Skip to main content
Emerging ThreatsMalware & Ransomware

ESET Exposes BTMOB Android Malware Service

Discarded Android smartphones and tech components litter a dimly lit urban alleyway.
$700 a month or $5,000 for a lifetime license — those are the prices ESET reports threat actors can pay to obtain BTMOB, an Android remote‑access trojan offered as a malware‑as‑a‑service.

ESET: BTMOB offered openly as a malware‑as‑a‑service

Security company ESET describes BTMOB as an Android remote access trojan (RAT) marketed on the clearweb and sold through private Telegram channels. The offering includes an APK builder that lets customers generate tailored payloads without writing code. According to ESET, the service model supports subscriptions — $700 per month — or a one‑time $5,000 lifetime license. The vendor-like presentation and the builder interface are consistent with a malware‑as‑a‑service (MaaS) platform designed to lower the technical barrier for attackers.

Distribution: phishing portals and fake Google Play pages

ESET reports that operators distribute BTMOB via phishing websites that impersonate streaming services and cryptocurrency mining platforms. Potential victims are redirected to portals mimicking Google Play and prompted to download fake apps. Researchers Johnk3r and Merl recently observed campaigns that used an Argentinian government agency as a lure. The platform also helps operators generate custom, localized phishing lures to match the campaign topic, increasing the plausibility of the social engineering effort.

Capabilities: what the payload can do once installed

BTMOB provides a broad feature set. The trojan can steal specific data, intercept financial transactions, capture screenshots, and exercise remote control over an infected device. The APK builder allows customers to choose which Android permissions the malicious app requests at installation and to define actions such as disabling Google Play, hiding the app icon to make removal harder, or preventing the device from entering sleep mode. Once installed, BTMOB abuses Android Accessibility Services to gain elevated permissions and additional system access without further user interaction.

Lineage and evolution: SpySolr roots, active development

ESET characterizes BTMOB as an evolution of the SpySolr malware family. It is not a one‑off: ANYRUN analyzed the malware in February 2025, and Cyble documented BTMOB as an advanced Android threat. Cyble observed roughly 15 samples of BTMOB 2.5 in nearly two weeks, a cadence that Cyble interpreted as active development by the author. ESET warns that the builder’s rapid generation of new payloads can blunt the effectiveness of single‑layered defenses and static detection rules.

What this means for Android users, security teams, and threat actors

Android users: Install apps only from the official Google Play Store, scan devices with Play Protect, and revoke risky permissions — notably Accessibility access — when they are not explicitly needed. ESET’s guidance stresses these specific steps as primary user mitigations against the kinds of social engineering and permission abuse BTMOB leverages.

Security teams and defenders: The modular builder and localization features mean defenders should expect frequent, slightly varied payloads that evade simple signature‑based detection. ESET notes it updates static detection rules, but also highlights that the rapid churn of custom payloads can undermine single‑layered defenses. Teams should consider multi‑layered detection and controls tuned to behavioral indicators such as misuse of Accessibility Services and unexpected requests to disable Google Play or prevent sleep mode.

Threat actors: The clearweb advertising, builder interface, and private‑channel sales model offer a low‑effort route to deploy customized Android RATs. The availability of localized templates and a fake Google Play flow increases the appeal of BTMOB to operators targeting Brazil and Latin America, where ESET says the malware is mostly active.

BTMOB illustrates a continuing shift in the malware market: commodity tooling plus social‑engineering templates creates a turnkey threat that can be localized and rapidly modified. For defenders and users alike, the practical choice is not simply better signatures, but enforcement of safer installation habits and focused controls around the permissions and services BTMOB abuses.

Read the original BleepingComputer report