BTMOB Android Malware Service Generates Custom Phishing Payloads
Enforce strict app permission policies, revoke unnecessary accessibility permissions, and restrict installations to the official Play Store to mitigate BTMOB attacks.
Summary
BTMOB is an Android remote access trojan offered as malware‑as‑a‑service, featuring a builder interface that lets cybercriminals generate custom phishing payloads.
The builder allows users to select requested permissions and define post‑install actions such as disabling Google Play, hiding the app icon, or preventing sleep mode, and then compile an APK without coding. ESET reports that BTMOB is primarily active in Brazil and Latin America, with sales conducted via private Telegram channels at $700 per month or $5,000 lifetime. The trojan, an evolution of the SpySolr family, is distributed through phishing sites masquerading as streaming services or cryptocurrency mining platforms, and it abuses Android Accessibility Services to gain elevated permissions.
Once installed, BTMOB can steal financial data, capture screenshots, and remotely control the device, while its rapid payload generation undermines single‑layer defenses. ESET continuously updates static detection rules, but the fast evolution of payloads requires defenders to enforce strict app permission policies and educate users to install only from the official Play Store. The malware’s presence in campaigns that target an Argentinian government agency demonstrates its potential for high‑profile phishing operations.
Key changes
- BTMOB offers a builder interface for custom phishing payloads.
- Builder lets users select permissions and post‑install actions (disable Google Play, hide icon, prevent sleep).
- Sold via Telegram channels at $700/month or $5,000 lifetime.
- Evolution of SpySolr family, distributed via phishing sites masquerading as streaming services.
- Uses Android Accessibility Services to gain elevated permissions.
- Can steal financial data, capture screenshots, and remotely control the device.
- Rapid payload generation undermines single‑layer defenses.
- ESET updates static detection rules; defenders must enforce strict app permission policies.
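As an added example (not part of the original brief or ESET's tooling), the audit below implements the mitigation the summary calls for: it cross-checks which packages currently hold Accessibility Service access against where each package was installed from, flagging any accessibility-enabled app that did not come from Google Play. The two inputs are constructed samples of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package names in them are hypothetical.

```python
import re
from typing import Dict, List, Set

# Google Play's package name; only installs attributed to it count as policy-compliant.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample (not from a real device) of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.stream.player/com.stream.player.svc.HelperService"
)

# Constructed sample (not from a real device) of:
#   adb shell pm list packages -i
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.stream.player  installer=null
package:com.android.chrome  installer=com.android.vending
"""


def parse_enabled_accessibility(raw: str) -> Dict[str, str]:
    """Map package -> enabled accessibility service class (entries are colon-separated)."""
    result: Dict[str, str] = {}
    for entry in raw.strip().split(":"):
        if "/" in entry:  # the setting reads "null" when nothing is enabled
            pkg, service = entry.split("/", 1)
            result[pkg] = service
    return result


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package -> installer package; 'null' means sideloaded, adb-installed or preinstalled."""
    result: Dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def find_sideloaded_accessibility(acc_raw: str, inst_raw: str) -> List[Dict[str, str]]:
    """Return accessibility-enabled packages whose installer is not a trusted store."""
    installers = parse_installers(inst_raw)
    findings = []
    for pkg, service in parse_enabled_accessibility(acc_raw).items():
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": service, "installer": installer})
    return findings


if __name__ == "__main__":
    for f in find_sideloaded_accessibility(SAMPLE_ACCESSIBILITY, SAMPLE_INSTALLERS):
        print(f"REVIEW: {f['package']} ({f['service']}) installer={f['installer']}")
```

Preinstalled system services also report `installer=null`, so a fleet run should carry an allowlist of known OEM accessibility packages; anything else that is both accessibility-enabled and not Play-installed is a candidate for permission revocation.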