BTMOB Android malware service generates custom phishing payloads
Recorded: May 28, 2026, 10 p.m.
| Original | Summarized |
BTMOB Android malware service generates custom phishing payloads. By Bill Toulas, May 28, 2026. An Android remote access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures. [Figures: BTMOB's payload builder (Source: ESET); BTMOB clearnet site (Source: ESET); Malicious apps on fake Google Play sites (Source: Merl)] |
An Android remote access trojan named BTMOB is offered to cybercriminals as a malware-as-a-service (MaaS) platform, providing a builder interface for generating custom phishing payloads. The malware incorporates numerous capabilities, including the theft of specific data, interception of financial transactions, screenshot capture, and remote control functionality.

Cybersecurity company ESET reports that BTMOB is openly advertised on the clearweb, allowing users to customize the payload through an APK builder without requiring any coding. Users can select the specific permissions the resulting application requests upon installation, and define actions the application should execute, such as disabling Google Play, hiding its icon to impede removal, or preventing sleep mode.

The BTMOB platform appears to be an evolution of the SpySolr malware family and is distributed through phishing websites that impersonate streaming services and cryptocurrency mining platforms. Potential victims are directed to portals mimicking Google Play to download these fraudulent applications. Furthermore, the malware assists operators in creating custom, localized phishing lures tailored to specific campaign topics.

Technically, BTMOB abuses Android Accessibility Services to acquire elevated permissions and access to additional system functions without requiring further user interaction.

BTMOB has been documented before: ANYRUN analyzed the malware in February 2025, and the threat intelligence and digital risk protection company Cyble documented it as an advanced Android malware. Researchers Johnk3r and Merl have spotted BTMOB campaigns that used an Argentinian government agency as a lure. The malware is primarily active in Brazil and Latin America. Threat actors can acquire BTMOB through private Telegram channels, paying either a monthly subscription of $700 or a lifetime license of $5,000.

Despite the rapid development of new payloads, ESET researchers are tracking the threat and updating static detection rules. The proliferation of these custom payloads can severely undermine the effectiveness of single-layered security defenses. Consequently, Android users are advised to restrict their installations to apps sourced only from the official Google Play Store, use Play Protect for scanning, and revoke risky or powerful permissions, such as Accessibility access, unless they are explicitly necessary for the application's function. |
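The article's two technical points, that BTMOB relies on Accessibility Services and that users should revoke that access from anything that does not need it, translate into a simple device triage check. The following script is an added example written for this page; it is not ESET's tooling or anything from the article. It assumes the output formats of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries, or `null` when none are enabled) and `adb shell pm list packages -i` (`package:<name>  installer=<installer>`), with sample output constructed inline so it runs offline. It flags any package holding an enabled accessibility service that was not installed by the Play Store (`com.android.vending`), which is the sideloaded-from-a-fake-Play-portal case the article describes.

```python
"""Triage enabled Android accessibility services against their installer.

Added example for this page (not ESET's or the article's code). Parses the
text that two adb commands print and flags accessibility-service holders that
did not come from the Play Store. All sample data below is constructed.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Format assumption: "pkg/serviceclass" entries joined by ":"; "null" if none enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamplus/.AccService"
)

# Constructed sample of `adb shell pm list packages -i`.
# Format assumption: "package:<name>  installer=<installer>"; "null" means sideloaded.
SAMPLE_PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.streamplus  installer=null
package:com.android.chrome  installer=com.android.vending
"""

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, fully qualified service class) pairs; [] for 'null' or empty."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        # Android allows the shorthand ".Class" relative to the package name.
        if svc.startswith("."):
            svc = pkg + svc
        services.append((pkg, svc))
    return services


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        match = _PM_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def flag_accessibility_holders(
    services: List[Tuple[str, str]],
    installers: Dict[str, str],
    allowlist: FrozenSet[str] = frozenset(),
) -> List[Dict[str, str]]:
    """Flag enabled accessibility services whose package was not Play-installed.

    Packages on the allowlist (e.g. an MDM agent deployed by the organisation)
    are skipped; packages missing from the installer map are reported as 'unknown'.
    """
    findings = []
    for pkg, svc in services:
        if pkg in allowlist:
            continue
        installer = installers.get(pkg, "unknown")
        if installer != PLAY_STORE_INSTALLER:
            findings.append({"package": pkg, "service": svc, "installer": installer})
    return findings


def run_sample() -> List[Dict[str, str]]:
    """Run the triage over the constructed sample output."""
    services = parse_enabled_services(SAMPLE_ENABLED_SERVICES)
    installers = parse_installers(SAMPLE_PM_LIST)
    return flag_accessibility_holders(services, installers)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"REVIEW {finding['package']} ({finding['service']}) installer={finding['installer']}")
```

On a real device, pipe the two adb commands into the parsers instead of the constructed samples; a flagged package is a candidate for revoking Accessibility access (Settings > Accessibility) and for uninstalling if it was sideloaded from an unknown site, which is exactly the remediation the article recommends.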