An Android remote access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures.
The malware provides a wide set of features that includes stealing specific data, intercepting financial transactions, capturing screenshots, and remote control capabilities.
Cybersecurity company ESET says that BTMOB is openly advertised on the clearweb and operates as a malware-as-a-service (MaaS) platform. The APK builder included in the offer provides easy customization of the payload without any need to code.
Customers can select from a set of permissions the APK requests upon installation, and define what actions the app should take (e.g., disable Google Play, hide its icon to make it more difficult to remove from the device, or prevent sleep mode).
BTMOB’s payload builder
Source: ESET
It should be noted that BTMOB is mostly active in Brazil and Latin America. It is not a new Android trojan, as ANYRUN analyzed it in February 2025, and threat intelligence and digital risk protection company Cyble documented it as an advanced Android malware.
At the time, Cyble spotted about 15 samples of BTMOB 2.5 in nearly two weeks, indicating that the author was actively developing the malware.
According to ESET researchers, sales are conducted in private Telegram channels. Threat actors can get it with a monthly subscription of $700 monthly subscription, or they can pay $5,000 for a lifetime license.
BTMOB clearnet site
Source: ESET
BTMOB appears to be an evolution of the SpySolr malware family and is distributed via phishing websites masquerading as streaming services and cryptocurrency mining platforms.
ESET reports that potential victims are redirected to portals mimicking Google Play and prompted to download the fake apps. The
Researchers Johnk3r and Merl recently spotted BTMOB campaigns that used an Argentinian government agency as a lure.
Malicious apps on fake Google Play sites
Source: Merl
The malware platform also helps operators generate custom, localized phishing lures to match the campaign’s topic. Once installed, it abuses Android Accessibility Services to obtain elevated permissions and additional system access without further user interaction.
Although ESET is tracking the threat and updates static detection rules accordingly, the rapid generation of new payloads can undermine the effectiveness of single-layered defenses.
Android users are recommended to install only apps from the official Google Play Store on their phones, scan with Play Protect, and revoke risky and powerful permissions, such as Accessibility access, if not explicitly needed.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
Download Now
