BTMOB Android RAT-as-a-Service — Custom Phishing Payloads at Scale
BTMOB is an Android RAT sold as a malware-as-a-service platform with a builder interface for generating customized phishing payloads targeting Brazilian and Latin American mobile users.
Summary
BTMOB is an Android remote access trojan (RAT) sold as a malware-as-a-service (MaaS) platform that includes a builder interface for generating customized phishing payloads. First documented by Cyble in February 2025 and subsequently analyzed by ESET and WatchGuard, the malware has evolved through multiple versions — currently at v4.5.5 — with expanding capabilities and a growing customer base.
The platform is openly advertised on the clearweb and sold through private Telegram channels. Pricing is $700 per month for a subscription or $5,000 for a lifetime license. The APK builder allows customers to select permissions, define actions (disable Google Play, hide the app icon, prevent sleep mode), and customize phishing lures for specific regions — all without writing any code.
BTMOB capabilities include keystroke logging, screenshot capture, financial transaction interception, remote control via Android Accessibility Services, and automated credential theft through HTML injection overlays when targeted apps are opened. It can also unlock devices, capture Alipay PINs, and exfiltrate contact lists, call logs, and SMS data.
Distribution relies on phishing websites masquerading as streaming services and cryptocurrency mining platforms. Victims are redirected to fake Google Play Store listings that prompt APK installation. Once installed, BTMOB abuses Accessibility Services to grant itself elevated permissions without further user interaction.
The malware is primarily active in Brazil and Latin America, though its phishing-based delivery and device takeover capabilities pose risks beyond the region. ESET tracks BTMOB as an evolution of the SpySolr, CypherRAT, and CraxsRAT malware families. In one observed campaign, threat actors used an Argentinian government agency as a lure.
Why It Matters
BTMOB represents the commoditization of Android device compromise. The builder interface means that anyone — not just skilled malware developers — can generate tailored phishing payloads for specific targets, regions, or campaigns. The rapid pace of new payload generation undermines signature-based detection. For organizations with mobile workforces or BYOD policies, BTMOB demonstrates that mobile device compromise is no longer the domain of sophisticated nation-state actors; it is accessible to any threat actor willing to pay a subscription.
Defender Takeaways
- Review mobile device management (MDM) policies — ensure sideloading is restricted and Google Play Protect is enforced on corporate devices.
- Monitor for unauthorized Accessibility Service grants on Android devices — this is a common TTP for mobile RATs.
- Educate users about the risks of installing apps from outside the official Google Play Store, particularly from phishing links.
- Consider mobile threat defense solutions that can detect anomalous accessibility service usage and overlay attacks.
- If operating in Latin America, treat BTMOB as an active threat requiring specific monitoring for fake streaming/crypto websites targeting your industry.
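The Accessibility Service takeaway above can be turned into a concrete check. The following script is an added example (not code from the article, ESET or BleepingComputer): it parses the output of two adb commands an MDM operator or responder would run on a managed device (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any enabled service whose package is not on an allowlist or was not installed from the Play Store. The allowlist and the sample command outputs are constructed placeholders.

```python
"""Flag Android Accessibility Service grants outside an allowlist (added example, not from the article).
Inputs are the outputs of `adb shell settings get secure enabled_accessibility_services`
and `adb shell pm list packages -i`; the samples below are constructed placeholders."""
from typing import Dict, List, Set
PLAY_STORE_INSTALLER = "com.android.vending"
ALLOWED_SERVICE_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}  # constructed allowlist

# Constructed sample: Android stores enabled services as colon-separated "package/service" entries
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamplayer/com.example.streamplayer.AccService"
)
# Constructed sample of `pm list packages -i`; installer=null is typical of sideloaded APKs
PM_LIST_OUTPUT = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.streamplayer  installer=null
package:com.android.chrome  installer=com.android.vending
"""

def parse_enabled_services(setting: str) -> List[str]:
    """Split the secure setting into service names; 'null' or empty means nothing enabled."""
    if not setting or setting.strip() == "null":
        return []
    return [s for s in setting.strip().split(":") if s]

def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package name ('null' when unknown/sideloaded)."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = installer.strip() or "null"
    return installers

def find_suspicious_grants(setting: str, pm_output: str) -> List[Dict[str, str]]:
    """Return enabled services whose package is not allowlisted or was not installed from Play."""
    installers = parse_installers(pm_output)
    findings = []
    for svc in parse_enabled_services(setting):
        pkg = svc.split("/", 1)[0]
        installer = installers.get(pkg, "unknown")
        if pkg in ALLOWED_SERVICE_PACKAGES and installer == PLAY_STORE_INSTALLER:
            continue  # expected accessibility tool from the official store
        findings.append({"service": svc, "package": pkg, "installer": installer})
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_grants(ENABLED_SERVICES, PM_LIST_OUTPUT):
        print(f"ALERT accessibility grant: {hit['service']} (installer={hit['installer']})")
```

On a real fleet, feed the two command outputs per device into `find_suspicious_grants` and alert on any non-empty result; a sideloaded package holding an Accessibility grant is the pattern the article attributes to BTMOB.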
Source
Title: BTMOB Android malware service generates custom phishing payloads — BleepingComputer/ESET
URL: https://www.bleepingcomputer.com/news/security/btmob-android-malware-service-generates-custom-phishing-payloads/
Related
- Social Engineering — detection and response for T1566 techniques
- Malware Analysis Fundamentals — detection and response for T1204 techniques
