The BTMOB remote access trojan (RAT) is becoming a heightened threat to Android users due to its data theft and device takeover capabilities, ESET warns.
Believed to be based on the SpySolr malware, BTMOB is distributed via phishing attacks leveraging lures such as streaming, cryptocurrency mining, and other familiar services.
Its developers, however, sell it bundled with an APK builder interface, allowing threat actors to tailor lures and create new payloads based on their target geographies, without writing code.
“Once someone purchases the malicious kit, they can adapt its features, including the phishing lures so they impersonate the brand or agency most likely to lure victims in any given country,” ESET notes.
The malware is promoted via an open web page linking to a Telegram channel. Social media accounts on X and Instagram are also used to promote the Android malware.
BTMOB is sold under a lifetime license for $5,000, plus a monthly support fee. In January 2026, files related to the RAT were offered for free on a dark web forum that has since gone offline.
Threat actors have been observed delivering phishing messages that point victims to websites posing as legitimate services, which redirect to fake application stores mimicking legitimate repositories and serving the malicious APK.
Once executed on a device, BTMOB attempts to obtain excessive access, abusing Android Accessibility Services to elevate its privileges on the system without user interaction.
“Unlike banking trojans, which ‘only’ aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it,” ESET says.
The cybersecurity firm notes that the malware is mutating quickly, with numerous variants observed within a short period of time, but that certain infrastructure patterns remain unchanged across iterations.
BTMOB has been mainly observed in attacks in Latin America, but the risk it poses stretches beyond the region, ESET warns.
Related: Critical Remote Code Execution Vulnerability Patched in Android
Related: Mirax RAT Targeting Android Users in Europe
Related: PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence
Related: New Keenadu Android Malware Found on Thousands of Devices