
BTMOB builder lets criminals forge phishing-ready Android malware

BTMOB Android – ESET says BTMOB is openly advertised as malware-as-a-service on the clearweb, complete with an APK builder that lets operators customize permissions and stealth tactics for phishing lures. The Android remote access trojan is mostly active in Brazil and Latin A

The offer looks simple enough to click through—until you realize what it’s built to produce.

ESET reports that an Android remote access trojan named BTMOB is marketed to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures. The pitch frames it like a tool kit, not a secret—something customers can configure without writing code.

BTMOB’s capabilities go far beyond “remote control” as a buzzword. ESET says the malware can steal specific data, intercept financial transactions, capture screenshots, and take remote control actions on an infected Android device.


What turns the service into a business is the APK builder included in the offer. ESET says the builder makes it easy to customize what the final malicious app requests from the victim at installation. Customers can choose from a set of permissions the APK asks for, and define what the app should do once it lands on the phone. That includes options like disabling Google Play, hiding its icon to make it harder to remove, and preventing sleep mode.

ESET says BTMOB is openly advertised on the clearweb and operates as a malware-as-a-service (MaaS) platform. The company also notes that BTMOB is mostly active in Brazil and Latin America, and emphasizes that it is not brand new: ANYRUN analyzed it in February 2025, and threat intelligence and digital risk protection company Cyble documented it as an advanced Android malware.


Cyble’s work, ESET says, found signs the operator was actively developing it. About 15 samples of BTMOB 2.5 were observed in nearly two weeks, pointing to ongoing updates rather than a stagnant product.

The commercial details add another layer of urgency: ESET reports that sales are conducted in private Telegram channels. Threat actors can buy access with a monthly subscription of $700, or they can pay $5,000 for a lifetime license.


ESET also describes how BTMOB spreads—often by disguising itself as something people feel safe downloading. The trojan appears to be an evolution of the SpySolr malware family and is distributed via phishing websites masquerading as streaming services and cryptocurrency mining platforms. ESET says potential victims are redirected to portals mimicking Google Play, where they are prompted to download fake apps.

The lures aren’t limited to generic bait, either. ESET says BTMOB campaigns have been seen using localized phishing content that matches a campaign’s topic. In a recent case, researchers Johnk3r and Merl spotted BTMOB campaigns that used an Argentinian government agency as a lure.


Once installed, ESET says, the malware abuses Android Accessibility Services to obtain elevated permissions and additional system access without further user interaction. That is a key operational advantage for attackers running a service like BTMOB: the platform can generate new, localized payloads quickly enough that defenders relying on a single layer of filtering may fall behind.

ESET says it is tracking the threat and updating static detection rules accordingly. But the company warns that rapid payload generation can undermine defenses that depend on one-time detection approaches.

For Android users, the recommended steps are blunt and practical: install apps only from the official Google Play Store, scan with Play Protect, and revoke risky and powerful permissions—such as Accessibility access—if they aren’t explicitly needed.
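Two of the behaviours described above, an enabled accessibility service and a hidden launcher icon, can both be checked from a workstation with adb. The following script is an added example written for this page; it is not ESET's tooling, nor anything from the BTMOB operators. The package names and command outputs embedded in it are constructed for illustration (they are not BTMOB indicators), the allowlist of accessibility packages is an assumption you would edit for your own devices, and the exact line format of the launcher-activity query is assumed to be `<package>/<activity>` as printed by `cmd package query-activities --brief`.

```shell
#!/bin/sh
# Added triage example (not code from the article, ESET, or the malware).
# Real device queries are shown in comments; the SAMPLE_* values below are
# constructed stand-ins so the script runs offline.

# Assumption: packages whose accessibility services are expected here.
ALLOWED_ACCESSIBILITY_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# Real query:  adb shell settings get secure enabled_accessibility_services
# Format: ':'-separated component names, "<package>/<service class>".
SAMPLE_ACCESSIBILITY='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.streamtv/.a.AccessService'

# Real query:  adb shell pm list packages -3        (third-party packages)
SAMPLE_THIRD_PARTY='package:com.whatsapp
package:com.example.streamtv
package:com.example.fontpack'

# Real query (assumed output format "<package>/<activity>", one per line):
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
SAMPLE_LAUNCHERS='com.whatsapp/.Main
com.android.settings/.Settings'

# Print every enabled accessibility service whose package is not allowlisted.
# $1: raw value of enabled_accessibility_services
flag_accessibility_services() {
    # printf with '\n' so the final component is still read (read fails on EOF
    # without a trailing newline and the loop body would be skipped).
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r component; do
        [ -n "$component" ] || continue
        pkg=${component%%/*}
        case " $ALLOWED_ACCESSIBILITY_PKGS " in
            *" $pkg "*) ;;                       # expected assistive tech
            *) printf 'SUSPECT accessibility service: %s\n' "$component" ;;
        esac
    done
}

# Print third-party packages that expose no launcher activity, i.e. apps that
# have no icon to tap (or that hid it). Caveat: keyboards, font packs and
# library-style apps legitimately have no icon, so this is a triage list.
# $1: output of `pm list packages -3`; $2: launcher-activity query output
find_iconless_third_party() {
    printf '%s\n' "$1" | sed -n 's/^package://p' | while IFS= read -r pkg; do
        esc=$(printf '%s' "$pkg" | sed 's/\./\\./g')   # literal dots in regex
        if ! printf '%s\n' "$2" | grep -q "^[[:space:]]*${esc}/"; then
            printf 'NO LAUNCHER ICON: %s\n' "$pkg"
        fi
    done
}

# Run both checks over the constructed samples.
flag_accessibility_services "$SAMPLE_ACCESSIBILITY"
find_iconless_third_party "$SAMPLE_THIRD_PARTY" "$SAMPLE_LAUNCHERS"

# Remediation once you have confirmed a package is unwanted (real commands):
#   adb shell pm disable-user --user 0 <package>     # neutralise first
#   adb shell pm uninstall --user 0 <package>        # then remove
# Turning the accessibility service off in Settings > Accessibility before
# uninstalling avoids the service interfering with the removal dialogs.
```

Treat a hit from either check as a lead, not a verdict: the accessibility allowlist must reflect the assistive tools actually in use, and an icon-less third-party app is only suspicious when you cannot account for it.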


4 Comments

  1. Wait, it says they can customize permissions and steal stuff… I feel like Android should’ve fixed this ages ago. Also why is it “on the clearweb” like it’s just a shopping site??

  2. I don’t really get the “APK builder” part. Like if it’s on the clearweb, wouldn’t Google just take it down? Maybe it’s not even for real, just ESET trying to scare people. But screenshots and stopping sleep mode?? That sounds like it’s for VPNs or something.

  3. Ugh Brazil and Latin America again… like this is always somewhere else. “Not brand new” so what have we been doing this whole time? If you can hide the icon and disable Play Store, that’s basically unbeatable for normal folks. I saw a guy say you can just factory reset and it’s fine, but I’m not convinced.
