# BTMOB RAT
BTMOB RAT is an Android remote access trojan sold as Malware-as-a-Service, evolved from the SpySolr malware (itself based on CraxsRAT). Cyble Research and Intelligence Labs (CRIL) published the initial analysis on January 31, 2025, after identifying approximately 15 samples of version 2.5 spreading through phishing sites mimicking the Turkish streaming platform iNat TV and fake cryptocurrency mining services. BTMOB abuses Android's Accessibility Services for credential harvesting, uses WebView-based phishing overlays for login capture, monitors the clipboard for cryptocurrency addresses and passwords, and leverages the Media Projection API for live screen streaming. The threat actor behind BTMOB, tracked as "evlf_dev," actively markets the RAT through Telegram with a tiered licensing model and continuous version updates, iterating from v2.5 to v4 within a single year.
## Overview
| Attribute | Details |
|---|---|
| First Seen | January 2025 (CRIL identification) |
| Status | Active, rapid version iteration (v2.5 through v4 in 2025) |
| Type | RAT (MaaS) |
| Attribution | "evlf_dev" (Telegram-based threat actor) |
| Aliases | BT-MOB, BTMob |
| Lineage | Evolved from SpySolr, which derives from CraxsRAT |
| Pricing | $5,000 lifetime license + $300/month updates; $7,000 custom build with private server; $10,000 full source code |
## Origin and Lineage
BTMOB descends from the EVLF lineage of leaked Android RAT source code (Syrian threat actor "EVLF"), through the chain CraxsRAT → CypherRAT → SpySolr → BTMOB. Cyble's analysis confirmed the lineage through shared C2 structures and codebase patterns, with multi-engine detections flagging early BTMOB samples under SpySolr signatures. The progression represents incremental refinement of the same core architecture rather than a ground-up rewrite. A leak of BTMOB v4.3 source code was reported in mid-2025, separate from earlier leaks of CraxsRAT and CypherRAT in the same lineage.
The trojan's internal bot-name plaintext (recovered from a v3.4.1 sample) is the literal string "BTMOB"; the version is held in a sc.a field as a literal "BT-v3.4.1" and reported to C2 as JSON field BTVR.
The threat actor markets BTMOB through a dedicated Telegram channel, offering tiered licensing: a $5,000 one-time payment for a lifetime license with $300 monthly update fees, $7,000 for a custom version with a private server and admin panel, and $10,000 for the complete source code. This pricing positions BTMOB in the mid-range of the Android MaaS market, below premium offerings like Hook (pre-leak: $7,000/month) but above budget RATs.
D3Lab obtained a leaked archive containing the complete BTMOB development toolkit: Android payload source code, dropper, builder environment, Windows operator panel (BTMob.exe), C2 backend, and all dependencies required for full platform deployment. This leak enabled deep analysis of the operator-side infrastructure.
## Distribution
| Vector | Details |
|---|---|
| Phishing sites (streaming) | Fake iNat TV pages (Turkish streaming platform) serving trojanized APKs |
| Phishing sites (crypto) | Fake cryptocurrency mining platforms distributing BTMOB as mining apps |
| Telegram channels | Direct distribution through the threat actor's Telegram presence |
| Third-party APK sites | Hosted on unofficial Android app repositories |
The phishing sites are crafted to appear as legitimate download pages. Cyble documented a v2.5 sample distributed through a site impersonating iNat TV, where the victim downloads what appears to be a streaming application. On installation, the app requests Accessibility Service permissions through a persistent prompt that loops until the user complies.
## Capabilities
### Credential Harvesting
| Technique | Implementation |
|---|---|
| WebView injection | The brows command loads arbitrary URLs or dynamically injected HTML into an invisible WebView, driving JavaScript-based harvesting of form inputs |
| Transparent overlays | Draws transparent or semi-transparent overlays on banking and payment apps to capture credentials without the victim's awareness |
| Accessibility keylogging | Captures keystrokes across all applications via Accessibility Service event monitoring |
| Lock screen capture | Intercepts lock screen PIN/pattern input through overlay interception |
The brows command is the primary credential theft mechanism. The C2 server can instruct BTMOB to load any URL or inject custom HTML into a hidden WebView, then use JavaScript to extract form field contents as the victim types. This allows operators to target any login page dynamically without pre-built overlay kits.
### Device Control
| Capability | Implementation |
|---|---|
| Live screen streaming | Media Projection API captures real-time screen content and streams to C2 |
| Remote interaction | Accessibility Service translates operator commands into taps, swipes, and text input |
| File management | Browse, download, and upload files on the device |
| Audio recording | Ambient audio capture via device microphone |
| Device unlock | Remote unlock through Accessibility-based gesture replay |
| App management | Install, uninstall, and launch applications remotely |
### Data Collection
| Category | Details |
|---|---|
| Clipboard monitoring | Continuously monitors clipboard for cryptocurrency wallet addresses, passwords, and OTPs |
| Device fingerprint | IMEI, model, OS version, carrier info, battery status |
| Installed applications | Enumerates all packages on the device |
| Contacts | Full address book exfiltration |
| SMS | Read and intercept SMS messages for OTP theft |
| Call logs | Call history extraction |
| Location | GPS coordinates and network-based positioning |
### Notification and Persistence
| Technique | Details |
|---|---|
| Notification suppression | Auto-hides notifications to conceal malicious activity from the user |
| Accessibility persistence | Monitors for attempts to disable Accessibility Service and re-enables it |
| Permission auto-grant | Uses Accessibility to silently grant runtime permissions without user interaction |
| Auto-update | RAT can update itself from C2 without user intervention |
## Technical Details
### C2 Communication
BTMOB uses WebSocket for real-time bidirectional communication with the C2 server, enabling persistent command-and-control without polling delays.
| Aspect | Details |
|---|---|
| Protocol | WebSocket for command/control, HTTP for bulk data exfiltration |
| Authentication | Bot identifies via device ID and bot ID on WebSocket connection |
| C2 path structure | Backend hosted under /yaarsa/ directory with user/, private/, and private/updates/ paths |
| Operator panel | BTMob.exe (Windows), authenticates via email, password, and token from the C2 web interface at /yaarsa/user/ |
| Endpoint signatures | yarsap_*.php endpoints under /yaarsa/private/ for plugin and update delivery |
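The path layout in the table above (backend under /yaarsa/, operator login at /yaarsa/user/, plugin and update delivery via yarsap_*.php under /yaarsa/private/) is the kind of signature a defender can run over proxy or web-server logs. The following is an added example written for this page, not code from Cyble, D3Lab or the BTMOB toolkit; the log line format and every host, IP and filename in the sample lines are constructed, and the three signature regexes are derived only from the paths documented here.

```python
import re
from typing import Dict, List

# Constructed sample proxy log lines (not from any real capture).
# Format assumed for this example: client_ip method host path status
SAMPLE_LOGS = [
    "10.0.0.5 POST c2.example.invalid /yaarsa/private/yarsap_update.php 200",
    "10.0.0.5 GET c2.example.invalid /yaarsa/user/ 200",
    "10.0.0.7 GET cdn.example.invalid /static/app.js 200",
    "10.0.0.9 GET c2.example.invalid /yaarsa/private/updates/plugin.bin 200",
    "10.0.0.9 GET other.example.invalid /yaarsa-notes/index.html 404",
]

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Signatures built from the documented BTMOB C2 layout.
YAARSA_ROOT = re.compile(r"^/yaarsa/(user|private)(/|$)")              # backend root + sub-dirs
YARSAP_PHP = re.compile(r"^/yaarsa/private/yarsap_[A-Za-z0-9_]+\.php$")  # plugin/update endpoints
UPDATES_DIR = re.compile(r"^/yaarsa/private/updates/")                  # update delivery path


def classify_request(path: str) -> List[str]:
    """Return the BTMOB-related tags that apply to one request path (most specific first)."""
    tags = []
    if YARSAP_PHP.match(path):
        tags.append("btmob_plugin_or_update_endpoint")
    if UPDATES_DIR.match(path):
        tags.append("btmob_updates_dir")
    if YAARSA_ROOT.match(path):
        tags.append("btmob_c2_path")
    return tags


def scan_logs(lines) -> List[Dict]:
    """Parse each log line and keep only requests that hit a documented BTMOB path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production scanner would count these
        tags = classify_request(m["path"])
        if tags:
            hits.append({"ip": m["ip"], "host": m["host"], "path": m["path"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

The anchored regexes deliberately require the /yaarsa/ directory to be a full path segment, so a look-alike such as /yaarsa-notes/ does not fire; the yarsap_ pattern is separate so that a hit on the plugin delivery endpoint can be given a higher severity than a generic backend-path hit.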
### Operator Panel
D3Lab's analysis of the leaked toolkit revealed that BTMob.exe is a graphical shell around the C2 APIs and WebSocket channels. It displays infected devices, provides real-time screen viewing, allows remote interaction, and manages command execution. The operator authenticates against the C2 web interface and receives a session token for API access.
### Version Evolution
| Version | Key Changes |
|---|---|
| v2.5 | Updated APK SDK to Android 14, removed sticky notifications, fixed lock screen capture, auto-grants full file access, HTML APK injection |
| v3.0 | Auto RAT updates, full permission support for Android 14/15, improved encryption, live location tracking |
| v3.2 | Improved accessibility installation method, auto-hide notifications |
| v3.4.1 | Confirmed in-the-wild build; internal version literal BT-v3.4.1 in sc.a reported via JSON field BTVR |
| v3.6 | Monthly subscription model introduced |
| v4.0 | Expanded feature set |
| v4.3 | Source code reportedly leaked mid-2025 (separate from earlier CraxsRAT and CypherRAT source leaks in the same lineage) |
The rapid iteration cycle from v2.5 (January 2025) through v4.x (late 2025) demonstrates active development. Each version addresses Android OS updates (particularly permission model changes in Android 14 and 15) and adds operator-requested features. The technical details below are version-tagged where derived from a specific sample, since wire format and crypto schemes have changed across builds.
### v3.4.1 Internals (sample-verified)
The following details were recovered from a v3.4.1 BTMOB sample. They apply specifically to v3.4.1 builds; other versions may differ.
WebSocket message protocol (handler logger.pipeliner.balancer.w.s(String)):
| Prefix | Meaning | JSON fields |
|---|---|---|
| Conf:{json} | Configuration push from C2 to bot | idf (bot id), cip (checksum/MAC), sk (server URL list, <-separated for fallbacks), ad (admin/IP) |
| CO:... (excluding :Sleep) | Wakeup trigger | None |
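A parser for the two documented v3.4.1 frame types, plus the bot-side BTVR version field mentioned under Origin and Lineage, as an added example for this page (it is not code from the sample or from the BTMOB toolkit). The sample frames are constructed: the hosts use the reserved .invalid domain, and the idf, cip and ad values are placeholders. Treating CO:Sleep as an exact-match exclusion, and treating the sk list as an ordered fallback sequence, are assumptions drawn from the table wording.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed server->bot frames, not captured traffic.
SAMPLE_FRAMES = [
    'Conf:{"idf":"bot-0001","cip":"PLACEHOLDER-CHECKSUM",'
    '"sk":"wss://c2-a.example.invalid/ws<wss://c2-b.example.invalid/ws","ad":"203.0.113.10"}',
    "CO:Wake",   # constructed wakeup body; the page only documents the CO: prefix
    "CO:Sleep",
    "Ping",      # constructed unknown frame
]


@dataclass
class C2Frame:
    kind: str                                          # conf | wakeup | sleep | other
    bot_id: Optional[str] = None                       # idf
    checksum: Optional[str] = None                     # cip
    servers: List[str] = field(default_factory=list)   # sk, split on '<'
    admin: Optional[str] = None                        # ad
    raw: str = ""


def parse_c2_frame(frame: str) -> C2Frame:
    """Classify one server->bot WebSocket frame by its v3.4.1 prefix."""
    if frame.startswith("Conf:"):
        body = json.loads(frame[len("Conf:"):])
        servers = [s for s in str(body.get("sk", "")).split("<") if s]
        return C2Frame("conf", body.get("idf"), body.get("cip"), servers, body.get("ad"), frame)
    if frame.startswith("CO:"):
        # Assumption: the ":Sleep" exclusion is the exact frame "CO:Sleep".
        return C2Frame("sleep" if frame == "CO:Sleep" else "wakeup", raw=frame)
    return C2Frame("other", raw=frame)


def next_c2(servers: List[str], failed: int) -> Optional[str]:
    """Server the bot would try after `failed` consecutive failures (ordered fallback assumption)."""
    return servers[failed] if 0 <= failed < len(servers) else None


def reported_version(bot_json: str) -> Optional[str]:
    """Extract BTVR from a bot->C2 JSON payload; None unless it is a 'BT-v' version literal."""
    try:
        value = json.loads(bot_json).get("BTVR")
    except (ValueError, AttributeError):
        return None
    return value if isinstance(value, str) and value.startswith("BT-v") else None


def summarize(frames) -> dict:
    """Count frames by kind, useful for eyeballing a decrypted WebSocket session."""
    counts: dict = {}
    for f in frames:
        kind = parse_c2_frame(f).kind
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    conf = parse_c2_frame(SAMPLE_FRAMES[0])
    print(conf.bot_id, conf.servers, conf.admin)
    print(summarize(SAMPLE_FRAMES))
```

Splitting sk on "<" is the detail worth keeping in detection tooling: a Conf frame carrying several fallback servers gives every C2 host in one place, so a decrypted session yields the full infrastructure list rather than only the host currently in use.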
String obfuscation: m70.a(data, key) is a repeating-XOR string decoder applied across the codebase. Smali-pass enumeration of a v3.4.1 trojan returned 3,412 call-site pairs yielding 1,352 unique decoded strings.
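An analyst re-implementation of the repeating-XOR scheme attributed to m70.a, with the deduplication step that turns call-site pairs into a unique string list, as an added example for this page (not the sample's own code). It assumes the decoder operates on byte arrays with a byte key; the call-site pairs below are constructed with the symmetric encoder and are not values from any real sample.

```python
from collections import Counter
from typing import Iterable, List, Tuple


def m70_decode(data: bytes, key: bytes) -> str:
    """Repeating-key XOR decode, the scheme attributed to m70.a(data, key).
    Operand types (bytes in, UTF-8 text out) are an assumption."""
    if not key:
        raise ValueError("empty key")
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return plain.decode("utf-8", errors="replace")


def m70_encode(text: str, key: bytes) -> bytes:
    """XOR is symmetric; used here only to build constructed fixtures."""
    raw = text.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))


# Constructed (data, key) pairs standing in for what a smali pass collects
# from m70.a(...) call sites. Plaintexts are strings the page attributes to
# the family or real Android permission names; keys are arbitrary.
CALL_SITES: List[Tuple[bytes, bytes]] = [
    (m70_encode("BTMOB", b"\x5a\x13"), b"\x5a\x13"),
    (m70_encode("BTVR", b"\x7e"), b"\x7e"),
    (m70_encode("BTMOB", b"\x01\x02\x03"), b"\x01\x02\x03"),
    (m70_encode("android.permission.BIND_ACCESSIBILITY_SERVICE", b"\x42\x24"), b"\x42\x24"),
    (m70_encode("BTVR", b"\x7e"), b"\x7e"),
]


def decode_call_sites(pairs: Iterable[Tuple[bytes, bytes]]) -> Counter:
    """Decode every call site and count recurrences of each plaintext;
    this is the many-pairs -> fewer-unique-strings reduction described above."""
    return Counter(m70_decode(data, key) for data, key in pairs)


def unique_strings(pairs: Iterable[Tuple[bytes, bytes]]) -> List[str]:
    """Sorted unique plaintexts, the list an analyst diffs against known-family strings."""
    return sorted(decode_call_sites(pairs))


if __name__ == "__main__":
    for text, n in decode_call_sites(CALL_SITES).most_common():
        print(f"{n:4d}  {text}")
```

The same plaintext encoded under different keys (the two "BTMOB" entries) collapses to one unique string, which is why the unique count is far below the call-site count; the Counter also makes heavily repeated strings, typically permission names and C2 field names, stand out first.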
Trojan-side AES (the jv scheme used for sensitive payloads such as the C2 fallback IP and overlay templates):
- Algorithm: AES-128 / CBC / PKCS5Padding
- Key derivation: PBKDF2-HmacSHA1, 65,536 iterations
- IV: hardcoded ASCII 2230209522049090
Surveilled browser packages (observed list in v3.4.1):
- com.android.browser
- com.brave.browser
- com.coloros.browser
- com.meizu.safe
- com.opera.browser
- com.sec.android.app.sbrowser
The presence of Chinese OEM browser packages (com.coloros.browser, com.meizu.safe) alongside Western and Korean OEM browsers indicates BTMOB is configured for broad regional reach regardless of the operator's targeted user base.
Notable absences: the v3.4.1 sample has no anti-Frida, anti-Xposed, anti-root, anti-debugger, or classic emulator-fingerprint checks; Frida instrumentation attached and ran unimpeded. Stealth in this build is structural (encrypted multi-stage payloads, per-build randomized identifiers in the surrounding dropper) rather than runtime-defensive.
### Accessibility Service Abuse
BTMOB's Accessibility Service performs multiple functions simultaneously:
- Monitors foreground application changes to trigger overlay attacks
- Auto-grants runtime permissions during installation without user interaction
- Captures keystrokes across all applications
- Translates remote operator commands into on-device gestures for Device Take Over
- Prevents the user from navigating to settings to disable the service
- Reads screen content for data harvesting when overlays are not deployed
## Target Regions
| Region | Distribution Method |
|---|---|
| Turkey | Primary target via iNat TV phishing sites |
| Global (crypto users) | Fake mining platform phishing sites |
| Global (MaaS customers) | Operators deploy against their own target regions |
As a MaaS product, BTMOB's ultimate target set depends on the individual operator purchasing the license. The developer's own campaigns focus on Turkish users through the iNat TV lure, but purchased instances target whatever region and user base the operator chooses.
## Notable Campaigns and Discoveries
January 31, 2025: Cyble Research and Intelligence Labs publishes the first public analysis of BTMOB RAT v2.5, identifying approximately 15 samples and documenting distribution through phishing sites impersonating iNat TV and cryptocurrency mining platforms. CRIL establishes the SpySolr/CraxsRAT lineage.
February 2025: The Cyber Express, Security Online, and Broadcom publish follow-up coverage and detection advisories.
2025: D3Lab publishes "Inside BTMOB", a deep analysis of a leaked archive containing the complete BTMOB development toolkit. The analysis documents the C2 backend structure, operator panel authentication flow, WebSocket communication patterns, and the /yaarsa/ infrastructure signatures that enable defensive detection.
Late 2025: BTMOB reaches v4.0 with expanded capabilities and a growing operator base. ANY.RUN tracks increasing sample submissions as the MaaS ecosystem grows.
## Related Families
| Family | Relationship |
|---|---|
| Hook | Both are Android MaaS RATs with screen streaming, remote device interaction, and WebSocket C2 communication. Hook is more mature with a larger operator base following its source code leak. BTMOB is newer and still commercially licensed. |
| Ermac | Both occupy the Android MaaS market with overlay-based credential theft and Accessibility Service abuse. Ermac focuses on banking overlays while BTMOB emphasizes WebView injection and general-purpose RAT functionality. |
| Octo | Both provide live screen streaming and remote device control for on-device fraud. Octo uses VNC-like accessibility streaming while BTMOB leverages Media Projection API. |
| SpySolr | Direct predecessor to BTMOB, sharing C2 structure and core codebase. SpySolr itself derives from CraxsRAT (by threat actor EVLF). |