BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
Summary
Hide ▲
Show ▼
BTMOB has been exposed as a malware-as-a-service Android trojan with a builder interface, making it easier for cybercriminals to mass-produce tailored phishing payloads and expand mobile fraud operations. Its clearweb advertising and Telegram sales channels lower the barrier to entry for buyers seeking ready-made Android attack infrastructure. The service's customization features and regional focus increase the scale and flexibility of credential-theft and transaction-fraud activity.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android bank-fraud malware rental service
Malware Activity
H score21
First: 07.07.2026 20:10
Last: 07.07.2026 20:10
Sources 1
About this happening:
The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
RedWing Android bank-fraud malware rental service
Malware ActivityAbout this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Android Developer Verifier enforcement rollout for verified app installs
Security Tool/Service
H score14
First: 22.06.2026 15:45
Last: 22.06.2026 15:45
Sources 1
About this happening:
Google is **enforcing Android developer verification** on **September 30, 2026**, blocking normal installs of unverified apps on certified Android phones in **Brazil, Indonesia, S...
Google Android Developer Verifier enforcement rollout for verified app installs
Security Tool/ServiceAbout this happening: Google is **enforcing Android developer verification** on **September 30, 2026**, blocking normal installs of unverified apps on certified Android phones in **Brazil, Indonesia, S...
Rokarolla device-profiling targeting campaign
Campaign
H score32
First: 16.06.2026 23:04
Last: 16.06.2026 23:04
Sources 1
About this happening:
The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
Rokarolla device-profiling targeting campaign
CampaignAbout this happening: The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
Timeline
-
29.05.2026 00:10 2 articles · 1mo ago
ESET exposes BTMOB Android malware-as-a-service platform
Initial DisclosureESET identifies BTMOB as an Android remote access trojan sold as malware-as-a-service on the clearweb and in private Telegram channels, with an APK builder that generates customized phishing payloads. The service targets users mainly in Brazil and Latin America, can mimic Google Play portals, and abuses Android Accessibility Services to gain elevated access and additional system control; the malware has also been associated with campaigns using an Argentinian government agency as a lure and with capabilities for data theft, financial interception, screenshot capture, and remote control.
Show sources
- BTMOB Android malware service generates custom phishing payloads — www.bleepingcomputer.com — 29.05.2026 00:10
- BTMOB Android malware service generates custom phishing payloads — www.bleepingcomputer.com — 29.05.2026 00:10