Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
Summary
Hide ▲
Show ▼
BTMOB is an Android remote access trojan sold as malware-as-a-service on the clearweb and in private Telegram channels, with a builder that generates customized phishing payloads. The activity is mostly active in Brazil and Latin America, including campaigns that use localized lures and fake Google Play delivery. The malware can steal data, intercept financial transactions, capture screenshots, and abuse Android Accessibility Services for elevated access. ESET also ties the offering to $700 monthly pricing or a $5,000 lifetime license.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android bank-fraud malware rental service
Malware Activity
H score21
First: 07.07.2026 20:10
Last: 07.07.2026 20:10
Sources 1
About this happening:
The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
RedWing Android bank-fraud malware rental service
Malware ActivityAbout this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
Rokarolla device-profiling targeting campaign
Campaign
H score32
First: 16.06.2026 23:04
Last: 16.06.2026 23:04
Sources 1
About this happening:
The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
Rokarolla device-profiling targeting campaign
CampaignAbout this happening: The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
Timeline
-
27.05.2026 19:10 1 articles · 1mo ago
BTMOB operator advertises pricing and builder access
Campaign Scope UpdateThe BTMOB operator posts a May 1, 2026 update about faster infrastructure and a refined builder, and a shared video advertises the Android RAT with a $1,200 lifetime license. The post positions BTMOB as ready-made malware tooling available to customers seeking rapid campaign deployment.
Show sources
- Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users — thehackernews.com — 27.05.2026 19:10
-
27.05.2026 19:10 3 articles · 1mo ago
WatchGuard and ESET disclose Grandoreiro and BTMOB banking trojan campaigns
Initial DisclosureWatchGuard and ESET identify two active banking trojan campaigns in Latin America and Europe, with Grandoreiro targeting Windows and BTMOB targeting Android. The activity singles out companies in Spain, Portugal, and Mexico, along with mobile users in Brazil, and relies on phishing, DLL side-loading, WebRTC-related components, and fake Google Play distribution to reach victims.
Show sources
- Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users — thehackernews.com — 27.05.2026 19:10
- Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users — thehackernews.com — 27.05.2026 19:10
- BTMOB Android malware service generates custom phishing payloads — www.bleepingcomputer.com — 29.05.2026 00:10