Skip to main content
Emerging ThreatsMalware & Ransomware

BTMOB Android RAT Exploits No-Code Tools in Global Phishing Campaigns

Smartphone on cluttered desk with login prompt on screen.

"Corporate security teams must make it clear to employees that a single rogue download could expose the company's crown jewels," ESET concluded.

BTMOB's no-code APK builder and commercial model

According to new analysis from ESET, BTMOB is an Android remote access trojan (RAT) that ships with an APK builder interface allowing buyers to generate custom payloads and tailor phishing lures without writing code. The toolkit is offered as a malware-as-a-service (MaaS) product: a surface-web promotional page funnels prospective buyers to a Telegram operator and the seller maintains accounts on X and Instagram. ESET reported a $5,000 lifetime license plus a monthly support fee as the advertised commercial pricing.

Phishing delivery: fake stores, streaming and crypto lures

Distribution, ESET found, relies on social engineering and phishing. Operators direct victims to sites posing as streaming services, crypto-mining platforms or other recognizable brands, then to fake app stores that prompt installation of a malicious APK. The kit has already been adapted to impersonate local institutions — ESET specifically cites campaigns spoofing Argentina's tax and customs authorities — and has been observed spreading through phishing campaigns across Brazil and beyond.

Technical capabilities: Accessibility abuse and full device takeover

BTMOB evolved from the SpySolr family and was first documented in February 2025. Unlike a narrow banking trojan, ESET says BTMOB can exfiltrate data, capture screenshots, record on-device activity and provide operators with remote control of the phone. Once installed, the malware abuses Android's Accessibility Services to escalate its own permissions and obtain deeper system access without further user interaction.

Rapid mutation, resale and the economics of access

ESET warns that the commercial packaging and low technical barrier accelerate variant creation and make containment difficult. Because the kit's APK builder lets buyers quickly retool payloads for specific countries, defenders should expect rapid payload turnover rather than a fixed set of samples. The company also noted that in January 2026 a dark web forum briefly advertised BTMOB files for free before going offline, illustrating that commercial malware can quickly leak or be resold beyond paying customers.

What this means for corporate security teams, end users, and defenders

  • Corporate security teams: ESET's explicit admonition — "Corporate security teams must make it clear to employees that a single rogue download could expose the company's crown jewels" — frames the organizational risk. Teams will need to communicate the specific danger of sideloaded APKs and phishing lures tied to streaming, crypto and spoofed institutional sites.
  • End users: ESET advised installing apps only from official stores, treating unsolicited links with suspicion and running mobile security software with the same rigor applied to other devices. Those recommendations address the delivery vectors observed in BTMOB campaigns.
  • Defenders and incident responders: Expect fast mutation and frequent new samples rather than a stable signature set, ESET cautioned. The presence of an APK builder and a low-cost MaaS model means adversaries can iterate quickly and localize lures; detection strategies should account for rapid churn.

BTMOB is a reminder that commoditized tooling — an APK builder sold through public channels and promoted on mainstream social platforms — can turn ordinary phishing narratives into fully capable device takeover operations. The combination of no-code payload generation, phishing distribution patterns, Accessibility Services abuse and an explicit commercial sales channel changes the calculus: defending against BTMOB is as much about user behavior and procurement signals as it is about technical detection.

Full original report: https://www.infosecurity-magazine.com/news/btmob-android-rat-maas-builder/