Btmob RAT, a newly identified Android remote access trojan that evolved from the earlier SpySolr strain, has emerged as a significant threat to mobile users. Distributed mainly through phishing sites, it abuses Android's Accessibility Service (a legitimate feature, not a vulnerability) to steal credentials, take remote control of devices, and carry out a range of other malicious actions. Its similarities to other Android threats such as Crax RAT have drawn the attention of security researchers.
Identified by Cyble Research and Intelligence Labs (CRIL) on January 31, 2025, Btmob RAT is part of a growing trend of sophisticated Android malware aimed at mobile users. It is actively spreading through phishing sites that impersonate popular streaming platforms and fake cryptocurrency mining websites. By abusing Android's Accessibility Services, the malware can perform remote control, credential theft, data exfiltration, and device unlocking. Notably, Btmob RAT uses WebSocket-based command and control (C&C) communication, which lets the operator issue commands for data theft and device control and receive results in real time.
Phishing sites have been identified as the primary distribution method for Btmob RAT, based on an infected APK file found on a phishing site posing as iNat TV. The APK, which detection engines flagged as SpySolr, connects to a WebSocket server that gives the attacker real-time control, including screen sharing, keylogging, and injection. The threat actor behind Btmob RAT actively promotes the malware on Telegram, offering paid licenses and continuous updates.
Once installed on a device, Btmob RAT abuses Accessibility Services to automate harmful actions, establishes bidirectional communication with the C&C server, and executes commands for data exfiltration. The malware supports keylogging, credential theft, live screen sharing, file management, and audio recording. It can also defeat device lock protections, remotely unlocking the device through Accessibility Services. Because an app cannot grant itself accessibility access, the malware has to persuade the victim to enable its service in the system settings, so a streaming or mining app that asks for accessibility access is itself a red flag.
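The capability profile described above is visible statically in an app's manifest: an Accessibility Service is a `<service>` declared with the `BIND_ACCESSIBILITY_SERVICE` permission and an intent filter for the `android.accessibilityservice.AccessibilityService` action, and the keylogging, audio-recording and overlay features require corresponding permissions. The following added example (not code from the original page, Cyble, or the malware) triages a decoded AndroidManifest.xml for that combination; the two manifests it parses are constructed for illustration, and the package names and the scoring weights are assumptions. A real APK's binary XML must first be decoded with a tool such as apktool before it can be parsed this way.

```python
"""Static triage of a decoded AndroidManifest.xml for the Accessibility
Service + dangerous-permission profile of Btmob-style Android RATs.

Added example, not the original page's code. The manifests below are
constructed for illustration; the scoring weights are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions that, together with an Accessibility Service, map onto the
# capabilities described in the text (C&C, audio capture, overlays, ...).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.INTERNET": "C&C connectivity",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / credential theft",
    "android.permission.REQUEST_INSTALL_PACKAGES": "self-update or dropper",
    "android.permission.READ_SMS": "SMS / OTP theft",
    "android.permission.RECEIVE_SMS": "SMS / OTP theft",
}


def android_attr(name):
    """Qualify an attribute with the android: XML namespace for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(xml_text):
    """Return the package name, accessibility-bound services, suspicious
    permissions, an assumed risk score and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")

    # <uses-permission> elements are not namespaced; only their attributes are.
    requested = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    found = {p: SUSPICIOUS_PERMISSIONS[p] for p in sorted(requested)
             if p in SUSPICIOUS_PERMISSIONS}

    # An Accessibility Service is bound via BIND_ACCESSIBILITY_SERVICE and/or
    # an intent filter for the AccessibilityService action; check both.
    accessibility_services = []
    for svc in root.iter("service"):
        binds = svc.get(android_attr("permission")) == ACCESSIBILITY_BIND
        actions = {a.get(android_attr("name")) for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(android_attr("name")))

    # Assumed weighting: accessibility access counts as three findings.
    score = len(found) + (3 if accessibility_services else 0)
    verdict = "review" if accessibility_services and found else "low"
    return {
        "package": package,
        "accessibility_services": accessibility_services,
        "suspicious_permissions": found,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest resembling a fake streaming app with an Accessibility
# Service and the permissions behind audio recording and overlays.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamtv">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Stream TV">
        <service android:name=".svc.HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
            android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".svc.SyncService" android:exported="false"/>
    </application>
</manifest>
"""

# Constructed benign manifest: network access only, no Accessibility Service.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The check is deliberately broad: legitimate accessibility tools, password managers and some automation apps also declare an Accessibility Service, so a "review" verdict is a prompt for manual analysis (for example, following the WebSocket endpoint the app connects to), not a malware verdict on its own.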
The cybercriminal known as EVLF is associated with the distribution of Btmob RAT and continues to update the malware to extend its functionality and evade detection. This sustained investment in new capabilities indicates that Btmob RAT is a sophisticated and ongoing threat to mobile device security.
In conclusion, Btmob RAT poses a serious and evolving threat to Android users, abusing Accessibility Services to steal sensitive data and control devices remotely. As the threat actor behind the malware continues to update and promote it, users must take proactive measures to safeguard their devices and personal information. Avoiding phishing sites and sideloaded APKs, keeping Google Play Protect enabled, using reputable mobile security software, updating devices regularly, and enabling multi-factor authentication all reduce the risk of infection. Because this family depends on accessibility access, it is also worth periodically reviewing the enabled services under Settings > Accessibility and disabling any that were not deliberately turned on for a known app.
