
BTMOB Android Malware Powers Full Device Takeover Through Phishing and Fake App Stores

BTMOB Android Malware Expands Threat With Full Device Takeover and Financial Theft Capabilities

Cybersecurity researchers have raised concerns over a rapidly evolving Android remote access trojan (RAT) known as BTMOB, which is being used in phishing campaigns to steal data, conduct financial fraud, and gain full control of infected devices.

According to ESET, BTMOB is believed to be based on the SpySolr malware family and is primarily distributed through phishing lures that impersonate popular services such as streaming platforms, cryptocurrency-related tools, and other widely used applications.

The malware is offered as a malware-as-a-service product and includes an APK builder interface that allows cybercriminals to easily create customized malicious apps without coding knowledge. This enables attackers to tailor phishing campaigns to specific regions by mimicking local brands or government agencies to increase the likelihood of infection.

Security researchers say the malware is actively promoted through public-facing websites that redirect users to Telegram channels, as well as social media platforms such as X and Instagram. At one point, related files were even briefly distributed for free on a dark web forum before the site went offline.

BTMOB operators sell access to the toolkit for around $5,000 for a lifetime license, along with additional monthly support fees. This business model has helped expand its use among cybercriminal groups.

Attack chains typically begin with phishing messages that direct victims to fake websites imitating legitimate services. These sites then redirect users to counterfeit app stores that deliver malicious APK files disguised as trusted applications.

Once installed, BTMOB requests extensive permissions and abuses Android Accessibility Services to escalate privileges, often without requiring any additional user interaction.
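The two traits described in the attack chain above, a sideloaded APK from a counterfeit store and an app that has been granted the Accessibility Service, can be checked together from a device's ADB output. The script below is an added illustration, not ESET's or the article's code; the package names, the sample command output, and the trusted-installer list are constructed assumptions.

```python
"""Flag apps that hold an Accessibility Service grant but were not installed
from a trusted store. The constructed sample output mimics two ADB commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""
from typing import Dict, List, Optional, Set

# Constructed sample output (package names are invented for illustration).
ACCESSIBILITY_RAW = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.streamflix.player/com.streamflix.player.AccService"
)
PM_RAW = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.streamflix.player  installer=null
package:com.bank.app  installer=com.android.vending
"""

# Assumed trust list: Google Play only; extend with MDM or OEM store packages.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}


def parse_accessibility_services(raw: str) -> Set[str]:
    """Return package names that currently have an accessibility service enabled.
    The setting is a colon-separated list of package/ServiceClass entries."""
    pkgs = set()
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package -> installer package; 'null' or missing means sideloaded."""
    result: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installer = inst_part.strip()
        result[pkg] = None if installer in ("", "null") else installer
    return result


def find_suspicious(acc_raw: str, pm_raw: str, trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Accessibility-enabled packages whose installer is absent or untrusted."""
    enabled = parse_accessibility_services(acc_raw)
    installers = parse_installers(pm_raw)
    return sorted(p for p in enabled if installers.get(p) not in trusted)
```

Run against a real device by piping the two ADB commands' output into the parsers; a hit on an app that was installed from a website rather than a store is the pattern this article describes.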

Unlike traditional banking trojans that primarily focus on stealing financial credentials, BTMOB provides attackers with broader capabilities, including data exfiltration, screen capture, device monitoring, and full remote control of infected devices.

Researchers also note that the malware is rapidly evolving, with multiple variants appearing in short time spans. However, certain infrastructure patterns remain consistent across versions, allowing analysts to track its activity.

Although BTMOB has been most frequently observed in campaigns targeting users in Latin America, cybersecurity experts warn that its reach and potential impact extend globally.
