Mallory
Malware (used by 1 actor)

BTMOB RAT

BTMOB RAT is a full-featured Android remote access trojan sold and marketed as a remote administration tool. The reporting cited here states it was first identified in February 2024 as a variant of SpySolr; other reporting describes it as a commodity Android RAT sold under a malware-as-a-service model and as an evolution of the CraxsRAT/CypherRAT/SpySolr code lineage. It has been delivered in several Android malware campaigns, including through the MiningDropper and BeatBanker frameworks and via fake app download pages, phishing sites, social media links, and fraudulent websites impersonating trusted services or app stores. Observed victims span Europe, Latin America, and Asia, with BeatBanker campaigns specifically targeting Brazilian users; one report also notes deployment for financial fraud.

Capabilities described in the source material include credential harvesting (including WebView-based credential theft and PIN/pattern capture), full device takeover with real-time remote control, keylogging, screen recording and screen monitoring, camera access, audio recording, GPS tracking, data exfiltration, abuse of Android Accessibility Services (used for permission granting, silent install and simulated user interaction), file management, command execution, and WebSocket-based remote control. The malware has also been described as facilitating financial fraud operations.

Within the MiningDropper infection chain analyzed by Cyble, a trojanized Android app decrypts staged payloads, shows a fake Google Play update screen as a decoy, reassembles split components, and installs the final payload, BTMOB RAT among them, through a third-stage installer. Newer BeatBanker iterations were reported to deploy BTMOB RAT in place of the banking module. No standalone BTMOB-specific IOC set is given here beyond ecosystem references such as btmob[.]xyz and Telegram-based sales mentioned in one report.
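The capability profile above (overlay permission for WebView/overlay credential theft, an enabled Accessibility service, the ability to install further stages, and the audio/camera/location permissions behind its surveillance features) is something a responder can check for on a device without a sample in hand. The script below is an added example, not tooling from Cyble, Securelist or this page: it parses output approximating `adb shell dumpsys package` and `settings get secure enabled_accessibility_services`, then scores each package against that profile. The dumpsys excerpt is constructed to mimic the real layout, the package names are hypothetical, and the weights and threshold are this example's own heuristic.

```python
"""Triage installed Android packages against the BTMOB RAT capability profile.
Added example; dumpsys excerpt constructed, package names hypothetical,
weights are an assumption of this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Permission -> (capability the reports attribute to BTMOB RAT, weight).
CAPABILITY_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("Draw Over Other Apps: overlay pages / WebView credential theft", 3),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("can install further payload stages", 3),
    "android.permission.RECORD_AUDIO": ("audio recording", 1),
    "android.permission.CAMERA": ("camera access", 1),
    "android.permission.ACCESS_FINE_LOCATION": ("GPS tracking", 1),
}
ACCESSIBILITY_WEIGHT = 4   # enabled accessibility service: remote control, permission granting
SIDELOAD_WEIGHT = 2        # not installed by Play: consistent with fake Play Store download pages
ALERT_THRESHOLD = 7
TRUSTED_INSTALLERS = {"com.android.vending"}

@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None
    requested: Set[str] = field(default_factory=set)
    granted: Set[str] = field(default_factory=set)

@dataclass
class Finding:
    package: str
    score: int
    reasons: List[str]

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")

def parse_dumpsys_packages(text: str) -> Dict[str, PackageInfo]:
    """Collect installer and requested/granted permissions per package."""
    packages: Dict[str, PackageInfo] = {}
    current: Optional[PackageInfo] = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = PackageInfo(m.group(1))
            packages[current.name] = current
            continue
        if current is None:
            continue
        m = INSTALLER_RE.search(line)
        if m:
            current.installer = None if m.group(1) == "null" else m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            current.requested.add(m.group(1))
            if m.group(2) == "true":
                current.granted.add(m.group(1))
    return packages

def parse_enabled_accessibility(setting: str) -> Set[str]:
    """Package names from enabled_accessibility_services ('pkg/svc:pkg2/svc2' or 'null')."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}

def triage(packages: Dict[str, PackageInfo], accessibility_pkgs: Set[str],
           trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Finding]:
    """Score every package; report those at or above ALERT_THRESHOLD, highest first."""
    findings = []
    for pkg in packages.values():
        score, reasons = 0, []
        for perm, (capability, weight) in CAPABILITY_PERMS.items():
            if perm in pkg.requested:
                state = "granted" if perm in pkg.granted else "requested"
                score += weight
                reasons.append(f"{perm.rsplit('.', 1)[1]} {state}: {capability}")
        if pkg.name in accessibility_pkgs:
            score += ACCESSIBILITY_WEIGHT
            reasons.append("accessibility service enabled: remote control / silent permission granting")
        if pkg.installer not in trusted:
            score += SIDELOAD_WEIGHT
            reasons.append(f"installer={pkg.installer!r}: sideloaded, not from Play")
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(pkg.name, score, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)

# Constructed excerpt approximating `adb shell dumpsys package` (hypothetical packages).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakeplayupdate] (1a2b3c):
    userId=10234
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (4d5e6f):
    userId=10235
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
"""
# Constructed value of `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.fakeplayupdate/.RemoteControlService"

if __name__ == "__main__":
    hits = triage(parse_dumpsys_packages(SAMPLE_DUMPSYS), parse_enabled_accessibility(SAMPLE_A11Y))
    for f in hits:
        print(f"{f.package} score={f.score}")
        for r in f.reasons:
            print("  -", r)
```

On a live device, feed it `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; SYSTEM_ALERT_WINDOW is an app-op rather than a runtime permission, so it is reported as "requested" and its actual grant state must be read with `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`.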


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

EVLF

"Recent iterations of the campaign have been found to drop BTMOB RAT instead of the banking module."

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic. Caveat for analysts: T1546.008 (Accessibility Features) and T1546.015 (Component Object Model Hijacking) are Enterprise-matrix techniques describing Windows mechanisms. The evidence cited for them here describes Android behaviour, namely abuse of Accessibility Services and Draw Over Other Apps overlays, which belongs in the Mobile ATT&CK matrix; treat those IDs as approximate labels rather than as claims that the malware tampers with Windows accessibility binaries or hijacks COM objects.

Initial Access

1 technique

T1566 Phishing (1 evidence item)

"It spreads primarily through phishing attacks via a website disguised as the Google Play Store."

Persistence

2 techniques

T1546.008 Accessibility Features (1 evidence item)

Cyble said that the final payload can steal credentials through WebView injections, log keystrokes, exfiltrate data, abuse Accessibility Services, and support real-time remote control, screen monitoring, file handling, audio recording, and command execution.

T1546.015 Component Object Model Hijacking (1 evidence item)

"creates overlay pages for Binance and Trust Wallet" and "Requests Draw Over Other Apps permission (overlay)"

Privilege Escalation

2 techniques

T1546.008 Accessibility Features and T1546.015 Component Object Model Hijacking, cited with the same two evidence items listed under Persistence (Accessibility Services abuse, and the Draw Over Other Apps overlay permission).

Defense Evasion

2 techniques

T1027 Obfuscated Files or Information (1 evidence item)

"The initial APK file is packed... libludwwiuh.so... decrypt another ELF..." and "names are encrypted... using XOR (stack strings technique)"

T1036 Masquerading (2 evidence items)

A fast-growing Android malware campaign is using a framework called MiningDropper to push far more dangerous threats onto phones disguised as normal apps.
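The T1027 evidence describes XOR-encrypted names built as stack strings inside the packed native loader. The decoder below is an added example, not code from the cited reports: it takes the byte chunks an analyst would lift from the immediates a function writes to the stack before its XOR loop and recovers the plaintext. The chunks are constructed here by XOR-ing each plaintext with its own single-byte key, the simplest form of the scheme; `xor_repeating` also decodes multi-byte keys, but only single-byte keys are brute-forced. The plaintexts are generic loader strings (the library name is the one quoted in the evidence), not strings claimed to be in the sample.

```python
"""Recover XOR-encrypted stack strings from a native loader.
Added example; chunks are constructed, keys are arbitrary."""
from typing import Dict, List, Tuple

GOOD_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-:")
MIN_LEN = 4

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E

def string_likeness(text: str) -> float:
    """Share of characters typical of symbol names, paths and file names."""
    return sum(c in GOOD_CHARS for c in text) / len(text) if text else 0.0

def decode_chunk(chunk: bytes, min_score: float = 0.8) -> List[Tuple[int, str, float]]:
    """Return plausible (key, plaintext, score) decodings, best first.

    Fast path: a C string carries its NUL terminator and 0 ^ key == key, so the
    last encrypted byte *is* the key.  If that decodes cleanly it is the only
    answer.  Otherwise (length-prefixed or truncated chunk) every single-byte
    key is tried and the printable, string-like results are ranked."""
    if not chunk:
        return []
    key = chunk[-1]
    if key:
        body = xor_repeating(chunk[:-1], bytes([key]))
        if len(body) >= MIN_LEN and all(is_printable(b) for b in body):
            text = body.decode("ascii")
            score = string_likeness(text)
            if score >= min_score:
                return [(key, text, score)]
    results = []
    for key in range(1, 256):
        dec = xor_repeating(chunk, bytes([key]))
        if len(dec) < MIN_LEN or not all(is_printable(b) for b in dec):
            continue
        text = dec.decode("ascii")
        score = string_likeness(text)
        if score >= min_score:
            results.append((key, text, score))
    return sorted(results, key=lambda r: (-r[2], r[0]))

def decode_all(chunks: Dict[str, bytes]) -> Dict[str, List[Tuple[int, str, float]]]:
    return {name: decode_chunk(chunk) for name, chunk in chunks.items()}

# Constructed input: per-string single-byte XOR, as lifted from stack immediates.
SAMPLE_CHUNKS = {
    "lib_name": xor_repeating(b"libludwwiuh.so\x00", b"\x5a"),   # NUL-terminated: key is pinned
    "maps_path": xor_repeating(b"/proc/self/maps\x00", b"\xc7"),  # key above 0x7e still works
    "symbol": xor_repeating(b"JNI_OnLoad", b"\x13"),             # no terminator: ambiguous
    "junk": bytes([0x00, 0xFF, 0x10, 0x80, 0x7F, 0x01]),          # not a string under any key
}

if __name__ == "__main__":
    for name, results in decode_all(SAMPLE_CHUNKS).items():
        shown = [(hex(k), t, round(s, 2)) for k, t, s in results[:3]]
        print(name, shown if shown else "no plausible single-byte key")
```

The unterminated case matters in practice: without the NUL, several keys can produce fully printable text (a key differing by a single bit flips letter case or shifts letters within the alphabet), so the decoder returns a ranked list there rather than one answer, and the analyst confirms the candidate against the loader's import or `dlopen` call sites.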

Credential Access

2 techniques

T1056 Input Capture (3 evidence items)

"...keylogging..."

T1056.001 Keylogging (2 evidence items)

Cyble said that the final payload can steal credentials through WebView injections, log keystrokes, exfiltrate data, abuse Accessibility Services, and support real-time remote control, screen monitoring, file handling, audio recording, and command execution.

Collection

3 techniques

T1056 Input Capture and T1056.001 Keylogging, cited with the same evidence as under Credential Access, plus:

T1113 Screen Capture (3 evidence items)

"...screen recording..."

Command and Control

3 techniques

T1071.001 Web Protocols (1 evidence item)

Cyble said that the final payload can steal credentials through WebView injections, log keystrokes, exfiltrate data, abuse Accessibility Services, and support real-time remote control, screen monitoring, file handling, audio recording, and command execution. Cyble's write-up describes that real-time control channel as WebSocket-based, which is what supports the Web Protocols mapping: a WebSocket session is opened with an HTTP Upgrade request.

T1105 Ingress Tool Transfer (2 evidence items)

"...display of a counterfeit Play Store update screen that permits further payload delivery"

T1219 Remote Access Tools (2 evidence items)

Same Cyble evidence as under T1071.001 (real-time remote control, screen monitoring, file handling, command execution).

Exfiltration

2 techniques

T1020 Automated Exfiltration (1 evidence item)

"...credential exfiltration..."

T1041 Exfiltration Over C2 Channel (1 evidence item)

Same Cyble evidence as under T1071.001 (credential theft and data exfiltration over the same remote-control channel).
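Because the C2 and exfiltration mappings above rest on a WebSocket remote-control channel, the hunt a SOC can run today is for WebSocket sessions from Android clients that go somewhere they should not. The script below is an added example, not a vendor detection: it reads JSON proxy records, keeps only WebSocket upgrades (an `Upgrade: websocket` request or a `101 Switching Protocols` response), and grades each session by whether the host matches a watchlist, is a raw IP, stays open for a long time, or simply is not an approved endpoint. The log records, field names, host names and the `ALLOWED_WS_HOSTS` allowlist are constructed for illustration; the single watchlist entry is the btmob[.]xyz ecosystem reference from the text above, kept defanged as the report prints it.

```python
"""Hunt proxy logs for WebSocket remote-control sessions.
Added example; log records, field names and hosts are constructed."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

WATCHLIST = {"btmob[.]xyz"}                  # defanged, as it appears in the report
ALLOWED_WS_HOSTS = {"ws.example-corp.com"}   # hypothetical approved WebSocket endpoint
LONG_SESSION_SECONDS = 600                   # real-time control sessions stay up for a long time
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Finding:
    src_ip: str
    host: str
    severity: str
    android_client: bool
    reasons: List[str]

def refang(indicator: str) -> str:
    """Turn a defanged report IOC ('btmob[.]xyz', 'hxxp://') into a matchable form."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http")

def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match, so c2.<domain> is caught as well as <domain>."""
    return host == domain or host.endswith("." + domain)

def is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def is_websocket(rec: dict) -> bool:
    """A WebSocket session starts as an HTTP request with Upgrade: websocket
    and is answered with 101 Switching Protocols."""
    return rec.get("upgrade", "").lower() == "websocket" or rec.get("status") == 101

def hunt(lines: Iterable[str], allowlist: Set[str] = ALLOWED_WS_HOSTS,
         watchlist: Set[str] = WATCHLIST) -> List[Finding]:
    """Return suspicious WebSocket sessions, highest severity first."""
    watch = {refang(w) for w in watchlist}
    findings: List[Finding] = []
    for line in lines:
        rec = json.loads(line)
        if not is_websocket(rec):
            continue
        host = rec["host"].lower()
        if host.count(":") == 1:             # drop an explicit port (IPv4/hostname form)
            host = host.split(":")[0]
        if any(host_matches(host, a) for a in allowlist):
            continue                          # approved endpoint, nothing to see
        ua = rec.get("user_agent", "")
        android = "android" in ua.lower() or ua.startswith("Dalvik/")
        on_watchlist = any(host_matches(host, w) for w in watch)
        raw_ip = is_raw_ip(host)
        long_lived = rec.get("duration_s", 0) >= LONG_SESSION_SECONDS
        reasons = ["WebSocket endpoint not on the approved list"]
        if on_watchlist:
            reasons.append(f"host {host} matches a watchlist entry")
        if raw_ip:
            reasons.append("WebSocket to a raw IP address, no DNS name")
        if long_lived:
            reasons.append(f"long-lived session ({rec['duration_s']}s)")
        severity = "high" if on_watchlist else "medium" if (raw_ip or long_lived) else "low"
        findings.append(Finding(rec["src_ip"], host, severity, android, reasons))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])

ANDROID_UA = "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"

# Constructed proxy records; 203.0.113.0/24 is a documentation range.
SAMPLE_PROXY_LOG = [
    json.dumps({"ts": "2026-04-21T09:12:03Z", "src_ip": "10.20.30.41", "user_agent": ANDROID_UA,
                "method": "GET", "host": "203.0.113.45:8080", "path": "/ws",
                "upgrade": "websocket", "status": 101, "duration_s": 5400}),
    json.dumps({"ts": "2026-04-21T09:13:10Z", "src_ip": "10.20.30.42", "user_agent": ANDROID_UA,
                "method": "GET", "host": "btmob.xyz", "path": "/socket",
                "upgrade": "websocket", "status": 101, "duration_s": 120}),
    json.dumps({"ts": "2026-04-21T09:14:00Z", "src_ip": "10.20.30.7", "user_agent": DESKTOP_UA,
                "method": "GET", "host": "ws.example-corp.com", "path": "/events",
                "upgrade": "websocket", "status": 101, "duration_s": 3600}),
    json.dumps({"ts": "2026-04-21T09:14:30Z", "src_ip": "10.20.30.41", "user_agent": ANDROID_UA,
                "method": "GET", "host": "api.example-bank.com", "path": "/v1/balance",
                "status": 200, "duration_s": 1}),
    json.dumps({"ts": "2026-04-21T09:15:02Z", "src_ip": "10.20.30.43", "user_agent": ANDROID_UA,
                "method": "GET", "host": "chat.example-news.com", "path": "/live",
                "upgrade": "websocket", "status": 101, "duration_s": 45}),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROXY_LOG):
        print(f"[{f.severity}] {f.src_ip} -> {f.host} android={f.android_client}: {'; '.join(f.reasons)}")
```

The "low" tier will be noisy on an unmanaged network; it is there to build the allowlist, while "medium" (raw IP, long-lived) and "high" (watchlist hit) are the ones worth paging on.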

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. The public page redacts the values; the only BTMOB-specific network reference reproduced in the text above is btmob[.]xyz.

Network
8 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
6 tracked

Other indicator types observed in public reporting.

Type      Value        Latest sighting
domain    (redacted)   10 days ago
ip.v4     (redacted)   10 days ago
ip.v4     (redacted)   10 days ago
domain    (redacted)   29 days ago
domain    (redacted)   2 months ago
domain    (redacted)   2 months ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Cyber Security News (news)
Apr 20, 2026
Hackers Use MiningDropper to Deliver Infostealers, RATs, and Banking Malware on Android

Describes BTMOB RAT as an Android remote access trojan delivered by MiningDropper that can steal credentials through WebView injections, log keystrokes, exfiltrate data, abuse Accessibility Services, and support real-time remote control, screen monitoring, file handling, audio recording, and command execution.

Cyble Blog (news)
Apr 15, 2026
MiningDropper: A Global Android Malware Campaign

An Android remote access trojan delivered by MiningDropper that supports credential theft, WebView-based injections, keylogging, data exfiltration, abuse of Accessibility Services, device unlocking, simulated user interaction, permission granting, file management, audio recording, and WebSocket-based real-time remote control.

The Hacker News (news)
Mar 12, 2026
Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Android remote access trojan used as a payload in BeatBanker campaigns; provides comprehensive remote control, persistence, and surveillance; assessed as an evolution of the CraxsRAT/CypherRAT/SpySolr code lineage.

Securelist (news)
Mar 10, 2026
BeatBanker: both banker and miner for Android | Securelist

Highly obfuscated Android remote administration tool (MaaS) providing full remote control and surveillance (permission granting, silent install, persistent execution, overlays to hide notifications, credential/PIN/pattern capture, camera access, keystroke capture, GPS tracking, and real-time screen recording/streaming). Delivered as the final payload by newer BeatBanker variants.