BTMOB RAT takes full control of Android phones in Brazil, warns ESET
An Android trojan called BTMOB has been detected in active campaigns in Brazil, according to a detailed analysis by security company ESET. The malware is capable of taking complete control of the victim's device and performing remote actions without consent. It was first detected in February 2025, and since then it has evolved considerably in both reach and operational complexity.
Classified as a RAT (remote access trojan), BTMOB lets the attacker access and operate the infected phone remotely while remaining hidden from the user. This capability is a significant threat, because it gives the criminal broad access to the device's data and functions. BTMOB's flexible remote control sets it apart from malware built for a single purpose, such as banking fraud, and increases its potential for damage.
How the BTMOB RAT infects devices
The BTMOB infection chain begins with links to fake websites, which often imitate well-known streaming platforms or cryptocurrency services. Users who click these links are redirected to fake app stores designed to look like the Google Play Store. On these fraudulent pages the victim is tricked into installing a malicious application, and at that point the malware is introduced onto the Android device.
After initial installation, BTMOB requests access to Android's Accessibility Services. This permission, originally designed to help people with disabilities use their phones, is abused by the malware: an accessibility service can read what is on screen and interact with the interface on the user's behalf, including tapping through permission dialogs. Once it has this access, BTMOB can grant itself further permissions and embed itself more deeply in the system without requiring any further action from the user.
Remote control and data theft after infection
Once installed and granted its permissions, BTMOB exposes a wide range of malicious capabilities on the infected device. The malware can extract sensitive data, capture the screen in real time and record user activity, handing valuable information to the criminals. It also lets the attacker operate the phone remotely, executing commands and controlling functions as if they were the owner.
This level of control means passwords can be read, banking apps can be opened and messages can be sent in the victim's name without their knowledge. BTMOB's breadth of functionality makes it more versatile and more dangerous than single-purpose malware: it is not limited to one kind of theft but aims at total control of the device and everything stored on it.
The "malware-as-a-service" model lowers the barrier to entry
BTMOB is sold under the MaaS ("malware-as-a-service") model, which allows it to be bought and used by people with no programming skills. This business model fuels the spread of scams by putting the tool in the hands of a much wider pool of criminals. The platform includes an interface for building new malicious apps and adapting campaigns to different countries and target audiences.
A lifetime license for BTMOB costs approximately $5,000, with the addition of a monthly fee for technical support. In January 2026, BTMOB files were even offered for free on a dark web forum, before the service was deactivated. The malware is actively promoted on open channels on the internet, including promotional pages and profiles on social networks such as X and Instagram, which direct potential buyers to an operator via Telegram.
Campaigns detected in Latin America
Security researchers have already recorded BTMOB campaigns in Latin America, with notable cases in Argentina. In those incidents the malware was adapted to impersonate Argentine government bodies, such as the tax and customs authorities. Copying the visual identity of these institutions is meant to make the scam more credible and trick local users into installing the malicious application.
ESET's detection name for the main component is MSIL/BtmobRat (the MSIL prefix denotes a .NET binary rather than an Android app), while the Android variants are detected as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK. In February 2025, the company Cyble reported finding around 15 samples of version 2.5 in just two weeks, underlining how active and fast-spreading the malware is.
Protection and prevention measures
The main recommendation for avoiding a BTMOB infection is to install applications only from the official Google Play store. Sites that offer APKs outside that platform are the main entry point for this and other digital threats, so caution when installing apps from unknown sources is essential to the device's security.
It is also crucial to be wary of links received by email, through messaging apps such as WhatsApp, on social media or in online advertisements, even when they appear to come from legitimate sources. Keeping a security app running on the phone can help detect and neutralize threats before they cause harm. Companies and organizations must implement and enforce cybersecurity policies and educate their employees on the necessary precautions, because a single malicious download can compromise sensitive corporate data.
- Download apps only from the official Google Play store.
- Be wary of suspicious links and attachments received by email, WhatsApp or social media.
- Keep an up-to-date security application on the phone.
- Check the permissions a new application requests before granting them, especially Accessibility Services.
- Train employees on cybersecurity best practices to protect corporate data.
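The two traits the infection chain above depends on, an app installed from outside Google Play and an accessibility service that the user was talked into enabling, can both be read off a device over adb. The following Python script is an added example, not tooling from ESET, Cyble or the BTMOB operators: it parses the text output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` (line formats assumed from current Android builds) and flags any package that is both sideloaded and running an enabled accessibility service. The sample output embedded in it is constructed, and every package name in it is a placeholder, not a real BTMOB indicator.

```python
"""Triage check for the BTMOB pattern: a sideloaded app with an enabled
accessibility service. Added example; it parses adb command output, and the
sample output below is constructed (placeholder package names, not IOCs)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell pm list packages -i`. Line format assumed
# from current Android builds: "package:<pkg>  installer=<pkg or null>".
# Preinstalled system apps also report installer=null, so a null installer
# on its own is not suspicious; the combination with accessibility is.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.streamplay  installer=null
package:com.example.wallet  installer=com.example.fakestore
package:com.android.settings  installer=null
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "<pkg>/<service class>" entries (assumed format).
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamplay/com.example.streamplay.svc.HelperService"
)

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass(frozen=True)
class Package:
    name: str
    installer: Optional[str]  # None when pm reports installer=null


def parse_packages(text: str) -> List[Package]:
    """Parse `pm list packages -i` output into Package records."""
    packages = []
    for line in text.splitlines():
        match = _PKG_LINE.match(line.strip())
        if match is None:
            continue  # blank or unexpected line
        installer = None if match.group(2) == "null" else match.group(2)
        packages.append(Package(match.group(1), installer))
    return packages


def parse_enabled_services(text: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service classes."""
    services: Dict[str, List[str]] = {}
    for entry in text.strip().split(":"):
        if "/" not in entry:
            continue  # empty string or malformed entry
        pkg, cls = entry.split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services


def sideloaded(packages: List[Package]) -> List[Package]:
    """Packages whose recorded installer is anything other than Google Play."""
    return [p for p in packages if p.installer != PLAY_STORE_INSTALLER]


def find_suspects(packages: List[Package],
                  enabled: Dict[str, List[str]]) -> List[str]:
    """Sideloaded packages that also hold an enabled accessibility service."""
    return sorted(p.name for p in sideloaded(packages) if p.name in enabled)


def audit(pm_output: str, a11y_output: str) -> List[str]:
    """End-to-end check on raw command output; returns suspect package names."""
    return find_suspects(parse_packages(pm_output),
                         parse_enabled_services(a11y_output))


if __name__ == "__main__":
    for name in audit(SAMPLE_PACKAGES, SAMPLE_ENABLED_A11Y):
        print(f"review: {name} is sideloaded and has an enabled "
              f"accessibility service")
```

On a real device, feed the script the output of the two adb commands instead of the constructed samples. A hit is a triage signal, not a verdict: legitimate screen readers and automation tools also use accessibility services, but they are normally installed from Google Play, which is why the check requires both conditions.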
Awareness of the risks and the adoption of preventive measures are essential to protect personal and professional information against threats such as BTMOB Rat. Constant vigilance and updating security software are the most effective line of defense against these sophisticated attacks.