BTMOB Android RAT no-code builder malware activity

Malware Activity
First reported
Last updated
Happening score
H score 16
1 unique source, 1 article

Summary

The BTMOB Android RAT is spreading through phishing campaigns across Brazil and beyond, raising the risk of custom payload delivery and remote device takeover. Built with a no-code APK builder, the malware lets buyers generate new payloads without writing code and retune lures for different countries. Once installed, it can exfiltrate data, capture screenshots, record on-device activity, and abuse Android Accessibility Services to deepen access. The operation has been observed as MaaS since February 2025, and rapid variant turnover makes detection and containment harder.

Related Happenings

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...

BTMOB phishing campaign targeting Android users in Brazil and beyond

Campaign
First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

How related: Operators steer victims to phishing sites posing as streaming services, crypto-mining platforms or other recognizable brands, then funnel them toward fake app stores that prompt installation of a malicious APK.

About this happening: The **BTMOB phishing distribution campaign** is pushing **malicious APKs** through **fake app stores**, expanding Android compromise risk across **Brazil and beyond**. Operators l...

Android 17 expands platform security and privacy protections

Security Tool/Service
First: 12.05.2026 20:00 Last: 12.05.2026 20:00 Sources 1

About this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...

PromptSpy backdoor for Android with Gemini API automation

Malware Activity
First: 11.05.2026 16:02 Last: 11.05.2026 16:02 Sources 1

About this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...

BirdCall Android spyware variant

Malware Activity
First: 05.05.2026 12:04 Last: 05.05.2026 12:04 Sources 1

About this happening: The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...

Timeline

  1. 26.05.2026 17:00 2 articles · 1d ago

    Initial report: BTMOB Android RAT no-code builder malware activity

    Initial Disclosure

    Early activity centered on a **February 2025** Android RAT lineage that blended **phishing-based delivery** with a **no-code APK builder**. The initial phase established the core playbook of fake-store installs, payload customization, and permission abuse for device takeover.
