BTMOB RAT: Newly Discovered Android Malware Spreading via Phishing Sites

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
On January 31, 2025, Cyble Research and Intelligence Labs (CRIL) identified a sample, lnat-tvpro.apk (13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248), being distributed via the phishing site “hxxps://tvipguncelpro[.]com/”, which impersonates iNat TV, an online streaming platform from Turkey, posing a serious threat to unsuspecting users.

On VirusTotal, the sample was flagged by Spysolr malware detection, which is based on Crax RAT, developed by the Threat Actor EVLF. During our analysis, we also checked the official Spysolr Telegram channel, where the TA announced a new project called “BTMOB RAT.”

The malware sample downloaded from the phishing site demonstrated typical RAT behavior, establishing a WebSocket connection with a Command and Control (C&C) server at hxxp://server[.]yaarsa.com/con. The request body revealed the “BTMOB” string along with version number “BT-v2.5”, confirming that the sample is indeed the latest version of BTMOB RAT.

Through their Telegram channel, the TA has been advertising BTMOB RAT, highlighting its capabilities, including live screen control, keylogging, injections, lock feature, and collecting various data from infected devices. The actor is offering a lifetime license for $5,000 (in a one-time payment) with an additional $300 per month for updates and support for the latest version of this malware.

Since late January 2025, we have identified approximately 15 samples of BTMOB RAT (v2.5) in circulation. Earlier variants, active since December 2024, were associated with SpySolr malware, which communicated with hxxps://spysolr[.]com/private/SpySolr_80541.php. The latest BTMOB RAT version exhibits a similar C&C structure and codebase, indicating that it is an upgraded version of SpySolr malware.
An additional BTMOB RAT sample was shared by MalwareHunterTeam and identified by 0x6rss. Like many other Android malware variants, the BTMOB RAT leverages the Accessibility service to carry out its malicious actions. The following section provides a detailed overview of these activities.
Campaign Details
Upon installation, the malware displays a screen urging the user to enable the Accessibility Service. Once the user turns on the Accessibility Service, the malware proceeds to grant the requested permissions automatically.

Meanwhile, the malware connects to the C&C server at “hxxp://78[.]135.93.123/yaarsa/private/yarsap_80541.php,” which follows a structure similar to the Spysolr malware. Once connected, it initiates a WebSocket connection for server-client communication and transmits JSON data containing the device ID (pid), BotID (idf), connection type (subc), and a message (msg).
The image below illustrates the “join” connection type request sent to the server, after which the client receives a “Connected” response with the “type” value in JSON.

Over the course of our analysis, we observed that the malware receives 5 different responses for value “type” as listed below:
| Type | Description |
|---|---|
| proxy | Establishes another WebSocket connection |
| stop | Stops activity based on the server response |
| join | Sends a join message along with the device ID and bot ID |
| com | The malware receives various commands through this response type |
| connected | The server sends this response upon successful connection establishment |
| Unauthorized access | The server sends this response when the client fails to register the device |
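As an added illustration of the message shapes just described (this is not code from the report or from the malware), the following Python classifier tags WebSocket frames whose JSON matches the field names above. The sample frames are constructed, and the key that names the command inside a "com" reply is not given in the report, so "cmd" is an assumption.

```python
import json

# Field names taken from the report: the join request carries pid/idf/subc/msg,
# server replies carry a "type" value. The key naming the command inside a
# "com" reply is NOT stated in the report; "cmd" is an assumption.
CLIENT_KEYS = {"pid", "idf", "subc", "msg"}
SERVER_TYPES = {"proxy", "stop", "join", "com", "connected", "Unauthorized access"}
KNOWN_COMMANDS = {"optns", "fetch", "brows", "lock", "ject", "file", "clip", "chat",
                  "wrk", "srh", "mic", "add", "bc", "upload", "screen", "scread"}


def classify_frame(direction, payload):
    """Return a short tag when a frame matches a BTMOB message shape, else None.

    direction is 'c2s' (device to server) or 's2c' (server to device).
    """
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    if direction == "c2s" and CLIENT_KEYS.issubset(obj):
        tag = "btmob-join" if obj.get("subc") == "join" else "btmob-client"
        # The report observed the "BTMOB" string and "BT-v2.5" version in the body.
        if "BTMOB" in str(obj.get("msg", "")):
            tag += "+banner"
        return tag
    if direction == "s2c" and obj.get("type") in SERVER_TYPES:
        if obj["type"] == "com" and obj.get("cmd") in KNOWN_COMMANDS:
            return "btmob-com:" + obj["cmd"]
        return "btmob-" + obj["type"].lower().replace(" ", "-")
    return None


def scan(frames):
    """Run classify_frame over (direction, payload) pairs and keep the hits."""
    hits = []
    for idx, (direction, payload) in enumerate(frames):
        tag = classify_frame(direction, payload)
        if tag:
            hits.append((idx, tag))
    return hits


# Constructed sample frames (not captured traffic), shaped on the report.
SAMPLE_FRAMES = [
    ("c2s", '{"pid":"device-0001","idf":"bot-7","subc":"join","msg":"BTMOB BT-v2.5"}'),
    ("s2c", '{"type":"connected"}'),
    ("s2c", '{"type":"com","cmd":"optns"}'),
    ("c2s", '{"event":"ping"}'),
    ("s2c", "not json at all"),
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_FRAMES):
        print(idx, tag)
```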
After successfully establishing a WebSocket connection, the malware transmits device-related information, including the device name, OS version, model, battery status, wallpaper, malicious app version number, and the status of malicious activities such as key logs, visited apps, visited links, notifications, and other activities.

The malware receives commands from the server using the “com” response type. The first command it received was “optns.” Along with this command, the server transmits the activity status to be initiated, which the malware then stores in a shared preference file.

Our analysis revealed that the malware receives a total of 16 commands from the server, each of which is listed below, along with its description.
| Command | Description |
|---|---|
| optns | Gets the action status used to enable malicious activities |
| fetch | Collects the file named in the response or the device phone number, depending on the subcommand |
| brows | Loads a URL into a WebView and performs actions driven by JavaScript |
| lock | Receives the lock PIN and other lock-related details and saves them to a Shared Preference variable |
| ject | Manages injection |
| file | Manages file operations |
| clip | Collects clipboard content |
| chat | Displays a window with the message received from the server, reads the reply entered in the edit field, and sends it to the server |
| wrk | Receives additional commands to perform other activities such as collecting SMS, contacts, location, and files, managing audio settings, launching an activity, and many others |
| srh | Searches for a file |
| mic | Records audio |
| add | Gets all collected data, including keylogs, active injections, links, device information, wallpaper, and SIM information |
| bc | Opens an alert window or displays a notification with the message received from the server |
| upload | Downloads injection files |
| screen | Handles live screen activity |
| scread | Collects content from the screen |
brows Command
The primary function of this command is to load a URL or HTML content into the WebView and execute actions like collecting input, clicking, and scrolling using JavaScript.
When the malware receives a "brows" command, the server sends additional parameters within a JSON object, including "ltype" and "extdata". The "ltype" parameter dictates specific actions for the malware, such as loading a URL or HTML code into the WebView, keeping a record of visited websites, along with timestamps and input data, and transmitting the collected data, as illustrated in Figures 9 and 10.

Once the malware loads a URL or HTML code into the WebView, it runs JavaScript to collect user-entered data from the webpage. The extracted information, which may include sensitive details like login credentials, along with the date and website link, is then stored in a JSON object.
Once the data is collected, it is saved in a map variable and later transmitted to the C&C server when the malware receives the "lp" value through the "ltype" parameter.

The malware can receive additional commands through the "extdata" parameter, which includes actions such as scrolling, clicking, entering text, navigating, and loading another URL.
The "text" and "enter" actions are executed using JavaScript, while navigation, scroll, and other movement-based actions are carried out using Motion events.

This feature enables the malware to steal login credentials while also providing various options to automate the credential theft process.
screen Command
When the malware initially receives the "optns" command, it checks the live screen activity status to determine whether to proceed. Based on this status, the malware then initiates screen capture using Media Projection.

To perform live actions, the malware receives the command “screen” along with different actions as listed below:
- L: With this action, the malware receives a "lock" value, determining whether to lock or unlock the device. It checks the lock type (PIN, password, or pattern) and unlocks the device accordingly.

If the device is locked with a password, the malware retrieves the saved password from the "mob_lck" shared preference variable, which was previously extracted during "LockActivity". It then enters the password using "ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", as shown in the figure below.

If the device is locked with a pattern or PIN, the malware retrieves the pattern coordinates or PIN digits and uses the dispatchGesture API to either draw the pattern or simulate taps on the PIN keypad to unlock the device.

- nav: Executes navigation actions such as returning to the home screen, switching to recent apps, or going back.
- vol: Adjusts the device’s audio volume.
- snap: Captures a screenshot.
- block: Displays a black screen to conceal live screen activity from the victim.
- paste: Gets the text from the server and enters it using “ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE”.
- sklecolor: Receives a color code to change the color of rectangular boundaries using the Accessibility Service API.
- skilton: Turns on the service responsible for capturing screen content.
ject Command
The malware utilizes the "ject" command to manage injection activities, including removing the injection list, collecting extracted data during injection, and deleting the extracted injection data from the device.

The malware maintains an ArrayList "d" to store target application package names, injection paths, and data collected from injection activities. It uses the "upload" command to download an injection ZIP file into the "/protected" directory. The ZIP file is then extracted, and its contents are saved using the "jctid" filename received from the server.

The malware retrieves the package name of the currently running application and checks if it exists in its list. If a match is found, it loads the corresponding injection HTML file from the "/protected" directory and launches "WebInjector.class" to execute the injection.

The WebInjector class loads the injected HTML phishing page into a WebView. When the user enters their credentials on this fake page, the malware captures the input and sends it to the C&C server.

wrk Command
When the malware receives a "wrk" command, it also gets a parameter called "cmnd", which includes additional instructions for executing various malicious activities.

This command enables the malware to perform various malicious activities, including:
- Collecting contacts, SMS, location data, installed apps, thumbnails, and device information.
- Controlling audio settings.
- Requesting permissions.
- Executing shell commands.
- Managing files (deleting, renaming, creating, encrypting, or decrypting).
- Terminating services.
- Taking screenshots.
- Stealing images.
Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
• Download and install software only from official app stores like Google Play Store or the iOS App Store.
• Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
• Be wary of opening any links received via SMS or emails delivered to your phone.
• Ensure that Google Play Protect is enabled on Android devices.
• Be careful while enabling any permissions.
• Keep your devices, operating systems, and applications updated.
Conclusion
BTMOB RAT, an evolution of the SpySolr malware, poses a significant threat to Android users by leveraging Accessibility Services to perform a wide range of malicious activities. From stealing login credentials through WebView injections to manipulating screen content, collecting sensitive data, and even unlocking devices remotely, this malware demonstrates a high level of sophistication.
This potent malware uses WebSocket communication with a C&C server to allow real-time command execution, making it a powerful tool for cybercriminals. The malware’s distribution through phishing websites and continuous updates by the threat actor indicate an ongoing effort to enhance its capabilities and evade detection.