Find notable cyber news and cases, enriched with sources, timelines, and signals.

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
First reported
Last updated
Happening score
H score 21
1 unique sources, 1 articles

Summary

Hide ▲

BTMOB has been exposed as a malware-as-a-service Android trojan with a builder interface, making it easier for cybercriminals to mass-produce tailored phishing payloads and expand mobile fraud operations. Its clearweb advertising and Telegram sales channels lower the barrier to entry for buyers seeking ready-made Android attack infrastructure. The service's customization features and regional focus increase the scale and flexibility of credential-theft and transaction-fraud activity.

Related Happenings

RedWing Android spyware rented through Telegram

Malware Activity
H score21 First: 08.07.2026 18:30 Last: 08.07.2026 18:30 Sources 1

About this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...

RedWing Android bank-fraud malware rental service

Malware Activity
H score21 First: 07.07.2026 20:10 Last: 07.07.2026 20:10 Sources 1

About this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...

Google Play Protect adds warnings and app disabling for compromised SDK abuse

Security Tool/Service
H score11 First: 03.07.2026 12:35 Last: 03.07.2026 12:35 Sources 1

About this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...

Google Android Developer Verifier enforcement rollout for verified app installs

Security Tool/Service
H score14 First: 22.06.2026 15:45 Last: 22.06.2026 15:45 Sources 1

About this happening: Google is **enforcing Android developer verification** on **September 30, 2026**, blocking normal installs of unverified apps on certified Android phones in **Brazil, Indonesia, S...

Rokarolla device-profiling targeting campaign

Campaign
H score32 First: 16.06.2026 23:04 Last: 16.06.2026 23:04 Sources 1

About this happening: The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...

Timeline

  1. 29.05.2026 00:10 2 articles · 1mo ago

    ESET exposes BTMOB Android malware-as-a-service platform

    Initial Disclosure

    ESET identifies BTMOB as an Android remote access trojan sold as malware-as-a-service on the clearweb and in private Telegram channels, with an APK builder that generates customized phishing payloads. The service targets users mainly in Brazil and Latin America, can mimic Google Play portals, and abuses Android Accessibility Services to gain elevated access and additional system control; the malware has also been associated with campaigns using an Argentinian government agency as a lure and with capabilities for data theft, financial interception, screenshot capture, and remote control.

    Show sources