BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
Summary
BTMOB has been exposed as a malware-as-a-service Android trojan with a builder interface, making it easier for cybercriminals to mass-produce tailored phishing payloads and expand mobile fraud operations. Its clearweb advertising and Telegram sales channels lower the barrier to entry for buyers seeking ready-made Android attack infrastructure. The service's customization features and regional focus increase the scale and flexibility of credential-theft and transaction-fraud activity.
Related Happenings
BTMOB phishing campaign targeting Brazil and Latin America
Campaign
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
How related:
Researchers Johnk3r and Merl recently spotted BTMOB campaigns that used an Argentinian government agency as a lure.
About this happening:
**BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
How related:
BTMOB is mostly active in Brazil and Latin America.
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
How related:
The APK builder included in the offer provides easy customization of the payload without any need to code.
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Timeline
-
29.05.2026 00:10 2 articles · 2h ago
ESET exposes BTMOB Android malware-as-a-service platform
Initial Disclosure
ESET identifies BTMOB as an Android remote access trojan sold as malware-as-a-service on the clearweb and in private Telegram channels, with an APK builder that generates customized phishing payloads. The service targets users mainly in Brazil and Latin America, can mimic Google Play portals, and abuses Android Accessibility Services to gain elevated access and additional system control; the malware has also been associated with campaigns using an Argentinian government agency as a lure and with capabilities for data theft, financial interception, screenshot capture, and remote control.
Sources:
- BTMOB Android malware service generates custom phishing payloads — www.bleepingcomputer.com — 29.05.2026 00:10