BTMOB Android RAT no-code builder malware activity
Malware Activity
Summary
Hide ▲
Show ▼
BTMOB is an Android RAT sold as malware-as-a-service on the clearweb and in private Telegram channels, with a no-code APK builder that generates customized phishing payloads. The activity targets users mainly in Brazil and Latin America, uses phishing sites that mimic streaming services, cryptocurrency mining platforms, and Google Play, and has included lures themed as an Argentinian government agency. Once installed, the malware can exfiltrate data, capture screenshots, and abuse Android Accessibility Services for deeper access. ESET says the builder lets operators tailor permissions and behavior without coding, increasing the pace of payload generation and making defense harder.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android bank-fraud malware rental service
Malware Activity
H score21
First: 07.07.2026 20:10
Last: 07.07.2026 20:10
Sources 1
About this happening:
The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
RedWing Android bank-fraud malware rental service
Malware ActivityAbout this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Android Developer Verifier enforcement rollout for verified app installs
Security Tool/Service
H score14
First: 22.06.2026 15:45
Last: 22.06.2026 15:45
Sources 1
About this happening:
Google is **enforcing Android developer verification** on **September 30, 2026**, blocking normal installs of unverified apps on certified Android phones in **Brazil, Indonesia, S...
Google Android Developer Verifier enforcement rollout for verified app installs
Security Tool/ServiceAbout this happening: Google is **enforcing Android developer verification** on **September 30, 2026**, blocking normal installs of unverified apps on certified Android phones in **Brazil, Indonesia, S...
Rokarolla Android banking trojan activity
Malware Activity
H score26
First: 16.06.2026 16:15
Last: 16.06.2026 16:15
Sources 1
About this happening:
The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Rokarolla Android banking trojan activity
Malware ActivityAbout this happening: The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Timeline
-
29.05.2026 00:10 1 articles · 1mo ago
BTMOB sells no-code APK builder on clearweb and Telegram
Technical Analysis UpdateBTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Show sources
- BTMOB Android malware service generates custom phishing payloads — www.bleepingcomputer.com — 29.05.2026 00:10
-
26.05.2026 17:00 2 articles · 1mo ago
Initial report: BTMOB Android RAT no-code builder malware activity
Initial DisclosureEarly activity centered on a **February 2025** Android RAT lineage that blended **phishing-based delivery** with a **no-code APK builder**. The initial phase established the core playbook of fake-store installs, payload customization, and permission abuse for device takeover.
Show sources
- BTMOB Android RAT Spreads Through No-Code Builder Tooling — www.infosecurity-magazine.com — 26.05.2026 17:00
- BTMOB Android RAT Spreads Through No-Code Builder Tooling — www.infosecurity-magazine.com — 26.05.2026 17:00