
BTMOB Android malware service generates custom phishing payloads

Published:

28 May 2026 at 21:10:11

Alert date:

28 May 2026 at 22:04:22

Source:

bleepingcomputer.com


Mobile & IoT, Ransomware & Malware

BTMOB is an Android remote access trojan (RAT) sold to cybercriminals under a malware-as-a-service (MaaS) model. The service includes a builder that lets operators generate custom malware payloads tailored to their own phishing campaigns, pairing a targeted phishing lure with a malicious Android application. Because the builder requires no development skill, it puts capable mobile malware in the hands of less technically skilled attackers, which is what makes BTMOB a significant threat to Android users.

Technical details

BTMOB is an Android RAT offered as malware-as-a-service with a builder interface for generating custom phishing payloads. The malware steals data from the infected device, intercepts financial transactions, captures screenshots, and gives the operator remote control of the device. Once the victim grants it Accessibility access, it abuses Android Accessibility Services to grant itself additional permissions and system access without further user interaction. The APK builder requires no coding: the operator selects the permissions the app will request and the actions it will take, such as disabling Google Play, hiding the app icon, and preventing the device from sleeping. It is distributed through phishing websites posing as streaming services and cryptocurrency mining platforms, which redirect victims to fake Google Play store pages that deliver the malicious APK.

Mitigation steps:

Install apps only from the official Google Play Store and keep Play Protect scanning enabled. Review which apps hold powerful permissions, above all Accessibility access, and revoke any grant that is not explicitly needed; a streaming or mining app has no legitimate reason to ask for it. Because the builder lets operators turn out new payloads quickly, do not rely on signature matching alone: combine on-device protection with device-management policies that block sideloading and restrict Accessibility grants, and block the phishing and fake Play Store domains at the network edge.
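The Technical details above explain that the malware depends on an Accessibility Service grant to drive the device and arrives as an APK from outside Google Play, and the mitigation steps ask you to revoke unneeded Accessibility access and avoid sideloading. The following POSIX shell script is an added example, not code from the advisory, from BleepingComputer or from the malware's authors: over adb it reads the two values that expose both conditions, `settings get secure enabled_accessibility_services` and `pm list packages -3 -i`, and flags Accessibility services belonging to packages outside an allowlist as well as third-party packages whose installer is not Google Play. The allowlist, the trusted-installer list, the package names and the sample data are assumptions chosen for illustration; adapt them to your fleet.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an Android device over adb for the two
# conditions the mitigation steps call out, sideloaded third-party apps and unexpected
# Accessibility Service grants. Allowlists and sample data are assumptions.

# Accessibility services a fleet would normally expect to see enabled (assumption).
ACCESSIBILITY_ALLOWLIST="com.google.android.marvin.talkback com.android.switchaccess"

# Installers treated as trusted; com.android.vending is Google Play (assumption: extend per fleet).
TRUSTED_INSTALLERS="com.android.vending"

in_list() {  # in_list NEEDLE "word list" -> exit 0 if NEEDLE is one of the words
  for w in $2; do [ "$1" = "$w" ] && return 0; done
  return 1
}

# flag_accessibility_services VALUE
# VALUE is the raw string from `settings get secure enabled_accessibility_services`:
# colon-separated ComponentNames such as pkg/.Service. Prints "OK <component>" or
# "SUSPECT <component>" per entry; "null" or an empty string means nothing is enabled.
flag_accessibility_services() {
  value=$(printf '%s' "$1" | tr -d '\r')
  if [ -z "$value" ] || [ "$value" = "null" ]; then return 0; fi
  printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r comp; do
    [ -z "$comp" ] && continue
    pkg=${comp%%/*}                      # package name is everything before the slash
    if in_list "$pkg" "$ACCESSIBILITY_ALLOWLIST"; then
      printf 'OK %s\n' "$comp"
    else
      printf 'SUSPECT %s\n' "$comp"
    fi
  done
}

# flag_sideloaded LINES
# LINES is the output of `pm list packages -3 -i` (third-party packages with installer),
# one "package:<pkg>  installer=<installer>" per line. Prints "SIDELOADED <pkg> <installer>"
# for every package whose installer is not trusted; installer=null on a third-party
# package means it was pushed over adb or installed from a downloaded file.
flag_sideloaded() {
  printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r line; do
    case $line in package:*) ;; *) continue ;; esac
    rest=${line#package:}
    pkg=$(printf '%s' "$rest" | awk '{print $1}')
    installer=${rest##*installer=}
    if ! in_list "$installer" "$TRUSTED_INSTALLERS"; then
      printf 'SIDELOADED %s %s\n' "$pkg" "$installer"
    fi
  done
}

# With --device, query the attached phone; otherwise run on constructed sample data
# so the script can be exercised without a device.
if [ "${1:-}" = "--device" ]; then
  flag_accessibility_services "$(adb shell settings get secure enabled_accessibility_services)"
  flag_sideloaded "$(adb shell pm list packages -3 -i)"
else
  # Constructed sample (assumption): one legitimate TalkBack grant and one unknown
  # service from a package that arrived outside Google Play.
  SAMPLE_ACC='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.streamtv.player/.ScreenService'
  SAMPLE_PKGS='package:com.streamtv.player  installer=null
package:com.whatsapp  installer=com.android.vending'
  flag_accessibility_services "$SAMPLE_ACC"
  flag_sideloaded "$SAMPLE_PKGS"
fi
```

Run it as `sh audit.sh --device` with one device attached and USB debugging enabled; without the flag it runs on the embedded sample and reports the streaming app's service as SUSPECT and the package as SIDELOADED. The query is restricted to third-party packages with -3 on purpose: preinstalled system apps legitimately report installer=null, and including them would bury the one line that matters.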

Affected products:

Android devices
Android Accessibility Services

Related links:

Related CVEs:

Related threat actors:

IOCs:

BTMOB 2.5 samples
Fake Google Play sites
Phishing websites masquerading as streaming services
Fake cryptocurrency mining platforms
Argentinian government agency lure campaigns

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
