BTMOB Android malware service generates custom phishing payloads
By Bill Toulas, May 28, 2026 05:10 PM

An Android remote access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures. The malware provides a wide set of features, including stealing specific data, intercepting financial transactions, capturing screenshots, and remotely controlling the device.

Cybersecurity company ESET says that BTMOB is openly advertised on the clearweb and operates as a malware-as-a-service (MaaS) platform. The APK builder included in the offer allows easy customization of the payload without any need to write code. Customers can select which permissions the APK requests upon installation and define what actions the app should take, such as disabling Google Play, hiding its icon to make it harder to remove from the device, or preventing sleep mode.

[Image: BTMOB's payload builder. Source: ESET]

It should be noted that BTMOB is mostly active in Brazil and Latin America. It is not a new Android trojan: ANYRUN analyzed it in February 2025, and threat intelligence and digital risk protection company Cyble documented it as an advanced Android malware. At the time, Cyble spotted about 15 samples of BTMOB 2.5 in nearly two weeks, indicating that the author was actively developing the malware.

According to ESET researchers, sales are conducted in private Telegram channels. Threat actors can rent it for a monthly subscription of $700, or pay $5,000 for a lifetime license.

[Image: BTMOB clearnet site. Source: ESET]

BTMOB appears to be an evolution of the SpySolr malware family and is distributed via phishing websites masquerading as streaming services and cryptocurrency mining platforms. ESET reports that potential victims are redirected to portals mimicking Google Play and prompted to download the fake apps.
Researchers Johnk3r and Merl recently spotted BTMOB campaigns that used an Argentinian government agency as a lure.

[Image: Malicious apps on fake Google Play sites. Source: Merl]

The malware platform also helps operators generate custom, localized phishing lures to match the campaign's topic. Once installed, the malware abuses Android Accessibility Services to obtain elevated permissions and additional system access without further user interaction.

Although ESET is tracking the threat and updates its static detection rules accordingly, the rapid generation of new payloads can undermine the effectiveness of single-layered defenses. Android users are advised to install apps only from the official Google Play Store, scan with Play Protect, and revoke risky and powerful permissions, such as Accessibility access, when an app does not explicitly need them.
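The advice above to revoke Accessibility access is the one check a defender can script rather than eyeball. The following Python example is added here and is not part of the article or of ESET's tooling: it parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags every enabled Accessibility service whose package is either not on a local allowlist or was not installed by the Play Store (installer `com.android.vending`), which is exactly the profile of a sideloaded fake-store APK like the ones described. The sample outputs, the package name `com.example.streamplus`, and the allowlist contents are constructed for illustration.

```python
"""Triage enabled Android Accessibility services against install source.

Added example, not the article's or ESET's code. Feed it the raw output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
The sample strings below are constructed; replace them with real output.
"""

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample: Android stores the setting as colon-separated
# "package/ServiceClass" entries (a leading "." means relative to the package).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamplus/.AccService"
)

# Constructed sample of `pm list packages -i`; sideloaded apps show installer=null.
SAMPLE_PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.streamplus  installer=null
"""

# Packages whose Accessibility service is expected on this device (assumed allowlist).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value):
    """Return [(package, fully_qualified_service_class)] from the setting value."""
    value = setting_value.strip()
    if not value or value == "null":  # `settings get` prints "null" when unset
        return []
    entries = []
    for item in value.split(":"):
        if "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def parse_installers(pm_output):
    """Map package name -> installer package, or None when sideloaded."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, installer = body.partition("installer=")
        pkg, installer = pkg.strip(), installer.strip()
        installers[pkg] = None if installer in ("", "null") else installer
    return installers


def flag_accessibility_services(setting_value, pm_output, allowlist):
    """Return [(package, service_class, [reasons])] for services worth revoking."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, cls in parse_enabled_services(setting_value):
        reasons = []
        if pkg not in allowlist:
            reasons.append("not on allowlist")
        if pkg not in installers:
            reasons.append("not in package list")
        elif installers[pkg] is None:
            reasons.append("sideloaded")
        elif installers[pkg] != PLAY_STORE_INSTALLER:
            reasons.append(f"installer={installers[pkg]}")
        if reasons:
            flagged.append((pkg, cls, reasons))
    return flagged


if __name__ == "__main__":
    hits = flag_accessibility_services(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST, ALLOWLIST)
    for pkg, cls, reasons in hits:
        print(f"REVIEW {pkg} ({cls}): {', '.join(reasons)}")
        # A hidden launcher icon does not stop removal over adb.
        print(f"  remove with: adb uninstall {pkg}")
```

An app that hides its launcher icon still appears in `pm list packages`, so the uninstall hint works even when the victim cannot find the app in the drawer; a package that has also registered itself as a device administrator must be deactivated first, which this script does not check.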
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.