BTMOB (also tracked as BT_MOB_RAT) is a sophisticated Android RAT (Remote Access Trojan — malware that gives an attacker complete remote control over an infected device, including screen access, file exfiltration, and the ability to interact with apps as if they were sitting in front of the phone). It has been documented attacking banking customers and individuals in Brazil, Argentina, Spain, Portugal, and Mexico in 2025–2026. ESET researchers and Kaspersky's Global Research and Analysis Team (GReAT) have independently analysed the malware, which is sold as a MaaS (Malware-as-a-Service — a subscription model under which criminals rent access to a fully built malware kit without needing to write their own code) platform at $700 per month, making it accessible to threat actors without significant technical expertise.
// 01 BTMOB Android Malware: Technical Details
BTMOB is the successor to the CraxsRAT and SpySolr Android malware families, developed and marketed by a threat actor using the handle EVLF (@craxso on social media platforms). The malware has evolved rapidly since its first formal documentation in February 2025, with the current version (4.5.5) featuring enhanced APK obfuscation to complicate signature-based detection.
The central mechanism behind BTMOB's "full device takeover" capability is the abuse of Android's Accessibility Service (a legitimate Android API designed to help users with disabilities interact with their devices — it grants apps the ability to read screen contents, simulate taps and swipes, and approve system dialogs on behalf of the user). BTMOB requests Accessibility Service permission immediately after installation and, once granted, uses it to:
- Automatically approve additional permission requests without user intervention
- Monitor and intercept all on-screen content, including banking app PIN entry screens
- Simulate user interactions — taps, swipes, and text entry — to operate apps silently
- Suppress notification sounds and dismiss security warnings
On Android 13, 14, and 15, BTMOB uses documented Accessibility Service exploitation techniques to acquire certain sensitive permissions automatically after the initial grant, reducing the number of user-visible permission dialogs to a minimum.

Overlay attacks are BTMOB's primary financial theft mechanism. When the victim opens a legitimate banking application, BTMOB places a pixel-perfect HTML phishing layer over it — an exact copy of the bank's login screen rendered within a WebView. Credentials and PIN codes entered by the victim are captured and exfiltrated, while the underlying real banking app may simultaneously receive the legitimate credentials. This technique bypasses most banking app tampering-detection mechanisms because the legitimate app is running normally; only the visual layer presented to the user is fraudulent.
OTP (One-Time Password) interception neutralises SMS-based two-factor authentication. BTMOB uses Accessibility Service access to read incoming SMS messages, extract OTP codes, and relay them to the attacker's C2 (Command and Control — the attacker's server that receives stolen data and sends instructions to infected devices) server before the victim has a chance to use them. This means MFA based on SMS is not a reliable defence against BTMOB infections.
// 02 Exploitation Status and Threat Landscape
BTMOB is operated as a MaaS platform by EVLF, with a documented pricing structure:
- Monthly subscription: $700
- Lifetime licence: $1,200–$5,000 (varying reports)
- Complete server source code for self-hosted C2 infrastructure: $7,000
Critically, the server source code has already been leaked on underground forums and Telegram channels, meaning actors can now operate BTMOB infrastructure at zero cost. This dramatically lowers the barrier to entry and is expected to drive a significant increase in BTMOB-based campaigns from less sophisticated threat actors in the second half of 2026.
Kaspersky's GReAT documented a campaign distributing BTMOB bundled with the BeatBanker Trojan, disguised as a fake Starlink application targeting users in Latin America and Europe. The combination of two malware families in a single APK increases the attacker's return per infected device: BeatBanker focuses on Alipay and Brazilian PIX payment system fraud, while BTMOB provides the remote access and persistence layer.
The MITRE ATT&CK Mobile technique T1624.001 (Event Triggered Execution: Broadcast Receivers) describes BTMOB's persistence mechanism — it registers Android broadcast receivers that re-launch the malware whenever the device boots, receives an SMS, or detects a network change, making it extremely difficult to remove without a factory reset.
// 03 Who Is Affected
BTMOB targets Android users, with documented campaigns primarily in:
- Brazil — targeting Brazilian banking apps and PIX payment platform users
- Argentina — impersonating AFIP (Argentina's federal tax authority) to lure victims
- Spain, Portugal, Mexico — ESET identified additional campaigns targeting Spanish-language banking customers
Android versions 13, 14, and 15 are explicitly affected, with BTMOB's automatic permission-acquisition capabilities confirmed on these versions. Earlier Android versions may also be affected but are not explicitly named in ESET's analysis.
BTMOB does not exploit any unpatched Android vulnerability — it relies entirely on social engineering to get users to install it from outside the Google Play Store. Devices that allow only Play Store installations and have Google Play Protect enabled are partially protected, though Play Protect has historically had mixed detection rates against novel BTMOB variants due to the no-code builder's rapid mutation capability.
// 04 What You Should Do Right Now
- Never install APK files from outside the Google Play Store. BTMOB cannot infect a device without the user manually enabling "Unknown Sources" (or "Install from this source") and approving the installation. Delete any APK received via link, messaging app, or unofficial website without installing it.
- Do not grant Accessibility Service permission to apps that don't clearly need it. Legitimate apps that require Accessibility Service include screen readers and switch-access tools for users with disabilities. Banking apps, streaming services, and government apps do not require Accessibility Service. If an app requests it during installation, deny the permission and uninstall the app.
- Enable Google Play Protect and keep it updated. Go to Google Play Store → Menu → Play Protect → ensure scanning is enabled. BTMOB is detected by multiple vendors including ESET (MSIL/BtmobRat), Kaspersky (HEUR:Trojan-Spy.AndroidOS.SpyNote.dn), and Avast Mobile (Android:Evo-gen [Trj]).
- If you suspect infection, boot into Safe Mode immediately. Safe Mode disables all third-party apps. Go to Settings → Apps → locate the suspicious application → Uninstall. If the uninstall is blocked (a sign BTMOB has acquired device administrator privileges), go to Settings → Security → Device Admin Apps and revoke the permission before uninstalling.
- Use hardware security keys or authenticator app-based MFA instead of SMS. BTMOB intercepts SMS-delivered OTPs in real time. Hardware keys (FIDO2/YubiKey) and app-based TOTP (Time-based One-Time Password) authenticators are not accessible to BTMOB via the Accessibility Service.
- Monitor bank accounts daily for suspicious transactions. Overlay attacks can capture banking credentials before you notice any device anomaly. Set up real-time transaction alerts for all financial accounts and report suspicious activity to your bank immediately.
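The Accessibility Service and sideloading checks above can be scripted for triage of a suspect device over adb. The script below is an added defender-side example, not code from the article or from ESET or Kaspersky; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags every enabled accessibility service whose owning package was not installed from the Play Store. All package and service names in the samples are constructed.

```python
import re

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.starlink.updater/com.starlink.updater.AccessService"
)

# Constructed sample of `adb shell pm list packages -i` (installer=null means sideloaded)
SAMPLE_PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.starlink.updater  installer=null
"""

def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package, or None when the app was sideloaded."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_enabled_services(setting: str) -> list:
    """Split the colon-separated setting into (package, service_class) pairs.
    The setting reads "null" when nothing is enabled, which yields no pairs."""
    pairs = []
    for entry in setting.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs

def triage(setting: str, pm_output: str) -> list:
    """Return (package, service, installer) for every enabled accessibility service
    whose package did not come from the Play Store: candidates to revoke and uninstall."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_enabled_services(setting):
        installer = installers.get(pkg)
        if installer != PLAY_STORE_INSTALLER:
            findings.append((pkg, svc, installer))
    return findings

if __name__ == "__main__":
    for pkg, svc, installer in triage(SAMPLE_ENABLED, SAMPLE_PM_LIST):
        print(f"REVIEW: {pkg} ({svc}) installer={installer}")
```

A flagged package that also appears under Settings → Security → Device Admin Apps should have that privilege revoked before the uninstall, as described in the Safe Mode step above.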
// 05 Background: Understanding the Risk
The MaaS model has fundamentally changed the mobile threat landscape. Historically, banking trojans required significant technical expertise to develop and operate — a barrier that limited the number of active campaigns. BTMOB's no-code APK builder allows a subscriber to generate a customised, obfuscated malware sample targeting a specific bank in a specific country within minutes, with no reverse-engineering knowledge required. The result is a long-tail distribution of campaigns operated by hundreds of individual actors, making it impossible for any single takedown to stop BTMOB infections globally.
Android's Accessibility Service has been a persistent attack vector since at least 2017 (when the first Accessibility Service-abusing banking trojans appeared). Google has repeatedly attempted to restrict Accessibility Service access for apps not published through Google Play, but the restrictions can be bypassed by APKs installed via the sideloading path that BTMOB exploits. A lasting fix likely requires either mandatory attestation for all Accessibility Service grants (including sideloaded apps) or a more granular permission model that separates legitimate accessibility use cases from the broad device control BTMOB abuses.
The leaked BTMOB server source code is an important escalation factor. When functional RAT infrastructure source code circulates on underground forums, the operational knowledge becomes permanent: even if EVLF is arrested or stops development, dozens of independent actors will continue operating forks and derivatives. The BeatBanker + BTMOB bundle documented by Kaspersky is an early example of this derivative landscape beginning to emerge.
// 06 Conclusion
BTMOB is a full-device takeover Android RAT available as a $700/month subscription service, with leaked source code now circulating freely. It combines overlay banking attacks, OTP interception, and complete remote control via Accessibility Service abuse, targeting Android 13–15 users across Latin America and Europe. Users should never install apps from outside the Play Store, never grant Accessibility Service to apps that don't clearly need it, and replace SMS-based MFA with hardware keys or authenticator apps.