


Perceptive Security
SOC/SIEM Consultancy

BTMOB Android malware service generates custom phishing payloads
Published:
28 May 2026 at 21:10:11
Alert date:
28 May 2026 at 22:04:22
Source:
bleepingcomputer.com
Mobile & IoT, Ransomware & Malware
BTMOB is an Android remote access trojan offered to cybercriminals through a malware-as-a-service model. The service provides a builder interface that allows threat actors to generate custom malware payloads specifically tailored for phishing campaigns. This represents an evolution in cybercriminal services, making sophisticated mobile malware more accessible to less technically skilled attackers. The service enables the creation of targeted phishing lures combined with malicious Android applications. BTMOB poses a significant threat to Android users as it democratizes access to advanced mobile malware capabilities.
Technical details
BTMOB is an Android remote access trojan offered as malware-as-a-service (MaaS) with a builder interface for generating custom phishing payloads. The malware steals specific data, intercepts financial transactions, captures screenshots, and provides remote control capabilities. It abuses Android Accessibility Services to obtain elevated permissions and additional system access without user interaction. The APK builder allows customization without coding, enabling selection of permissions and actions like disabling Google Play, hiding icons, and preventing sleep mode. It is distributed via phishing websites masquerading as streaming services and cryptocurrency mining platforms, redirecting victims to fake Google Play stores.
Mitigation steps:
Install only apps from the official Google Play Store
Scan installed apps with Google Play Protect
Revoke risky and powerful permissions such as Accessibility access if not explicitly needed
Implement multi-layered security defenses, since the builder allows rapid payload generation
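As an added example for the Accessibility mitigation above (not code from the original alert or from the linked reports), the following POSIX shell script shows how a defender can audit which packages hold an Accessibility Service grant on an Android device and report any that are not on an allowlist. It reads the secure settings `accessibility_enabled` and `enabled_accessibility_services` via `adb`; the allowlist, the `com.example.fakeplayer` package, and the sample setting value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original alert or the named vendors.
# Audits Android Accessibility Service grants against an allowlist.
# Assumptions: `adb` is on PATH and a device is connected for the live
# check; ALLOWED_PKGS and SAMPLE below are constructed values.

# Constructed allowlist of packages expected to run accessibility services
# (colon-separated, the same delimiter Android uses for the setting itself).
ALLOWED_PKGS="com.google.android.marvin.talkback:com.android.settings"

# The secure setting `enabled_accessibility_services` holds a colon-separated
# list of ComponentName strings (package/ServiceClass); `settings get` prints
# "null" when nothing is enabled. Prints one line per enabled package that is
# not in ALLOWED_PKGS, and nothing when every grant is expected.
unexpected_accessibility_services() {
    value="$1"
    [ "$value" = "null" ] && return 0
    old_ifs="$IFS"
    IFS=':'
    for component in $value; do
        [ -z "$component" ] && continue
        pkg="${component%%/*}"          # strip the "/ServiceClass" part
        case ":$ALLOWED_PKGS:" in
            *":$pkg:"*) ;;              # expected service, nothing to report
            *) printf '%s\n' "$pkg" ;;  # unexpected grant: report the package
        esac
    done
    IFS="$old_ifs"
}

# Live check against a connected device. Reports the global toggle and any
# unexpected grants; revoking the grant is left to the device owner via
# Settings > Accessibility, which is the step the alert recommends.
audit_device_accessibility() {
    enabled=$(adb shell settings get secure accessibility_enabled | tr -d '\r')
    services=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    echo "accessibility_enabled=$enabled"
    unexpected=$(unexpected_accessibility_services "$services")
    if [ -n "$unexpected" ]; then
        echo "Unexpected accessibility services granted to:"
        echo "$unexpected"
        return 1
    fi
    echo "No unexpected accessibility services."
}

# Constructed sample value: TalkBack (expected) plus a third-party app that
# should not hold this grant. Offline demonstration of the parser.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeplayer/com.example.fakeplayer.AccSvc"
unexpected_accessibility_services "$SAMPLE"
```

Run `audit_device_accessibility` with a device attached to check a real handset; the function exits non-zero when an unexpected grant is found so it can gate a fleet check. The parser is kept separate from the `adb` calls so it can be exercised offline, as the sample at the end does.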
Affected products:
Android devices
Android Accessibility Services
Related links:
https://any.run/malware-trends/btmob/
http://cyble.com/blog/btmob-rat-newly-discovered-android-malware/
https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
https://x.com/johnk3r
https://x.com/Merlax_
Related CVEs:
Related threat actors:
IOCs:
BTMOB 2.5 samples
Fake Google Play sites
Phishing websites masquerading as streaming services
Fake cryptocurrency mining platforms
Argentinian government agency lure campaigns
This article was created with the assistance of AI technology by Perceptive.
