GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices

Fake Google Play Store

During D3Lab’s continuous monitoring of newly registered domains through our Brand Monitor service, we identified a domain crafted to impersonate the Google Play Store.

The site advertises a supposed application called “GPT Trade”, presented as an AI-powered trading assistant and visually styled to resemble official ChatGPT / OpenAI branding. Unsuspecting users are encouraged to download an APK directly from the page: https://playgoogle-gpttrade[.]com/GPT%20Trade.apk

Our investigation revealed that GPT Trade is not a legitimate application, but a sophisticated Android dropper engineered to generate, prepare, and install multiple secondary malware payloads, including:

  • BTMob – a powerful spyware family
  • UASecurity Miner – a persistence-oriented component tied to a suspicious Android packing service

The overall structure of the attack shows a modern, modular approach where threat actors rely on packer-as-a-service platforms, Telegram bots, and impersonation techniques to distribute malware effectively.


From Fake App Store to Infection: How the GPT Trade Dropper Works

Captcha Request

Once installed and opened, the GPT Trade application displays a fake captcha screen. To the user, this appears to be a benign verification step. In the background, however, the application immediately begins its real activity.

During this stage, the dropper:

  1. Creates multiple directories inside its private storage
  2. Unpacks or decrypts several embedded components
  3. Generates new APK files in “processed” form
  4. Prepares two distinct malicious packages

Two XML preference files reveal the dropper’s behavior clearly:

/shared_prefs/SplitApkInstallerminer.xml
/shared_prefs/SplitApkInstalleruser.xml

These files contain paths to dynamically created payloads, confirming that GPT Trade acts as a multi-stage dropper, not a standalone app.

Once the captcha is completed, the app triggers several dex2oat32 processes (Android's ahead-of-time DEX compiler, which runs when a package is installed) to finalize the generated APKs and silently installs both malware packages:

  • mooz.balkcigol.rotinom (BTMob spyware)
  • com.xenlyqw.jkkcyubcust (UASecurity Miner)

Finally, it opens chatgpt.com in the system browser — a social engineering technique intended to reinforce user trust and mask the compromise.
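The artefacts above (the dropper package, the two SplitApkInstaller*.xml preference files, and the two installed payload packages) are enough for a first-pass triage of a device image or an adb session. The following script is an added example written for this article, not code from D3Lab or from the samples: the package and file names come from the report, while the preference-file contents and the `pm list packages` output are constructed, since the real XML values were not published.

```python
"""Triage of the GPT Trade dropper artefacts described above.

Added example, not code from the D3Lab write-up. Package names and the two
shared_prefs file names come from the report; the XML contents and the
`pm list packages` output below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

DROPPER_PKG = "com.jxtfkrsl.bjtgsb"
PAYLOAD_PKGS = {
    "mooz.balkcigol.rotinom": "BTMob spyware",
    "com.xenlyqw.jkkcyubcust": "UASecurity Miner",
}
PREF_FILES = {"SplitApkInstallerminer.xml", "SplitApkInstalleruser.xml"}

# Constructed sample of one preference file; the real contents were not published.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="apk_path">/data/user/0/com.jxtfkrsl.bjtgsb/files/processed/miner.apk</string>
    <string name="label">miner</string>
    <boolean name="installed" value="false" />
</map>
"""

# Constructed `adb shell pm list packages` output.
SAMPLE_PM_LIST = """package:com.android.settings
package:com.jxtfkrsl.bjtgsb
package:mooz.balkcigol.rotinom
package:com.xenlyqw.jkkcyubcust
package:com.google.android.gms
"""


def apk_paths_from_prefs(xml_text):
    """Return every <string> value in an Android SharedPreferences XML that names an APK."""
    root = ET.fromstring(xml_text)
    return [
        el.text.strip()
        for el in root.iter("string")
        if el.text and el.text.strip().lower().endswith(".apk")
    ]


def installed_packages(pm_output):
    """Parse `pm list packages` output ('package:<name>' per line) into a set."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def triage(pm_output, pref_file_names, prefs_xml_by_name):
    """Correlate installed packages with the dropper's preference files.

    Returns the suspicious packages found, the dropper-specific preference
    files present, the payload paths they reference, and a verdict.
    """
    installed = installed_packages(pm_output)
    findings = {
        "dropper_installed": DROPPER_PKG in installed,
        "payloads_installed": sorted(p for p in PAYLOAD_PKGS if p in installed),
        "dropper_pref_files": sorted(PREF_FILES & set(pref_file_names)),
        "generated_apks": [],
    }
    for name in findings["dropper_pref_files"]:
        xml_text = prefs_xml_by_name.get(name)
        if xml_text:
            findings["generated_apks"].extend(apk_paths_from_prefs(xml_text))
    # The dropper plus at least one payload package present is the chain the
    # report describes; a generated APK path under its private storage corroborates it.
    findings["verdict"] = "dropper chain present" if (
        findings["dropper_installed"] and findings["payloads_installed"]
    ) else "no match"
    return findings


if __name__ == "__main__":
    result = triage(
        SAMPLE_PM_LIST,
        ["SplitApkInstallerminer.xml", "WebViewChromiumPrefs.xml"],
        {"SplitApkInstallerminer.xml": SAMPLE_PREFS_XML},
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real device the inputs would come from `adb shell pm list packages` and from the files under the dropper's `/shared_prefs/` directory; package names are matched exactly, so the check is specific to this campaign rather than a generic dropper heuristic.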


Malicious Component #1: UASecurity Miner

Package: com.xenlyqw.jkkcyubcust

SHA256: 918f002a41f9551d48ece999ccba504fcf7596017d9566c07c5335fe0081effe

This component communicates with:

  • 147[.]93[.]153[.]119 (multiple ports: 50904, 50912, 50916, 50920)
  • https://aptabase[.]fud2026[.]xyz:8443/api/v0/event

Notably, the domain aptabase[.]fud2026[.]xyz resolves to the same IP, indicating a dedicated C2 server.

The manifest shows services designed for continuous persistence, including:

  • Foreground services
  • Boot receivers
  • Firebase messaging services
  • Keep-alive modules

Combined, these elements suggest a component dedicated to maintaining remote control and telemetry collection.


Malicious Component #2: BTMob Spyware

Package: mooz.balkcigol.rotinom

SHA256: 7f005c10f80372311e9c038526d81d931672d15c644fef2a77eefd67c6235917

BTMob is a well-known and highly invasive Android spyware family. In this case, the sample contacts:

  • http://95[.]164[.]53[.]100/private/yarsap_80541[.]php
  • http://95[.]164[.]53[.]100:8080/

The manifest includes an extremely broad set of permissions, such as:

  • SMS read/send
  • Contact list access
  • Screen recording and media projection
  • Accessibility service binding
  • Camera and microphone access
  • Overlay windows
  • Exact alarm scheduling
  • App installation/uninstallation
  • File system read/write
  • Location data (GPS, network, background)

This extensive set enables complete device takeover: credential theft, overlay attacks, keylogging, call or screen interception, and persistent surveillance.
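A manifest review is the cheapest place to catch this profile before dynamic analysis. The script below is an added example for this article, not D3Lab's code and not the BTMob manifest: it maps each capability bullet above onto the Android permission names that grant it (my own mapping, an assumption), parses a constructed AndroidManifest.xml, and flags the accessibility + overlay + capture/SMS combination that turns an app into a remote-control tool. Media projection is an API rather than a runtime permission, so the Android 14 foreground-service type permission is used as its declared marker.

```python
"""Manifest permission review for the capability set listed above.

Added example, not code from the D3Lab write-up. The permission groupings are
my own mapping of the report's bullet list onto Android permission names; the
manifests below are constructed to exercise them, not the real BTMob manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Each bullet of the report mapped to the permissions that grant that capability.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    # MediaProjection itself is an API; Android 14 requires this foreground-service type.
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "camera_mic": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "exact_alarm": {"android.permission.SCHEDULE_EXACT_ALARM"},
    "package_install": {"android.permission.REQUEST_INSTALL_PACKAGES",
                        "android.permission.REQUEST_DELETE_PACKAGES"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
}

# The combination that enables overlay phishing, keylogging and remote control.
TAKEOVER_CORE = {"accessibility", "overlay"}
TAKEOVER_ANY = {"sms", "screen_capture", "camera_mic"}

# Constructed manifest modelled on the capability list above (not the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Collect <uses-permission> names plus the android:permission guarding each <service>.

    BIND_ACCESSIBILITY_SERVICE is declared on the service, not as a uses-permission,
    so a review that only reads <uses-permission> misses the accessibility capability.
    """
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    perms |= {el.get(PERM_ATTR) for el in root.iter("service") if el.get(PERM_ATTR)}
    perms.discard(None)
    return perms


def assess(manifest_xml):
    """Map declared permissions to capabilities and decide whether the set fits a takeover profile."""
    perms = declared_permissions(manifest_xml)
    caps = sorted(cap for cap, names in CAPABILITIES.items() if perms & names)
    takeover = TAKEOVER_CORE <= set(caps) and bool(TAKEOVER_ANY & set(caps))
    return {"permissions": sorted(perms), "capabilities": caps, "takeover_profile": takeover}


if __name__ == "__main__":
    for label, manifest in (("constructed spyware-like", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess(manifest))
```

The manifest of a real APK is binary XML; decode it first (for example with apktool or androguard) and feed the decoded text to `assess`. The rule deliberately keys on the combination rather than on any single permission, since overlay or SMS access alone is common in legitimate apps.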


Infrastructure Links: The Role of UASecurity Tools

APK Protection by UASecurity Tools

Before installing the secondary malware, the GPT Trade dropper contacts timeserver[.]uasecurity[.]org (207[.]90[.]195[.]25) on port 2000.

This domain is part of UASecurity Tools, a service that has been active since August 2025 and offers Android APK “protection” through a website and a Telegram bot.

OSINT confirmed the existence of:

  • Website: https://access[.]uasecurity[.]org/
  • Telegram bot: @android_protect_bot
  • Official channel: t.me/protect_bot_official
  • YouTube video promoting an Android C2 tool

The UASecurity platform provides APK packing and obfuscation services. Despite presenting itself as a legitimate “intellectual property protection” tool, its packer is clearly being abused by malware developers.

The behavior of GPT Trade — generating “original” and “processed” directories, producing installers dynamically, and using a captcha trigger — strongly matches installers created by this packer.

There is no evidence that UASecurity Tools directly distributes malware. However, the misuse of their service within this campaign highlights how “developer tools” can be co-opted to support malicious operations.


Conclusion

The GPT Trade campaign demonstrates a mature and modular Android attack chain:

  • Social engineering through a fake Google Play interface
  • A dropper acting as an APK generator
  • Installation of two independent malware families
  • Use of a third-party APK packer to evade detection
  • Multiple C2 endpoints tied to distinct functionalities

This approach reflects a growing trend in the Android threat landscape: attackers increasingly rely on outsourced infrastructure, Telegram-based distribution systems, and packer-as-a-service tools to streamline and scale their operations.

D3Lab will continue to monitor the evolution of these techniques and their associated infrastructures.


Disclaimer

Installing applications from untrusted sources poses significant security risks.

Always download mobile applications exclusively from official and verified app stores, and avoid APK files distributed through websites, links, or third-party channels.


Indicators of Compromise (IoCs)

Dropper – GPT Trade (com.jxtfkrsl.bjtgsb)

  • Hashes:
    • MD5: 25e3c200de4868d754a3b4f4f09ec2bf
    • SHA256: 0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35
  • Contacted domain: timeserver[.]uasecurity[.]org (207[.]90[.]195[.]25:2000)
  • Distribution domain: playgoogle-gpttrade[.]com
  • APK download URL: https://playgoogle-gpttrade[.]com/GPT%20Trade.apk

Payload #1 – UASecurity Miner (com.xenlyqw.jkkcyubcust)

  • Hashes:
    • MD5: 526e3f4426359b4b31f3d746acfb4d13
    • SHA256: 918f002a41f9551d48ece999ccba504fcf7596017d9566c07c5335fe0081effe
  • C2 Infrastructure:
    • IP: 147[.]93[.]153[.]119 (multiple ports)
    • Domain: aptabase[.]fud2026[.]xyz

Payload #2 – BTMob Spyware (mooz.balkcigol.rotinom)

  • Hashes:
    • MD5: 4ccb99a365b4a42e8b565f8058d059bc
    • SHA256: 7f005c10f80372311e9c038526d81d931672d15c644fef2a77eefd67c6235917
  • C2 Infrastructure:
    • http://95[.]164[.]53[.]100/private/yarsap_80541[.]php
    • http://95[.]164[.]53[.]100:8080/
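The network indicators above, together with the C2 endpoints listed for the UASecurity Miner component, are published defanged (`[.]`), so they have to be refanged before they can be matched against raw DNS or proxy logs, and hostnames and IPs should be matched as whole tokens to avoid false positives on longer strings. The script below is an added example written for this article, not D3Lab's code: the indicators and hashes are copied from the IoC section, the refanging also handles the `hxxp` and `(.)` conventions beyond the `[.]` form used here, and the log lines and hash list are constructed.

```python
"""Hunting over logs and file hashes with the IoCs listed above.

Added example, not code from the D3Lab write-up. The indicators are copied from
the report's IoC section; the DNS/proxy log lines and the file hash list are
constructed to show the matching logic.
"""
import re

DEFANGED_NETWORK_IOCS = [
    "playgoogle-gpttrade[.]com",
    "timeserver[.]uasecurity[.]org",
    "207[.]90[.]195[.]25",
    "147[.]93[.]153[.]119",
    "aptabase[.]fud2026[.]xyz",
    "95[.]164[.]53[.]100",
]
SHA256_IOCS = {
    "0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35": "GPT Trade dropper",
    "918f002a41f9551d48ece999ccba504fcf7596017d9566c07c5335fe0081effe": "UASecurity Miner",
    "7f005c10f80372311e9c038526d81d931672d15c644fef2a77eefd67c6235917": "BTMob spyware",
}


def refang(indicator):
    """Undo common defanging ([.], (.), hxxp) so the value matches what raw logs contain."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


NETWORK_IOCS = {refang(i).lower() for i in DEFANGED_NETWORK_IOCS}

# Hostnames and IPs as whole tokens: letters, digits, dots and hyphens, bounded by
# anything else, so 1147.93.153.119 never matches 147.93.153.119.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*[A-Za-z0-9]")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def match_network_line(line):
    """Return the set of IoCs that appear in one log line, including subdomains of listed hosts."""
    hits = set()
    for token in TOKEN_RE.findall(line):
        t = token.lower()
        for ioc in NETWORK_IOCS:
            if t == ioc or (not IP_RE.match(ioc) and t.endswith("." + ioc)):
                hits.add(ioc)
    return hits


def scan_logs(lines):
    """Return (line_index, sorted IoCs) for every line with at least one hit."""
    return [(i, sorted(h)) for i, line in enumerate(lines) if (h := match_network_line(line))]


def classify_hashes(hashes):
    """Map any SHA256 in the input (any case) to the payload the report attributes it to."""
    return {h.lower(): SHA256_IOCS[h.lower()] for h in hashes if h.lower() in SHA256_IOCS}


# Constructed DNS and squid-style proxy lines; 10.0.0.x and 203.0.113.x are placeholders.
SAMPLE_LOG_LINES = [
    "Nov 20 10:12:01 dns named[1234]: client 10.0.0.5#53422: query: playgoogle-gpttrade.com IN A +",
    "1700000000.123 45 10.0.0.5 TCP_TUNNEL/200 512 CONNECT aptabase.fud2026.xyz:8443 - HIER_DIRECT/147.93.153.119 -",
    "1700000001.456 30 10.0.0.5 TCP_MISS/200 2048 GET http://example.invalid/index.html - HIER_DIRECT/203.0.113.10 -",
    "1700000002.789 20 10.0.0.9 TCP_MISS/200 300 POST http://95.164.53.100/private/yarsap_80541.php - HIER_DIRECT/95.164.53.100 -",
    "1700000003.000 20 10.0.0.9 TCP_MISS/200 300 GET http://1147.93.153.119/ - HIER_DIRECT/203.0.113.11 -",
]

# Constructed hash list as a scanner might print it: one dropper hash in upper case,
# one unrelated value (the SHA256 of empty input).
SAMPLE_HASHES = [
    "0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35".upper(),
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOG_LINES):
        print(f"line {idx}: {', '.join(hits)}")
    for digest, label in classify_hashes(SAMPLE_HASHES).items():
        print(f"{digest} -> {label}")
```

The last sample line is a deliberate near miss: a token-based comparison does not flag `1147.93.153.119`, whereas a plain substring search would. Feeding real logs is a matter of replacing `SAMPLE_LOG_LINES` with the lines read from a file.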