Find notable cyber news and cases, enriched with sources, timelines, and signals.

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
First reported
Last updated
Happening score
H score 25
2 unique sources, 2 articles

Summary

Hide ▲

BTMOB is an Android remote access trojan sold as malware-as-a-service on the clearweb and in private Telegram channels, with a builder that generates customized phishing payloads. The activity is mostly active in Brazil and Latin America, including campaigns that use localized lures and fake Google Play delivery. The malware can steal data, intercept financial transactions, capture screenshots, and abuse Android Accessibility Services for elevated access. ESET also ties the offering to $700 monthly pricing or a $5,000 lifetime license.

Related Happenings

RedWing Android spyware rented through Telegram

Malware Activity
H score21 First: 08.07.2026 18:30 Last: 08.07.2026 18:30 Sources 1

About this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...

RedWing Android bank-fraud malware rental service

Malware Activity
H score21 First: 07.07.2026 20:10 Last: 07.07.2026 20:10 Sources 1

About this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...

Google Play Protect adds warnings and app disabling for compromised SDK abuse

Security Tool/Service
H score11 First: 03.07.2026 12:35 Last: 03.07.2026 12:35 Sources 1

About this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...

Vo1d botnet campaign targeting unofficial Android-based TV boxes

Campaign
H score88 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...

Latest development: 03.07.2026 12:35

Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.

Rokarolla device-profiling targeting campaign

Campaign
H score32 First: 16.06.2026 23:04 Last: 16.06.2026 23:04 Sources 1

About this happening: The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...

Timeline

  1. 27.05.2026 19:10 1 articles · 1mo ago

    BTMOB operator advertises pricing and builder access

    Campaign Scope Update

    The BTMOB operator posts a May 1, 2026 update about faster infrastructure and a refined builder, and a shared video advertises the Android RAT with a $1,200 lifetime license. The post positions BTMOB as ready-made malware tooling available to customers seeking rapid campaign deployment.

    Show sources
  2. 27.05.2026 19:10 3 articles · 1mo ago

    WatchGuard and ESET disclose Grandoreiro and BTMOB banking trojan campaigns

    Initial Disclosure

    WatchGuard and ESET identify two active banking trojan campaigns in Latin America and Europe, with Grandoreiro targeting Windows and BTMOB targeting Android. The activity singles out companies in Spain, Portugal, and Mexico, along with mobile users in Brazil, and relies on phishing, DLL side-loading, WebRTC-related components, and fake Google Play distribution to reach victims.

    Show sources