An Android remote access Trojan named BTMOB is being offered to cybercriminals with a builder interface that generates malware payloads tailored to phishing lures.
The malware provides a range of functionality, including stealing sensitive data, intercepting financial transactions, capturing screenshots, and remote control of the device.
Cybersecurity firm ESET says BTMOB is openly advertised on the clear web and operates as a malware-as-a-service (MaaS) platform. The APK builder included in the offering lets buyers customise the payload with no coding required.
Customers can choose from a set of permissions that the APK requests on installation and define the actions the app will take, such as disabling Google Play, hiding its icon to make it harder to remove from the device, and preventing sleep mode.

Source: ESET
Note that BTMOB is primarily active in Brazil and Latin America. This is not a new Android Trojan: ANY.RUN analyzed it in February 2025, and threat intelligence and digital risk protection company Cyble documented it as advanced Android malware.
At the time, Cyble found about 15 samples of BTMOB 2.5 in roughly two weeks, which suggests that the author was actively developing the malware.
According to ESET researchers, the malware is sold on a private Telegram channel. Threat actors can obtain it with a monthly subscription for $700 per month or pay $5,000 for a perpetual license.

Source: ESET
BTMOB appears to be an evolution of the SpySolr malware family and is distributed via phishing websites disguised as streaming services and cryptocurrency mining platforms.
ESET reports that potential victims are redirected to a portal that mimics Google Play and are prompted to download a fake app.
Researchers Johnk3r and Merl recently discovered a BTMOB campaign that used Argentine government agencies as decoys.

Source: Merle
The malware platform also helps operators generate custom phishing lures localized to the campaign theme. Once installed, the malware abuses Android Accessibility Services to gain elevated permissions and additional system access without user interaction.
Although ESET tracks these threats and updates its static detection rules accordingly, the rapid generation of new payloads can undermine the effectiveness of single-layer defenses.
We recommend that Android users only install apps from the official Google Play Store, scan them with Play Protect, and revoke dangerous and powerful permissions, such as accessibility access, if they are not explicitly needed.
