
Prompting the victim to grant Accessibility Service access | Source: CRIL
A newly discovered Android Remote Access Trojan (RAT) called BTMOB RAT has been observed targeting unsuspecting users via phishing sites, according to a report from Cyble Research and Intelligence Labs (CRIL). The malware, an evolution of the SpySolr RAT, is designed for remote control, credential theft, and data exfiltration, making it a significant threat to Android users.
The malware is primarily distributed through phishing sites impersonating popular services, including fake streaming platforms like iNat TV and fraudulent cryptocurrency mining platforms. CRIL identified a malicious APK named lnat-tv-pro.apk hosted on the phishing site “hxxps://tvipguncelpro[.]com/”, which pretends to be a legitimate streaming service.
BTMOB RAT comes with a range of malicious functionalities, including:
- Live screen sharing
- File management
- Audio recording
- Keylogging
- Credential theft via web injections
- Device unlocking using Android’s Accessibility Service
CRIL notes that: “The malware abuses Android’s Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections.” This means that once installed, BTMOB RAT can take full control of an infected device without the user’s knowledge.
The malware establishes communication with a Command-and-Control (C&C) server via WebSockets, allowing real-time data theft and command execution. During analysis, researchers found the malware connecting to hxxp://server[.]yaarsa.com/con, confirming its active C&C communication.
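The two behaviours described above, Accessibility Service abuse and the C&C hostnames, give a defender something concrete to check. The following triage helper is an added example (not CRIL's tooling): it parses the value of Android's `enabled_accessibility_services` secure setting and flags any service not on an allowlist, and scans log lines for the indicators quoted in the article. The allowlist entry, the sample setting value and the sample log lines are constructed for the demonstration.

```python
"""Triage helper for the BTMOB RAT behaviours described in the article.

Added example, not CRIL's code. Two checks a defender can run against an
Android device (or logs pulled from it):
  1. Which accessibility services are enabled (the capability BTMOB abuses),
     compared against an allowlist of services you expect.
  2. Whether observed hostnames match the indicators quoted in the article.
"""
import re
import subprocess

# Indicators quoted in the article, kept defanged here and refanged for matching.
DEFANGED_IOCS = ["tvipguncelpro[.]com", "server[.]yaarsa.com"]
IOC_HOSTS = {h.replace("[.]", ".") for h in DEFANGED_IOCS}

# Hypothetical allowlist: accessibility services you expect on a managed fleet.
ALLOWED_SERVICES = {"com.google.android.marvin.talkback/.TalkBackService"}


def parse_enabled_services(raw: str) -> list[str]:
    """Parse the colon-separated output of
    `adb shell settings get secure enabled_accessibility_services`."""
    raw = raw.strip()
    if not raw or raw == "null":  # 'null' means nothing is enabled
        return []
    return [s for s in raw.split(":") if s]


def suspicious_services(raw: str, allowlist=ALLOWED_SERVICES) -> list[str]:
    """Return enabled accessibility services that are not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s not in allowlist]


def matching_ioc_hosts(log_lines) -> list[str]:
    """Return hosts in URL-bearing log lines that match the article's IOCs
    (exact host or a subdomain of one)."""
    host_re = re.compile(r"https?://([A-Za-z0-9.-]+)")
    hits = []
    for line in log_lines:
        for host in host_re.findall(line):
            h = host.lower()
            if h in IOC_HOSTS or any(h.endswith("." + ioc) for ioc in IOC_HOSTS):
                hits.append(h)
    return hits


def enabled_services_from_device() -> str:
    """Query a connected device over adb (adb must be in PATH)."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    sample_setting = "com.google.android.marvin.talkback/.TalkBackService:com.example.unknownapp/.SvcA"
    sample_log = ["GET http://server.yaarsa.com/con", "GET https://example.org/"]
    print("unexpected accessibility services:", suspicious_services(sample_setting))
    print("IOC hits:", matching_ioc_hosts(sample_log))
```

On a real device, pass the output of `enabled_services_from_device()` to `suspicious_services()`; an unexpected service is a lead to investigate, not proof of infection.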
Investigations revealed that BTMOB RAT is actively marketed on Telegram, where the Threat Actor (TA) is selling licenses for the malware. The TA offers a lifetime license for $5,000, with an additional $300 per month for updates and support.
CRIL highlighted: “Through their Telegram channel, the TA has been advertising BTMOB RAT, highlighting its capabilities, including live screen control, keylogging, injections, lock feature, and collecting various data from infected devices.”
This commercialization of malware makes BTMOB RAT a persistent and evolving cyber threat, as its capabilities are continuously updated.