VYPR
researchPublished May 26, 2026· Updated May 28, 2026· 7 sources

BTMOB Android RAT Sold With No-Code Builder Lowers Entry Bar for Mobile Malware

Researchers at ESET have identified BTMOB, a new Android RAT sold as a malware-as-a-service platform that includes a no-code APK builder, enabling attackers to rapidly generate targeted phishing lures with minimal technical skill.

ESET researchers have documented a new Android remote access trojan (RAT) called BTMOB that is being sold as a malware-as-a-service (MaaS) platform with a built-in, no-code APK builder. The tool allows buyers to quickly generate customized malicious apps tailored for specific regions, dramatically lowering the technical barrier to deploying mobile malware. First documented in February 2025, BTMOB evolved from the earlier SpySolr family and represents a shift from traditional banking trojans toward more versatile device-takeover capabilities.

BTMOB's most distinctive feature is its commercial packaging — the RAT ships with an APK builder interface that lets buyers generate new payloads and retool phishing lures for specific countries without writing any code. This no-code builder is marketed alongside the malware itself, which is sold through a MaaS model promoted on a surface-web page that channels buyers to a Telegram operator, with additional seller accounts on X and Instagram. ESET reported a $5,000 lifetime license plus a monthly support fee — a modest investment relative to the potential proceeds of a successful fraud operation.

Distribution follows a familiar social-engineering pattern. Operators steer victims to phishing sites posing as streaming services, crypto-mining platforms or other recognizable brands, then funnel them toward fake app stores that prompt installation of a malicious APK. Once on the device, BTMOB abuses Android's Accessibility Services to escalate its own permissions and grant itself deeper system access without further user interaction. Researchers have already seen the kit adapted to impersonate local institutions, including campaigns spoofing Argentina's tax and customs authorities.

Beyond credential theft, BTMOB provides a full suite of device-takeover capabilities. It can exfiltrate SMS messages, call logs, and device data; capture screenshots; record on-device activity; and hand operators remote control of the phone. This extends well beyond the scope of a typical banking trojan, positioning BTMOB as a multi-purpose espionage and fraud tool.

The economic model behind BTMOB makes containment particularly challenging. Because new variants can be spun up so quickly using the no-code builder, ESET warned defenders to expect rapid payload turnover rather than a fixed set of samples. In January 2026, a dark web forum briefly advertised BTMOB files for free before going offline — a reminder that commercial malware rarely stays locked to paying customers once resale and sharing take hold.

ESET advised users to install apps only from official stores, treat unsolicited links with suspicion, and run mobile security software with the same rigor applied to other devices. "Corporate security teams must make it clear to employees that a single rogue download could expose the company's crown jewels," ESET concluded. The BTMOB campaign highlights the growing commoditization of Android malware through user-friendly tooling, making sophisticated mobile threats accessible to a wider range of criminal actors.

As no-code malware builders become more common, organizations face an expanding threat landscape where even low-skill attackers can deploy advanced RATs. This trend mirrors broader shifts in the cybercriminal ecosystem toward platform-based business models, lowering barriers to entry and increasing the volume and diversity of mobile threats.

ESET's latest report adds new detail on BTMOB's evolution from the SpySolr malware and its marketing as a $5,000 lifetime license with monthly support fees. The researchers document active campaigns impersonating Argentina's tax authority and note that a dark web forum offered BTMOB files for free download in January 2026, indicating the tool is spreading beyond initial paying customers. ESET also provides a fresh set of indicators of compromise, including 20 IP addresses and multiple SHA256 hashes, to aid in detection.

A new report from ESET, shared with Cyber Security News, provides deeper technical analysis of BTMOB, including SHA256 hashes and infrastructure IOCs such as domains like arbsniper[.]com and multiple IP addresses. The article also details specific phishing campaigns impersonating Argentine government agencies and streaming services, and notes that BTMOB v2.5 has already been observed in the wild, with leaked or pirated copies potentially broadening access to the malware.

ESET's latest report, shared by The Hacker News, reveals BTMOB's capabilities have expanded significantly since February 2025: the Android RAT now includes modules to unlock devices, capture screenshots, log keystrokes, and automate credential theft through HTML injections targeting specific apps. The malware also added Alipay PIN harvesting in a subsequent version, and is sold with an APK builder interface that enables no-code payload generation, lowering the barrier for threat actors. Priced at $700 per month or $1,200 for a lifetime license, with the server source code available for $7,000, BTMOB is advertised by a threat actor named EVLF and is believed to be the successor to CraxsRAT, CypherRAT, and SpySolr families.

SecurityWeek's coverage confirms that BTMOB is actively being delivered via phishing lures and enables full device takeover, combining financial theft, data exfiltration, and remote access capabilities. The report underscores that the malware represents a significant threat to Android users, particularly those targeted for financial fraud, and aligns with ESET's earlier findings on the malware's no-code builder lowering the entry barrier for attackers.

The Dark Reading article adds that BTMOB is now being distributed via a Malware-as-a-Service (MaaS) model with a $5,000 lifetime license, lowering the barrier for low-skill attackers. It also highlights a recent campaign in Argentina that impersonated the country's tax and customs authorities, demonstrating the RAT's ability to adapt lures to specific regions. The article further notes that BTMOB files were offered for free download on a Dark Web forum in January, though the forum later went offline, illustrating the risk of commercial malware leaking into secondary markets.

ESET's latest analysis reveals that BTMOB is sold via private Telegram channels for a $700 monthly subscription or a $5,000 lifetime license, and is distributed through phishing sites mimicking streaming services and cryptocurrency platforms. The malware abuses Android Accessibility Services to gain elevated permissions, and researchers have observed campaigns using an Argentinian government agency as a lure. ESET notes that BTMOB is an evolution of the SpySolr family, and its rapid payload generation can undermine single-layered defenses.

Synthesized by Vypr AI