A stealthy RAT burrowing deep into Android devices
Essential information
- Published: 01/06/2026 01:32
- Modified: 01/06/2026 08:50
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: accessibility abuse android rat apk builder brazil btmob latin america malware-as-a-service phishing campaigns remote access spysolr spysolr evolution
- Tags: 2026-05-31 accessibility abuse android rat apk-builder brazil btmob latin america malware-as-a-service phishing campaigns remote access spysolr spysolr evolution
- Related entities: 47 indicators, 47 observables, 2 malware, 3 others
Description
BTMOB is an Android remote access trojan that evolved from SpySolr malware and poses significant threats beyond traditional banking trojans. The malware combines phishing-led delivery with an APK builder interface that enables rapid payload generation without coding skills. Distributed through fake app stores impersonating streaming services, cryptocurrency platforms, and government agencies, BTMOB abuses Android Accessibility Services to gain elevated permissions. Marketed as malware-as-a-service with a reported $5,000 lifetime license, it provides adversaries with capabilities to exfiltrate sensitive data, capture screenshots, record device activity, and establish remote control. The tool's customizable phishing lures have been adapted for specific regions, including campaigns impersonating Argentine tax authorities, making it a rapidly evolving threat with global reach.