed campaigns in Argentina impersonating the country’s tax and customs authority, AFIP. The kit makes that kind of localization trivial.
Distribution runs through an open web page linking to a Telegram channel, with active promotional accounts on X and Instagram. The researchers pointed out that there isn’t a dark web operation; it’s more like a SaaS vendor with a slightly unusual product category.
In January 2026, files related to BTMOB briefly appeared for free on a dark web forum before it went offline. ESET couldn’t recover the payloads, but the episode illustrates a pattern familiar with commercial malware: ‘access rarely stays contained forever and the tool can move into secondary markets through resale, barter or sharing inside closed groups.’
Once a toolkit like this leaks, the pool of people who can cause damage with it expands fast. Researchers warn that leaked or resold versions could spread quickly across underground markets. Because criminals can rapidly generate new variants, defenders face constant payload changes instead of a stable threat. Security firms have already identified multiple new BTMOB samples and related Android spyware variants appearing within short periods of time.
Detection names include Android/Spy.Agent.EIJ, Android/Spy.Agent.EIK, and MSIL/BtmobRat for the primary tool. A full list of indicators including IP addresses and SHA256 hashes is published in ESET’s report.
Most of the confirmed activity so far has been in Latin America, but the kit’s customization features make regional containment a poor assumption. Any Android user who installs apps from outside official stores, clicks unsolicited links in messaging apps, or ignores security software on their phone is a viable target. The practical defense is unglamorous but solid: only install apps from Google Play, treat every unsolicited link as hostile, and run a mobile security solution. The people selling BTMOB are counting on you not to bother.
The report includes Indicators of compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Android Malware)
Stephan is the sports journalist for the Maple Grove Report.
