BTMOB Android Malware-as-a-Service Generates Custom Phishing Payloads for Cybercriminals
Cybersecurity researchers have uncovered a malicious Android remote access trojan (RAT) called BTMOB that is being sold as a malware-as-a-service (MaaS) platform, allowing cybercriminals to easily generate customized phishing payloads.
According to cybersecurity firm ESET, BTMOB is openly advertised on the clearnet and provides an easy-to-use builder interface that lets attackers create tailored malicious APK files without any programming knowledge. The builder allows users to select requested app permissions and define malicious behaviors such as disabling Google Play, hiding the app icon to avoid detection, or preventing the device from entering sleep mode.
Once installed on a victim’s device, BTMOB gives attackers extensive control, including the ability to steal sensitive data, intercept financial transactions, capture screenshots, and remotely operate the infected device.
The malware service is believed to be primarily active in Brazil and other parts of Latin America. It is not entirely new; earlier research by security firms such as ANYRUN and Cyble identified previous versions of the malware, including BTMOB 2.5, and noted rapid development activity with multiple samples appearing in short timeframes.
Researchers say BTMOB is being distributed through phishing websites that imitate legitimate platforms such as streaming services and cryptocurrency-related pages. Victims are tricked into downloading fake applications that often resemble Google Play Store interfaces.
Recent campaigns have even used government-related themes as lures, including impersonation of an Argentinian government agency to increase credibility and trick users into installing the malicious app.
ESET also found that the malware’s operators run private sales channels on Telegram, offering access to the tool for around $700 per month or a $5,000 lifetime license.
BTMOB is considered an evolution of the SpySolr malware family. It abuses Android Accessibility Services to gain elevated permissions, enabling attackers to perform actions on infected devices without requiring additional user interaction.
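The builder options described above (requested permissions, a hidden app icon, keeping the device awake) and the Accessibility Service abuse all leave static traces in an APK's manifest, which is where a triage analyst would look first. The following Python script is an added example, not ESET's tooling or anything from the BTMOB builder; it parses a decoded AndroidManifest.xml and flags the indicators just described. The permission names are the standard Android identifiers, but mapping each one to a BTMOB behaviour is this example's own heuristic, and both manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Standard Android permission identifiers; the risk annotation next to each
# is this example's heuristic tie-in to the behaviours described in the article.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.WAKE_LOCK": "can keep the device from sleeping",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (transaction codes)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further APKs",
    "android.permission.REQUEST_DELETE_PACKAGES": "can request removal of other apps",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return static indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # 1. Requested permissions that match the heuristic list above.
    requested = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    for perm in sorted(requested & RISKY_PERMISSIONS.keys()):
        findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")

    # 2. Any service that binds as an Accessibility Service (the BTMOB
    #    privilege path): either the bind permission or the intent action.
    accessibility = False
    for svc in root.iter("service"):
        binds = svc.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND
        actions = {a.get(ATTR_NAME) for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            accessibility = True
            findings.append(f"accessibility service declared: {svc.get(ATTR_NAME)}")

    # 3. No MAIN + LAUNCHER activity means the app ships without a home-screen
    #    icon (the static form of the "hide the app icon" builder option).
    launcher = False
    for act in root.iter("activity"):
        actions = {a.get(ATTR_NAME) for a in act.iter("action")}
        cats = {c.get(ATTR_NAME) for c in act.iter("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            launcher = True
    if not launcher:
        findings.append("no LAUNCHER activity: app has no home-screen icon")

    return {
        "package": root.get("package"),
        "accessibility_service": accessibility,
        "launcher_activity": launcher,
        "findings": findings,
        "score": len(findings),
    }


# Constructed sample: a Play Store lookalike with the indicators above.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playstore.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Google Play">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app with a launcher icon and no risky permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(xml)
        print(f"{name} ({report['package']}): score {report['score']}")
        for line in report["findings"]:
            print("  -", line)
```

The check is deliberately static: an app can also hide its icon at runtime once it holds accessibility privileges, so an absent launcher entry is one signal among several, and the score is only a prioritisation aid for deciding which samples to run in a sandbox first.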
Security researchers warn that the platform’s ability to rapidly generate new customized payloads makes it harder for traditional, single-layer security defenses to detect and block all variants effectively.