BTMOB RAT Spreads Across Brazil, LatAm via MaaS Model
Recorded: May 28, 2026, 4:03 p.m.
Original:
An advanced remote access Trojan is propagating online. Notably, it's delivered via an operator licensing model and features a no-code malware-development interface.

Elizabeth Montalbano, Contributing Writer
May 28, 2026
4 Min Read
Source: Rafapress via Shutterstock

An emerging Android remote access Trojan (RAT) that offers would-be attackers a no-code interface for building malicious banking apps has resurfaced. This time, it's using a malware-as-a-service (MaaS) model that lowers the barrier to entry for cybercriminals to achieve full mobile device takeover with little expert knowledge.

The RAT, dubbed BTMOB and first described by researchers at Cyble last year as an offshoot of SpySolr malware, is notable for its potential to do significant damage via a range of capabilities that extend beyond the usual RAT behavior, according to ESET security researchers.

While typical banking Trojans are aimed primarily at stealing financial credentials or intercepting user transactions, BTMOB gives adversaries broader options. These include the ability to exfiltrate a range of sensitive data, capture screenshots, record activity on the device, and ultimately take remote control of it.

A No-Code Malicious Payload Generator

In the campaign, which targets users in Brazil and Latin America, the RAT is both commodity and payload. As a commodity, it is sold along with an APK builder interface that allows anyone to generate new payloads such as malicious Android apps, as well as adapt phishing lures for specific regions rapidly without writing any code, noted Daniel Cunha Barbosa, a security researcher for ESET, in the company's post.

The campaign distributes the RAT to cybercriminals through Telegram channels and other websites, and goes after victims via phishing sites impersonating streaming services, cryptocurrency platforms, and legitimate app stores.

The malware comes with a relatively inexpensive price tag of $5,000 for a lifetime license, which in the digital economy of mobile device compromise is a relative bargain, notes Jacob Krell, senior director of secure AI solutions & cybersecurity for Suzu Labs.

"Mobile is where the economics of industrialized cybercrime meet the highest returns in the exploit market," he says, adding that Crowdfense, a well-known vulnerability research hub, currently pays up to $5 million for a single Android zero-click chain. "When the returns are that high, every improvement in mobile campaign tooling translates directly into profit," Krell says.

In addition, the MaaS model lowers the barrier for less sophisticated adversaries, Barbosa noted, citing a Dark Web forum that in January claimed to offer BTMOB-related files for free download. "The forum later went offline, and our search didn't recover the payload(s), but the episode points to a familiar risk with commercial malware: access rarely stays contained forever and the tool can move into secondary markets through resale, barter, or sharing inside closed groups," Barbosa wrote.

Social Engineering for the Cybercrime Win

In malicious campaigns that deliver a BTMOB payload, operators send victims to phishing websites that pose as streaming services, cryptocurrency mining platforms, or other familiar online services. From there, they nudge them toward fake app stores that mimic legitimate repositories and prompt them to install a malicious APK. Because BTMOB allows operators to adapt lures to specific regions, it gives attackers a strong social-engineering play and unlimited geographic reach, Barbosa noted.

He cited a recent campaign in Argentina that spread BTMOB while impersonating Argentina's tax and customs authorities as an example. This, combined with the RAT's extended capabilities, gives the malware a wider reach for doing damage beyond the region in which it's currently being distributed, he said. "The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America," Barbosa wrote.

Once installed, BTMOB seeks extensive access to the device by abusing Android Accessibility Services: once the victim is talked into enabling the app's accessibility service, the malware uses it to gain elevated permissions and grant itself further system access and control over the device without additional user interaction.

Defending Mobile Devices From Malware

Mobile malware remains a significant threat to enterprise and personal users alike, and ESET recommended a few basic tips to keep users safe from BTMOB and the range of other Android-based malware making the rounds.

One basic best practice is to only download apps from the official Google Play Store and its repositories, and to beware of fakes impersonating Google's mobile app marketplace. Enterprises also should make this a mandate across their employee base, Barbosa noted.

Basic phishing security hygiene applies as well, such as treating unsolicited links delivered via email, messaging apps, social media, and targeted advertisements with suspicion and not clicking on anything that even remotely seems like a scam, he said.

Finally, both individuals and organizations "should use mobile security solutions and treat mobile devices with the same rigor as other machines and environments," Barbosa wrote.
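The two defensive points above, that BTMOB lives off an enabled Accessibility Service and that apps should come only from the official store, can be turned into a concrete device audit. The script below is an added example written for this page; it is not ESET's code and is not from the article. It uses two real adb queries (`settings get secure enabled_accessibility_services`, which returns a colon-separated list of `package/ServiceClass` entries, and `pm list packages -3 -i`, which lists third-party packages with their installer), parses their text output, and flags any enabled accessibility service whose owning app was not installed by Google Play. The package names and the sample output embedded in the script are constructed for the example; the `adb` commands are real but only run if `audit_device()` is called.

```python
"""Audit enabled Android accessibility services against the app's install source.

Added example for this page (not ESET's code). Real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
The sample outputs and package names below are constructed, not real device data.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample: one Play-installed app and two sideloaded apps, one of
# which (a fake "streaming" app) has an accessibility service enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.example.bank/com.example.bank.A11yService:"
    "com.fake.streaming/com.fake.streaming.ControlService"
)
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.fake.streaming  installer=null
package:com.fake.store  installer=com.fake.store
"""


@dataclass
class Finding:
    package: str
    service: str
    installer: Optional[str]  # None means sideloaded with no recorded installer


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split 'pkg/Svc:pkg2/Svc2' into (package, fully qualified service) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset on a clean device
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):  # shorthand class relative to the package
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package -> installer from 'package:<pkg>  installer=<pkg|null>' lines."""
    result: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line[len("package:"):].partition("installer=")
        inst = inst_part.strip()
        result[pkg_part.strip()] = None if inst in ("", "null") else inst
    return result


def suspicious_services(services_raw: str, packages_raw: str,
                        trusted=(PLAY_STORE_INSTALLER,)) -> List[Finding]:
    """Enabled accessibility services owned by third-party apps not from a trusted installer.

    Packages absent from the -3 list are system apps (e.g. the stock screen reader)
    and are skipped; this checks provenance only, not what the service does."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg not in installers:
            continue
        inst = installers[pkg]
        if inst not in trusted:
            findings.append(Finding(pkg, svc, inst))
    return findings


def adb_shell(args: List[str]) -> str:
    """Run a command on the attached device via adb and return its stdout."""
    proc = subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def audit_device() -> List[Finding]:
    """Live audit of the attached device (requires adb and USB debugging)."""
    return suspicious_services(
        adb_shell(["settings", "get", "secure", "enabled_accessibility_services"]),
        adb_shell(["pm", "list", "packages", "-3", "-i"]),
    )


if __name__ == "__main__":
    for f in suspicious_services(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        print(f"SUSPICIOUS: {f.package} runs {f.service} (installer={f.installer})")
```

On the constructed sample the only hit is com.fake.streaming, whose service is enabled but whose installer is null, i.e. a sideloaded APK; com.fake.store is also sideloaded but has no accessibility service enabled, so it is not reported here. The check is deliberately narrow: a Play-installed app that later abuses accessibility would pass it, so it complements, rather than replaces, the mobile security tooling the article recommends.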
For enterprise defenders, Barbosa included indicators of compromise in ESET's post to help security administrators identify signs of compromise on a network.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget.
Summarized:

An emerging Android remote access Trojan (RAT) known as BTMOB is actively spreading across Brazil and Latin America under a malware-as-a-service (MaaS) model, which significantly lowers the entry barrier for cybercriminals seeking full mobile device takeover. The RAT is notable not only as a remote access tool but also for its no-code APK builder, which lets adversaries generate custom malicious applications without expert coding knowledge. According to ESET researchers, BTMOB's capabilities extend beyond those of typical banking Trojans: it can exfiltrate sensitive data, capture screenshots, record device activity, and ultimately assume remote control of the device.

In the campaign, the RAT is both commodity and payload: it is sold alongside a builder interface that lets buyers construct malicious Android applications and tailor phishing lures for specific regions, as ESET researcher Daniel Cunha Barbosa noted. The operation is economically driven, with a lifetime license priced at $5,000. As Suzu Labs' Jacob Krell observes, mobile is where the economics of industrialized cybercrime meet the highest returns in the exploit market, so every improvement in mobile campaign tooling translates directly into profit. The RAT is sold to criminals through Telegram channels and other websites; victims are lured through phishing sites impersonating streaming services, cryptocurrency platforms, and legitimate app stores, and then pushed to fake app stores that prompt them to install a malicious APK.

The MaaS model also extends the threat's geographic reach. Because operators can rapidly adapt lures to specific regions, the RAT supports strong social engineering plays, exemplified by a campaign in Argentina that impersonated the country's tax and customs authorities. The combination of phishing-led delivery, ready-made app-building tooling, and device takeover capabilities positions BTMOB as a threat extending well beyond Brazil or Latin America. Once installed, BTMOB gains extensive access by abusing Android Accessibility Services to obtain elevated permissions and grant itself further system control without additional user interaction.

Defensive recommendations therefore center on basic security hygiene: install applications only from the official Google Play Store, beware of fake marketplaces impersonating it, and enforce that rule across the enterprise user base. Users should treat unsolicited links delivered via email, messaging apps, social media, and advertisements with suspicion. Both individuals and organizations are advised to deploy mobile security solutions and treat mobile devices with the same rigor applied to other machines and environments, and administrators can use the indicators of compromise ESET published to identify affected devices on their networks.