Malware as a Service with a Built-in App Builder
A new Android remote access trojan called BTMOB is being offered to cybercriminals through a malware-as-a-service model. The platform includes a builder interface that allows attackers to generate custom malware payloads tailored to specific phishing campaigns without needing any coding skills. Cybersecurity firm ESET reports that BTMOB is openly advertised on the clear web and sold through private Telegram channels.
The service gives customers a wide range of features including data theft, financial transaction interception, screenshot capture, and remote control over infected devices. The APK builder lets users select which permissions the malicious app requests upon installation, hide the app icon to make removal difficult, disable Google Play, and prevent the device from entering sleep mode.
Distribution and Current Activity
BTMOB is primarily active in Brazil and Latin America, though it is not a new threat. Security researchers first analyzed the malware in early 2025, and it appears to be an evolution of the SpySolr malware family. The trojan is distributed through phishing websites that impersonate streaming services, cryptocurrency mining platforms, and even a government agency in Argentina. These sites direct potential victims to fake Google Play pages that host the malicious applications.
Once installed, BTMOB abuses Android Accessibility Services to gain elevated permissions and additional system access without further user interaction. The malware platform also helps operators generate localized phishing lures to match specific campaign topics. ESET notes that while they track the threat with static detection rules, the rapid generation of new payloads can undermine single layer defenses. Android users are advised to only install apps from the official Google Play Store, use Play Protect, and revoke unnecessary permissions like Accessibility access.
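The last piece of that advice, checking which apps hold Accessibility access, is something an administrator can audit from a connected device. The script below is an added example and not code from ESET or BleepingComputer; it parses the raw value of the Android secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`) and flags any package not on an allowlist. The allowlist contents and the sample device output are assumptions constructed for the example.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.

Input is the value of the secure setting 'enabled_accessibility_services':
    adb shell settings get secure enabled_accessibility_services
It is a colon-separated list of ComponentName strings ("package/class"),
or the literal "null" when no accessibility service is enabled.
"""
from typing import List, NamedTuple, Tuple

# Hypothetical allowlist: packages an organisation has approved for Accessibility access.
ALLOWED_PACKAGES = frozenset({"com.google.android.marvin.talkback"})


class AccessibilityService(NamedTuple):
    package: str
    service: str
    allowed: bool


def parse_enabled_services(setting_value: str) -> List[Tuple[str, str]]:
    """Split the raw setting value into (package, fully qualified class) pairs."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    components = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, service = entry.partition("/")
        # A leading dot is ComponentName shorthand for a class inside the package.
        if service.startswith("."):
            service = package + service
        components.append((package, service))
    return components


def audit(setting_value: str, allowlist=ALLOWED_PACKAGES) -> List[AccessibilityService]:
    """One record per enabled service, marking those outside the allowlist."""
    return [AccessibilityService(pkg, svc, pkg in allowlist)
            for pkg, svc in parse_enabled_services(setting_value)]


def suspicious(setting_value: str, allowlist=ALLOWED_PACKAGES) -> List[str]:
    """Packages holding Accessibility access that were never approved (sorted)."""
    return sorted({r.package for r in audit(setting_value, allowlist) if not r.allowed})


# Constructed sample output (not real device data): TalkBack plus an unknown sideloaded app.
SAMPLE = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
          "com.example.streamplayer/.AccService")

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print(("OK     " if rec.allowed else "REVIEW ") + rec.package + " " + rec.service)
```

Any package reported as REVIEW should be checked against the device's installed apps; a sideloaded app with no launcher icon and an active accessibility service matches the behaviour described above and is a candidate for removal.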
Source: BleepingComputer