BTMOB phishing campaign targeting Android users in Brazil and beyond
Campaign
Summary
Hide ▲
Show ▼
The BTMOB phishing distribution campaign is pushing malicious APKs through fake app stores, expanding Android compromise risk across Brazil and beyond. Operators lure users with phishing sites posing as streaming services, crypto-mining platforms, and other recognizable brands. The operation matters because the same kit can be retooled quickly for different countries and local impersonations, making the delivery chain easy to adapt and hard to contain.
Related Happenings
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
How related:
An Android remote access trojan (RAT) that lets buyers build their own custom payloads without writing a line of code has been observed spreading through phishing campaigns across Brazil and beyond.
About this happening:
The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
BTMOB Android RAT no-code builder malware activity
Malware ActivityHow related: An Android remote access trojan (RAT) that lets buyers build their own custom payloads without writing a line of code has been observed spreading through phishing campaigns across Brazil and beyond.
About this happening: The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
Meta rolls out anti-scam protections and AI scam detection across WhatsApp, Facebook, and Messenger
Security Tool/Service
First: 11.03.2026 15:29
Last: 11.03.2026 15:29
Sources 1
About this happening:
Meta is rolling out **anti-scam protections** across **WhatsApp, Facebook, and Messenger**, using warnings and AI detection to block scams before users engage. The updates target...
Meta rolls out anti-scam protections and AI scam detection across WhatsApp, Facebook, and Messenger
Security Tool/ServiceAbout this happening: Meta is rolling out **anti-scam protections** across **WhatsApp, Facebook, and Messenger**, using warnings and AI detection to block scams before users engage. The updates target...
Kimsuky QR-phishing campaign distributing DocSwap Android malware
Campaign
First: 18.12.2025 09:43
Last: 18.12.2025 09:43
Sources 1
About this happening:
The **Kimsuky** operation now uses **QR-code phishing** to push **DocSwap Android malware**, raising the risk of mobile compromise for users drawn in by delivery-themed lures. The...
Kimsuky QR-phishing campaign distributing DocSwap Android malware
CampaignAbout this happening: The **Kimsuky** operation now uses **QR-code phishing** to push **DocSwap Android malware**, raising the risk of mobile compromise for users drawn in by delivery-themed lures. The...
Albiriox Austrian-targeting distribution campaign
Campaign
First: 01.12.2025 10:45
Last: 01.12.2025 10:45
Sources 1
About this happening:
The **Albiriox** distribution campaign targeted **Austrian victims**, using **German-language SMS lures** and fake **Google Play Store** listings to deliver a dropper APK and enab...
Albiriox Austrian-targeting distribution campaign
CampaignAbout this happening: The **Albiriox** distribution campaign targeted **Austrian victims**, using **German-language SMS lures** and fake **Google Play Store** listings to deliver a dropper APK and enab...
Mobdro lure campaign delivering Klopatra to illegal streaming users
Campaign
First: 30.09.2025 23:28
Last: 30.09.2025 23:28
Sources 1
About this happening:
The **Mobdro** lure campaign is pushing **Klopatra** to users of illegal streaming services, widening the risk of covert banking theft across **Europe**. By disguising the Trojan...
Mobdro lure campaign delivering Klopatra to illegal streaming users
CampaignAbout this happening: The **Mobdro** lure campaign is pushing **Klopatra** to users of illegal streaming services, widening the risk of covert banking theft across **Europe**. By disguising the Trojan...
Timeline
-
26.05.2026 03:00 2 articles · 1d ago
BTMOB spreads through phishing campaigns across Brazil and beyond
Initial DisclosureBTMOB is an Android RAT sold as malware-as-a-service with a no-code APK builder that lets buyers create custom payloads without writing code; ESET says it is being spread through phishing sites that pose as streaming services, crypto-mining platforms, or other recognizable brands and redirect victims to fake app stores, while the malware can exfiltrate data, capture screenshots, record on-device activity, and abuse Android's Accessibility Services for deeper access.
Show sources
- BTMOB Android RAT Spreads Through No-Code Builder Tooling — www.infosecurity-magazine.com — 26.05.2026 17:00
- BTMOB Android RAT Spreads Through No-Code Builder Tooling — www.infosecurity-magazine.com — 26.05.2026 17:00