GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices

Nov. 19, 2025, 9:35 a.m.

Description

A sophisticated Android dropper impersonating the Google Play Store was discovered, distributing an app called 'GPT Trade'. This malicious application, disguised as an AI trading assistant, actually deploys two dangerous payloads: BTMob spyware and UASecurity Miner. The dropper creates directories, unpacks components, and generates new APK files before silently installing the malware. BTMob grants extensive device access, enabling credential theft and surveillance. UASecurity Miner focuses on persistence and remote control. The attack chain involves social engineering, APK generation, third-party packer services, and multiple command and control endpoints, reflecting a growing trend in modular Android threats.

Date

  • Created: Nov. 19, 2025, 8:56 a.m.
  • Published: Nov. 19, 2025, 8:56 a.m.
  • Modified: Nov. 19, 2025, 9:35 a.m.

Indicators


Attack Patterns

  • UASecurity Miner
  • GPT Trade
  • BTMob