Researched by: Vishnu Madhav and Rajat Goyal
On February 12, Cyble reported the discovery of a new variant of the BTMOB spyware, named BTMOB RAT v2.5. This malicious software is distributed through deceptive phishing sites impersonating popular streaming services such as iNat TV and fraudulent cryptocurrency mining platforms (Fig. 1).
Subsequently, our zLabs team conducted a more in-depth investigation and uncovered several additional versions of the spyware: v2.6, v2.7, v2.8, v2.9 and the most recent versions, v3.1 and v3.2. The latest version is disguised as an update and spread through various phishing sites. In total, our researchers uncovered 32 droppers and 44 payloads, with the droppers posing as legitimate applications such as GB WhatsApp, Chrome, Roku, Bradesco, Kaspersky, Venmo and several others.
The dropper is delivered through fake websites carefully designed to trick unsuspecting users. Our investigation uncovered three newly active websites involved in this campaign. Notably, one of the sites specifically targets the Turkish Ministry of Justice, as shown in Figure 2.
During our analysis, the team discovered open directories being used to distribute the malware, as shown in Figure 3.
Within these open directories we also found several Windows executable files that appear to be associated with ConnectWise, a legitimate remote administration tool commonly used by IT professionals for remote support and system management. The presence of these executables alongside the malware samples raises concerns: it suggests that the attackers might misuse these tools to gain unauthorized access to compromised systems, or to make their malicious activity look like normal administrative activity.
As we noted in our original blog post, earlier versions of the spyware were delivered as standalone payloads. This latest version has changed its approach and now uses a dropper as its delivery method.
Once the dropper is installed, the malware employs a deceptive tactic to lure the victim into downloading its payload onto the mobile device. It presents a fake update screen designed to appear legitimate, tricking the user into starting the download of the malicious update (Fig. 4).
The actual payload is hidden within the application's assets folder. When the user taps the fake update, the malware installs the payload through a session-based installation process. As part of this process, the malware asks for accessibility permission. If granted, it can then grant itself additional permissions without the user's direct knowledge or consent (Fig. 5).
As seen in Figure 6, the latest variant states its version number explicitly within the code. This release also combines elements from previous iterations with newly created capabilities, which shows that the threat actors behind this malware are actively enhancing it.
One of the key features that has been carried over from earlier versions is its ability to steal the device’s lock screen credentials, including pattern, password, and PIN. To perform this, the malware deploys an overlay attack.
The overlay is stored within the application’s assets directory in an encrypted format. This tactic helps it avoid detection during static analysis. Once decrypted, the overlay can dynamically change its appearance to look like the normal lock screen configured on the device. This capability enables the malware to target all three authentication methods effectively (Fig. 7).
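As an added example (not Zimperium's code, nor anything taken from the malware), the following Python script gives a defender a static triage pass over the indicators described in the two passages above: a self-installed payload hidden under assets/, an accessibility service, BOOT_COMPLETED persistence, and a high-entropy asset of the kind an encrypted overlay would produce. It takes a decoded AndroidManifest.xml (as apktool emits it) plus the asset files as bytes; the manifest, the asset contents and names such as `.AccService` are constructed placeholders.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter

A = "{http://schemas.android.com/apk/res/android}"  # prefix ElementTree uses for android: attributes
# Permissions the dropper behaviour above needs: self-install, overlays, reboot persistence.
FLAGGED_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can open a PackageInstaller session",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can relaunch after reboot",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted blobs sit near 8.0, plain XML/HTML well below 6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage(manifest_xml: str, assets: dict) -> list:
    """Findings for a decoded manifest plus {asset name: bytes}; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for p in root.iter("uses-permission"):
        name = p.get(A + "name", "")
        if name in FLAGGED_PERMS:
            findings.append(f"{name}: {FLAGGED_PERMS[name]}")
    for svc in root.iter("service"):  # an accessibility service is what lets it grant itself more rights
        if svc.get(A + "permission") == ACCESSIBILITY_PERM:
            findings.append(f"accessibility service: {svc.get(A + 'name')}")
    if any(a.get(A + "name") == BOOT_ACTION for a in root.iter("action")):
        findings.append("receiver listens for BOOT_COMPLETED")
    for fname, blob in assets.items():
        if blob.startswith(b"PK\x03\x04"):  # ZIP magic: an APK carried inside assets/
            findings.append(f"assets/{fname}: embedded ZIP/APK, possible payload")
        elif len(blob) >= 256 and shannon_entropy(blob) > 7.5:
            findings.append(f"assets/{fname}: high entropy, possibly an encrypted overlay")
    return findings


# Constructed sample input shaped like the dropper described above (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  <receiver android:name=".Boot"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""
SAMPLE_ASSETS = {"update.bin": b"PK\x03\x04" + bytes(64), "lock.enc": bytes(range(256)) * 4, "readme.txt": b"plain text " * 30}
```

Running `triage(SAMPLE_MANIFEST, SAMPLE_ASSETS)` flags the two permissions, the accessibility service, the boot receiver, the embedded APK and the high-entropy asset, while readme.txt is left alone.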
One of the notable new capabilities introduced in the latest malware variant is its interaction with the Alipay application (com.eg.android.AlipayGphone). This new feature enables an overlay-based attack designed to capture the Alipay PIN by abusing Android’s Accessibility Service.
The malware monitors the UI for the presence of Alipay’s PIN pad, and once detected, overlays transparent views over each numeric button.
Each overlay captures the user's tap, triggers a simulated click on the real button via gesture injection, and logs the corresponding digit. The captured PIN is labeled with a context string "Alipay|PIN|<digit>" and exfiltrated in real time.
After each input, the overlay is quickly restored, allowing the malware to stealthily capture all digits without disrupting the app’s normal behaviour or raising user suspicion.
To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table of the relevant MITRE ATT&CK tactics and techniques for reference.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | | Phishing | Adversaries send malicious content to users in order to gain access to their device. |
| Persistence | | Event Triggered Execution: Broadcast Receivers | BTMOB listens for the BOOT_COMPLETED intent to automatically launch after the device restarts. |
| Defense Evasion | | Masquerading: Match Legitimate Name or Location | Malware pretending to be a genuine app. |
| | | Input Injection | Malware can mimic user interaction, perform clicks and various gestures, and input data. |
| | | Obfuscated Files or Information: Software Packing | BTMOB uses string obfuscation. |
| | | Application Discovery | Collects the installed application package name list to identify targets. |
| | | Hide Artifacts: Suppress Application Icon | Hides the application icon. |
| Credential Access | | Clipboard Data | It extracts data stored on the clipboard. |
| | | Input Capture: Keylogging | It has a keylogger feature. |
| | | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| Discovery | | Software Discovery | Malware collects the installed application package list. |
| | | System Information Discovery | The malware collects basic device info. |
| | | File and Directory Discovery | BTMOB enumerates files and directories on external storage. |
| | | Process Discovery | The malware checks the currently running foreground application with the help of the Accessibility Service. |
| | | System Network Configuration Discovery | Malware collects IP and SIM information. |
| | | Screen Capture | Malware can record screen content. |
| | | Audio Capture | Malware captures audio recordings. |
| | | Protected User Data: Contact List | It exports the device's contacts. |
| | | Protected User Data: SMS Messages | Steals SMS messages from the infected device. |
| Collection | | Input Capture: Keylogging | Malware can capture keystrokes. |
| | | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| | | Clipboard Data | It has the ability to steal data from the clipboard. |
| | | Data from Local System | Collects files from external storage. |
| Command and Control | | Application Layer Protocol: Web Protocols | BTMOB uses HTTP to communicate with the C&C server. |
| Exfiltration | | Exfiltration Over C2 Channel | Sends exfiltrated data to the C&C server. |
| Impact | | Input Injection | It displays injected payloads such as the pattern lock. |
| | | SMS Control | It can read SMS. |
The IOCs for this campaign can be found in this repository.