BTMOB Android malware service generates custom phishing payloads

Published: May 28, 2026 at 05:10 PM EDT

Source: Bleeping Computer

An Android remote‑access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures. The platform provides a wide set of capabilities, including data theft, interception of financial transactions, screenshot capture, and remote control.

Overview

  • Malware‑as‑a‑Service (MaaS) – advertised on the clearweb; the APK builder allows easy customization without any coding.
  • Customization – customers can choose the permissions the APK requests, define actions such as disabling Google Play, hiding the app icon, or preventing sleep mode.
  • Target region – primarily active in Brazil and Latin America.

Figure: BTMOB’s payload builder (Source: ESET)

History & Attribution

  • BTMOB is not a new trojan. It was analyzed by ANY.RUN in February 2025 and documented by Cyble as advanced Android malware.
  • Cyble reported about 15 samples of BTMOB 2.5 within two weeks, indicating active development.
  • ESET researchers describe BTMOB as an evolution of the SpySolr malware family.

Distribution & Campaigns

  • Sales are conducted in private Telegram channels. Pricing options include a $700 monthly subscription or a $5,000 lifetime license.
  • Distribution is carried out via phishing websites masquerading as streaming services or cryptocurrency‑mining platforms. Victims are redirected to portals that mimic Google Play and are prompted to download fake apps.

Figure: BTMOB clearnet site (Source: ESET)

  • Recent campaigns observed by researchers Johnk3r and Merl used an Argentinian government agency as a lure, delivering malicious apps on counterfeit Google Play pages.

Figure: Malicious apps on fake Google Play sites (Source: Merl)

Technical Details

  • The platform can generate custom, localized phishing lures that match the campaign’s topic.
  • Once installed, BTMOB abuses Android Accessibility Services to obtain elevated permissions and additional system access without further user interaction.

Detection & Mitigation

  • ESET continuously updates static detection rules, but the rapid generation of new payloads can undermine single‑layered defenses.
  • Recommendations for Android users:
    • Install apps only from the official Google Play Store.
    • Enable and rely on Play Protect.
    • Revoke risky permissions, especially Accessibility access, unless explicitly required.
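Because the article's key technical point is BTMOB's abuse of Android Accessibility Services, and its last recommendation is to revoke Accessibility access that is not explicitly needed, a defender wants a quick way to see which apps currently hold that access. The script below is an added example, not code from the article, ESET or Bleeping Computer. It reads the `enabled_accessibility_services` secure setting (a colon-separated list of `package/ServiceClass` entries that `adb shell settings get secure enabled_accessibility_services` returns, or `null` when none is enabled) and flags any package not on an allowlist. The allowlist contents and the constructed sample value are assumptions for illustration; when no device is attached over adb the script falls back to the constructed sample.

```shell
#!/bin/sh
# Audit which Android accessibility services are enabled and flag the ones
# that are not allowlisted. Added example; not from the article or ESET.
# Live input comes from:
#   adb shell settings get secure enabled_accessibility_services
# which prints "pkg/ServiceClass:pkg2/ServiceClass2" or "null" when unset.

# Packages allowed to hold accessibility access (assumption: adjust per fleet).
# com.google.android.marvin.talkback is Google's TalkBack screen reader.
ALLOWLIST="com.google.android.marvin.talkback"

# Constructed sample standing in for the adb output: a legitimate screen
# reader plus a fictional "streaming player" app holding accessibility access.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.streamplayer/com.example.streamplayer.a11y.HelperService"

# Print one package name per line from the colon-separated setting value.
# Drops the "null" marker and empty entries.
a11y_packages() {
    printf '%s' "$1" | tr ':' '\n' | sed 's#/.*##' | sed '/^null$/d;/^$/d'
}

# Print every package with accessibility access that is not on ALLOWLIST.
flag_unknown_a11y() {
    for pkg in $(a11y_packages "$1"); do
        allowed=0
        for ok in $ALLOWLIST; do
            [ "$pkg" = "$ok" ] && allowed=1
        done
        [ "$allowed" -eq 0 ] && printf '%s\n' "$pkg"
    done
    return 0
}

# Use the attached device when adb reports one; otherwise use the sample.
live_or_sample() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell settings get secure enabled_accessibility_services | tr -d '\r'
    else
        printf '%s' "$SAMPLE_SETTING"
    fi
}

# Any package printed here should be reviewed and, if not needed, have its
# accessibility access revoked in Settings > Accessibility.
flag_unknown_a11y "$(live_or_sample)"
```

Run with a device attached over adb to audit it, or without one to see the sample result (`com.example.streamplayer` is flagged, TalkBack is not). Treating the allowlist as the only trusted set, rather than trying to recognise malicious names, matches the article's advice: Accessibility access is revoked unless it is explicitly required.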
