# BTMOB RAT
BTMOB RAT is an Android remote access trojan sold as Malware-as-a-Service, evolved from the SpySolr malware (itself based on CraxRAT). Cyble Research and Intelligence Labs (CRIL) published the initial analysis on January 31, 2025, after identifying approximately 15 samples of version 2.5 spreading through phishing sites mimicking the Turkish streaming platform iNat TV and fake cryptocurrency mining services. BTMOB abuses Android's Accessibility Services for credential harvesting, uses WebView-based phishing overlays for login capture, monitors the clipboard for cryptocurrency addresses and passwords, and leverages the Media Projection API for live screen streaming. The threat actor behind BTMOB, tracked as "evlf_dev," actively markets the RAT through Telegram with a tiered licensing model and continuous version updates, with rapid iteration from v2.5 to v4 within a single year.
## Overview
| Attribute | Details |
|---|---|
| First Seen | January 2025 (CRIL identification) |
| Status | Active, rapid version iteration (v2.5 through v4 in 2025) |
| Type | RAT (MaaS) |
| Attribution | "evlf_dev" (Telegram-based threat actor) |
| Aliases | BT-MOB, BTMob |
| Lineage | Evolved from SpySolr, which derives from CraxRAT |
| Pricing | $5,000 lifetime license + $300/month updates; $7,000 custom build with private server; $10,000 full source code |
## Origin and Lineage
BTMOB descends from SpySolr, an Android RAT that itself derived from CraxRAT, which was developed by the threat actor EVLF. Cyble's analysis confirmed the lineage through shared C2 structures and codebase patterns, with VirusTotal detections flagging early BTMOB samples under SpySolr signatures. The progression from CraxRAT to SpySolr to BTMOB represents incremental refinement of the same core architecture rather than a ground-up rewrite.
The threat actor markets BTMOB through a dedicated Telegram channel, offering tiered licensing: a $5,000 one-time payment for a lifetime license with $300 monthly update fees, $7,000 for a custom version with a private server and admin panel, and $10,000 for the complete source code. This pricing positions BTMOB in the mid-range of the Android MaaS market, below premium offerings like Hook (pre-leak: $7,000/month) but above budget RATs.
D3Lab obtained a leaked archive containing the complete BTMOB development toolkit: Android payload source code, dropper, builder environment, Windows operator panel (BTMob.exe), C2 backend, and all dependencies required for full platform deployment. This leak enabled deep analysis of the operator-side infrastructure.
## Distribution
| Vector | Details |
|---|---|
| Phishing sites (streaming) | Fake iNat TV pages (Turkish streaming platform) serving trojanized APKs |
| Phishing sites (crypto) | Fake cryptocurrency mining platforms distributing BTMOB as mining apps |
| Telegram channels | Direct distribution through the threat actor's Telegram presence |
| Third-party APK sites | Hosted on unofficial Android app repositories |
The phishing sites are crafted to appear as legitimate download pages. Cyble documented a sample distributed through a site impersonating iNat TV, where the victim downloads what appears to be a streaming application. On installation, the app requests Accessibility Service permissions through a persistent prompt that loops until the user complies.
## Capabilities
### Credential Harvesting
| Technique | Implementation |
|---|---|
| WebView injection | The brows command loads arbitrary URLs or dynamically injected HTML into an invisible WebView, driving JavaScript-based harvesting of form inputs |
| Transparent overlays | Draws transparent or semi-transparent overlays on banking and payment apps to capture credentials without the victim's awareness |
| Accessibility keylogging | Captures keystrokes across all applications via Accessibility Service event monitoring |
| Lock screen capture | Intercepts lock screen PIN/pattern input through overlay interception |
The brows command is the primary credential theft mechanism. The C2 server can instruct BTMOB to load any URL or inject custom HTML into a hidden WebView, then use JavaScript to extract form field contents as the victim types. This allows operators to target any login page dynamically without pre-built overlay kits.
### Device Control
| Capability | Implementation |
|---|---|
| Live screen streaming | Media Projection API captures real-time screen content and streams to C2 |
| Remote interaction | Accessibility Service translates operator commands into taps, swipes, and text input |
| File management | Browse, download, and upload files on the device |
| Audio recording | Ambient audio capture via device microphone |
| Device unlock | Remote unlock through Accessibility-based gesture replay |
| App management | Install, uninstall, and launch applications remotely |
### Data Collection
| Category | Details |
|---|---|
| Clipboard monitoring | Continuously monitors clipboard for cryptocurrency wallet addresses, passwords, and OTPs |
| Device fingerprint | IMEI, model, OS version, carrier info, battery status |
| Installed applications | Enumerates all packages on the device |
| Contacts | Full address book exfiltration |
| SMS | Read and intercept SMS messages for OTP theft |
| Call logs | Call history extraction |
| Location | GPS coordinates and network-based positioning |
### Notification and Persistence
| Technique | Details |
|---|---|
| Notification suppression | Auto-hides notifications to conceal malicious activity from the user |
| Accessibility persistence | Monitors for attempts to disable Accessibility Service and re-enables it |
| Permission auto-grant | Uses Accessibility to silently grant runtime permissions without user interaction |
| Auto-update | RAT can update itself from C2 without user intervention |
## Technical Details
### C2 Communication
BTMOB uses WebSocket for real-time bidirectional communication with the C2 server, enabling persistent command-and-control without polling delays.
| Aspect | Details |
|---|---|
| Protocol | WebSocket for command/control, HTTP for bulk data exfiltration |
| Authentication | Bot identifies via device ID and bot ID on WebSocket connection |
| C2 path structure | Backend hosted under /yaarsa/ directory with user/, private/, and private/updates/ paths |
| Operator panel | BTMob.exe (Windows); authenticates with an email, password, and token obtained from the C2 web interface at /yaarsa/user/ |
| Endpoint signatures | yarsap_*.php endpoints under /yaarsa/private/ for plugin and update delivery |
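As an added detection example (not code from Cyble, D3Lab, or the BTMOB toolkit), the following Python classifies request paths from a web-server or proxy log against the /yaarsa/ directory layout and yarsap_*.php endpoint signatures described above. The Common Log Format line shape, the signature names, and the sample log lines are assumptions constructed for the example; 203.0.113.10 is a documentation address.

```python
import re
from typing import List, Optional, Tuple

# BTMOB C2 path signatures from the leaked backend layout: /yaarsa/ root,
# operator login under /yaarsa/user/, and yarsap_*.php plugin/update scripts
# under /yaarsa/private/ (and private/updates/). Most-specific first so the
# first match is the best label. Signature names are our own (assumption).
BTMOB_PATH_SIGNATURES = [
    ("btmob_c2_plugin_update",
     re.compile(r"^/yaarsa/private/(?:updates/)?yarsap_[a-z0-9_]+\.php$", re.I)),
    ("btmob_c2_private", re.compile(r"^/yaarsa/private/", re.I)),
    ("btmob_c2_operator_login", re.compile(r"^/yaarsa/user/", re.I)),
    ("btmob_c2_root", re.compile(r"^/yaarsa/", re.I)),
]

# Common Log Format request line; only source, timestamp, method, target are used.
CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" \d{3}')

def normalize_path(target: str) -> str:
    """Reduce a logged request target to its path: drop scheme/host and query."""
    if "://" in target:                      # absolute-form URL as seen at a proxy
        rest = target.split("://", 1)[1]
        target = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return target.split("?", 1)[0]

def classify_path(target: str) -> Optional[str]:
    """Return the BTMOB signature name for a request target, or None."""
    path = normalize_path(target)
    for name, pattern in BTMOB_PATH_SIGNATURES:
        if pattern.search(path):
            return name
    return None

def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (timestamp, source, method, path, signature) for each matching line."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m and (sig := classify_path(m["target"])):
            hits.append((m["ts"], m["src"], m["method"], normalize_path(m["target"]), sig))
    return hits

# Constructed sample log (not real traffic); 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Feb/2025:10:00:01 +0000] "POST /yaarsa/private/yarsap_plugin.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/Feb/2025:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 300',
    '10.0.0.5 - - [05/Feb/2025:10:00:03 +0000] "GET http://203.0.113.10/yaarsa/user/ HTTP/1.1" 200 1024',
    '10.0.0.9 - - [05/Feb/2025:10:00:04 +0000] "GET /yaarsa/private/updates/yarsap_update.php?v=4 HTTP/1.1" 200 2048',
]
```

Hits on the operator login path from an internal source are the more interesting signal, since they indicate a panel session rather than a bot check-in.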
### Operator Panel
D3Lab's analysis of the leaked toolkit revealed that BTMob.exe is a graphical shell around the C2 APIs and WebSocket channels. It displays infected devices, provides real-time screen viewing, allows remote interaction, and manages command execution. The operator authenticates against the C2 web interface and receives a session token for API access.
### Version Evolution
| Version | Key Changes |
|---|---|
| v2.5 | Updated APK SDK to Android 14, removed sticky notifications, fixed lock screen capture, auto-grants full file access, HTML APK injection |
| v3.0 | Auto RAT updates, full permission support for Android 14/15, improved encryption, live location tracking |
| v3.2 | Improved accessibility installation method, auto-hide notifications |
| v3.6 | Monthly subscription model introduced |
| v4.0 | Latest version with expanded feature set |
The rapid iteration cycle from v2.5 (January 2025) through v4.0 (late 2025) demonstrates active development. Each version addresses Android OS updates (particularly permission model changes in Android 14 and 15) and adds operator-requested features.
### Accessibility Service Abuse
BTMOB's Accessibility Service performs multiple functions simultaneously:
- Monitors foreground application changes to trigger overlay attacks
- Auto-grants runtime permissions during installation without user interaction
- Captures keystrokes across all applications
- Translates remote operator commands into on-device gestures for Device Take Over
- Prevents the user from navigating to settings to disable the service
- Reads screen content for data harvesting when overlays are not deployed
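An added triage example, not code from the page's sources: it correlates the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -i` to surface accessibility services enabled for sideloaded, non-allowlisted packages, which is the foothold the persistence and auto-grant behaviour above depends on. The output formats parsed, the allowlist, and the package names in the sample are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Packages whose accessibility services are expected on a managed fleet
# (constructed allowlist; replace with your own inventory).
ALLOWED_A11Y_PACKAGES = {"com.android.talkback", "com.google.android.marvin.talkback"}

# Installer package names that count as a store install; anything else,
# including 'null' (sideloaded APK, e.g. from a phishing site), is untrusted.
STORE_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(setting: str) -> List[str]:
    """Parse enabled_accessibility_services: colon-separated 'pkg/cls' entries (assumed format)."""
    return [s for s in setting.strip().split(":") if s]

def parse_installers(pm_output: str) -> Dict[str, str]:
    """Parse 'pm list packages -i' lines of the form 'package:<pkg>  installer=<pkg|null>' (assumed format)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"^package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def triage_accessibility(setting: str, pm_output: str) -> List[Tuple[str, str]]:
    """Return (service, reason) pairs for enabled accessibility services that warrant review."""
    installers = parse_installers(pm_output)
    findings = []
    for service in parse_enabled_services(setting):
        pkg = service.split("/", 1)[0]
        if pkg in ALLOWED_A11Y_PACKAGES:
            continue                          # expected assistive service
        installer = installers.get(pkg, "unknown")
        if installer not in STORE_INSTALLERS:
            findings.append((service, f"non-allowlisted accessibility service installed by {installer}"))
        else:
            findings.append((service, "non-allowlisted accessibility service from a store install"))
    return findings

# Constructed sample device state, not output from a real infection.
SAMPLE_SETTING = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.streamlure/com.example.streamlure.AccService")
SAMPLE_PM = """package:com.android.talkback  installer=com.android.vending
package:com.example.streamlure  installer=null
package:com.example.bank  installer=com.android.vending
"""
```

A sideloaded package holding an enabled accessibility service is the condition to act on first; a store-installed one still deserves review, since Accessibility-capable apps have reached Google Play before.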
## Target Regions
| Region | Distribution Method |
|---|---|
| Turkey | Primary target via iNat TV phishing sites |
| Global (crypto users) | Fake mining platform phishing sites |
| Global (MaaS customers) | Operators deploy against their own target regions |
As a MaaS product, BTMOB's ultimate target set depends on the individual operator purchasing the license. The developer's own campaigns focus on Turkish users through the iNat TV lure, but purchased instances target whatever region and user base the operator chooses.
## Notable Campaigns and Discoveries
January 31, 2025: Cyble Research and Intelligence Labs publishes the first public analysis of BTMOB RAT v2.5, identifying approximately 15 samples and documenting distribution through phishing sites impersonating iNat TV and cryptocurrency mining platforms. CRIL establishes the SpySolr/CraxRAT lineage.
February 2025: The Cyber Express, Security Online, and Broadcom publish follow-up coverage and detection advisories.
2025: D3Lab publishes "Inside BTMOB", a deep analysis of a leaked archive containing the complete BTMOB development toolkit. The analysis documents the C2 backend structure, operator panel authentication flow, WebSocket communication patterns, and the /yaarsa/ infrastructure signatures that enable defensive detection.
Late 2025: BTMOB reaches v4.0 with expanded capabilities and a growing operator base. ANY.RUN tracks increasing sample submissions as the MaaS ecosystem grows.
## Related Families
| Family | Relationship |
|---|---|
| Hook | Both are Android MaaS RATs with screen streaming, remote device interaction, and WebSocket C2 communication. Hook is more mature with a larger operator base following its source code leak. BTMOB is newer and still commercially licensed. |
| Ermac | Both occupy the Android MaaS market with overlay-based credential theft and Accessibility Service abuse. Ermac focuses on banking overlays while BTMOB emphasizes WebView injection and general-purpose RAT functionality. |
| Octo | Both provide live screen streaming and remote device control for on-device fraud. Octo uses VNC-like accessibility streaming while BTMOB leverages Media Projection API. |
| SpySolr | Direct predecessor to BTMOB, sharing C2 structure and core codebase. SpySolr itself derives from CraxRAT (by threat actor EVLF). |