Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
Facebook X (Twitter) Instagram
Thursday, June 25
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»BTMOB Android RAT Spreads Through No-Code Builder Tooling
News

BTMOB Android RAT Spreads Through No-Code Builder Tooling

Team-CWDBy Team-CWDMay 26, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


An Android remote access trojan (RAT) that lets buyers build their own custom payloads without writing a line of code has been observed spreading through phishing campaigns across Brazil and beyond.

According to new analysis from ESET, the malware, known as BTMOB, pairs phishing-based delivery with a packaged app-building tool and full device takeover.

First documented in February 2025, BTMOB evolved from the earlier SpySolr family and extends beyond a typical banking trojan. Rather than only chasing financial credentials, it can exfiltrate data, capture screenshots, record on-device activity and hand operators remote control of the phone.

Sold as a Product, Built Without Code

What sets BTMOB apart, however, is its commercial packaging. The RAT ships with an APK builder interface that lets buyers quickly generate new payloads and retool phishing lures for specific countries, with no coding required.

Distribution follows a familiar social-engineering pattern. Operators steer victims to phishing sites posing as streaming services, crypto-mining platforms or other recognizable brands, then funnel them toward fake app stores that prompt installation of a malicious APK.

Once on the device, BTMOB abuses Android’s Accessibility Services to escalate its own permissions and grant itself deeper system access without further user interaction.

Researchers have already seen the kit adapted to impersonate local institutions, including campaigns spoofing Argentina’s tax and customs authorities.

Read more on Android MaaS threats: New Android Albiriox Malware Gains Traction in Dark Web Markets

Cheap Licenses, Fast Mutation

BTMOB is sold through a malware-as-a-service (MaaS) model, marketed on a surface-web promotional page that channels buyers to a Telegram operator, alongside seller accounts on X and Instagram.

ESET said a reported $5,000 lifetime license plus a monthly support fee is modestly set against the proceeds of a successful fraud operation, and the service model lowers the bar for less skilled criminals.

That economic logic also makes containment hard. In January 2026, a dark web forum briefly advertised BTMOB files for free before going offline, a reminder that commercial malware rarely stays locked to paying customers once resale and sharing take hold.

Because new variants can be spun up so quickly, ESET warned defenders to expect rapid payload turnover rather than a fixed set of samples.

The company advised users to install apps only from official stores, treat unsolicited links with suspicion and run mobile security software with the same rigor applied to other devices.

“Corporate security teams must make it clear to employees that a single rogue download could expose the company’s crown jewels,” ESET concluded.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleMini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
Next Article Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials
Team-CWD
  • Website

Related Posts

News

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026
News

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
News

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

June 24, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

A stealthy RAT burrowing deep into Android devices

May 26, 2026

What it is and how to protect yourself

January 8, 2026

Why LinkedIn is a hunting ground for threat actors – and how to protect yourself

January 16, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.