As reported by ESET's We Live Security, BTMOB is an Android remote access trojan (RAT) that, while not detected in high volumes, presents a significant threat due to its capabilities and ease of use. Its combination of phishing-based delivery, a user-friendly app-building tool, and comprehensive device control features makes it a concern for users globally, extending beyond its initial focus on Brazil and Latin America.First identified in February 2025, BTMOB evolved from the SpySolr malware. Unlike typical banking trojans, BTMOB offers adversaries a wider range of malicious actions, including data exfiltration, screen capture, activity recording, and complete remote device control. A key feature is its APK builder interface, which allows users to create new malicious payloads and adapt phishing lures for different regions without needing to write any code. Distribution typically begins with social engineering tactics, leading victims to phishing websites that mimic legitimate services. From there, users are directed to fake app stores to download a malicious APK.BTMOB abuses Android Accessibility Services to gain elevated permissions and further system access. Marketed as a malware-as-a-service (MaaS), BTMOB is sold with a lifetime license and monthly support, lowering the barrier for entry for less sophisticated attackers. This model also risks the tool moving into secondary markets, increasing its accessibility. The rapid generation of new variants means defenders face a constantly evolving threat landscape, with ESET products detecting it under various names like MSIL/BtmobRat and Android/Spy.Agent.EED.Source: We Live Security
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AdwareYou can skip this ad in 5 seconds



