Home News BTMOB Malware-as-a-Service Enables Cybercriminals to Launch Custom Android Phishing Attacks
News

BTMOB Malware-as-a-Service Enables Cybercriminals to Launch Custom Android Phishing Attacks

45

BTMOB Android Malware-as-a-Service Generates Custom Phishing Payloads for Cybercriminals

Cybersecurity researchers have uncovered a malicious Android remote access trojan (RAT) called BTMOB that is being sold as a malware-as-a-service (MaaS) platform, allowing cybercriminals to easily generate customized phishing payloads.

According to cybersecurity firm ESET, BTMOB is openly advertised on the clearnet and provides an easy-to-use builder interface that lets attackers create tailored malicious APK files without any programming knowledge. The builder allows users to select requested app permissions and define malicious behaviors such as disabling Google Play, hiding the app icon to avoid detection, or preventing the device from entering sleep mode.

Once installed on a victim’s device, BTMOB gives attackers extensive control, including the ability to steal sensitive data, intercept financial transactions, capture screenshots, and remotely operate the infected device.

The malware service is believed to be primarily active in Brazil and other parts of Latin America. It is not entirely new; earlier research by security firms such as ANYRUN and Cyble identified previous versions of the malware, including BTMOB 2.5, and noted rapid development activity with multiple samples appearing in short timeframes.

Researchers say BTMOB is being distributed through phishing websites that imitate legitimate platforms such as streaming services and cryptocurrency-related pages. Victims are tricked into downloading fake applications that often resemble Google Play Store interfaces.

Recent campaigns have even used government-related themes as lures, including impersonation of an Argentinian government agency to increase credibility and trick users into installing the malicious app.

ESET also found that the malware’s operators run private sales channels on Telegram, offering access to the tool for around $700 per month or a $5,000 lifetime license.

BTMOB is considered an evolution of the SpySolr malware family. It abuses Android Accessibility Services to gain elevated permissions, enabling attackers to perform actions on infected devices without requiring additional user interaction.

Security researchers warn that the platform’s ability to rapidly generate new customized payloads makes it harder for traditional, single-layer security defenses to detect and block all variants effectively.

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Articles

News

23andMe Agrees to $18 Million Settlement Over 2023 Genetic Data Breach

Genetic testing company 23andMe, now operating as Chrome Holding Co., has agreed...

News

Two Scattered Spider Hackers Sentenced to Prison Over Major TfL Cyberattack

Two members of the Scattered Spider cybercrime group have been sentenced to...

News

Dutch Police Bust International Investment Fraud Ring Linked to Over €100 Million in Monthly Scams

Dutch police have arrested multiple suspects believed to be part of an...

News

Spanish Police Dismantle €140 Million Cyber Fraud Network, Four Arrested

Spanish police have dismantled a major cybercrime and money-laundering network that allegedly...