
Analyzing the BTMOB Android Trojan and Its Malware-as-a-Service Distribution Model

The BTMOB Android remote access Trojan (RAT) utilizes a malware-as-a-service model to distribute unauthorized banking applications across Latin America. Security researchers have documented its extensive device control capabilities and provided actionable guidance to help organizations protect their mobile environments.

Triage Security Media Team

An emerging Android remote access Trojan (RAT) equipped with a no-code interface for building unauthorized banking applications has resurfaced. Operating under a malware-as-a-service (MaaS) model, this tool lowers the technical barrier for malicious actors seeking full mobile device control.

The software, identified as BTMOB, was first documented last year by researchers at Cyble as a derivative of the SpySolr malware family. Recent analysis by ESET indicates that BTMOB presents substantial risks to device integrity through capabilities that extend beyond typical banking trojan behavior.

While standard banking trojans focus primarily on intercepting financial credentials or user transactions, BTMOB provides unauthorized parties with broader system access. Its documented functions include exfiltrating sensitive data, capturing screenshots, recording device activity, and establishing remote control over the affected hardware. According to Cyble's technical analysis, the software utilizes WebSocket-based command and control (C&C) communication for real-time execution, supporting advanced capabilities like live screen sharing, audio recording, file management, and automated credential theft through web injections.

Distribution and the malware-as-a-service model

In recent campaigns targeting users in Brazil and Latin America, the software functions as both a service commodity and a distributable application. As a commodity, it includes an APK builder interface. Daniel Cunha Barbosa, a security researcher for ESET, noted that this interface allows operators to rapidly generate new malicious Android applications and adapt phishing lures for specific regions without writing code.

The campaigns distribute the software to malicious actors through Telegram channels and dedicated websites. Affected users are typically directed to phishing sites that impersonate streaming services, cryptocurrency platforms, and legitimate app repositories.

The software suite is currently offered for a lifetime license fee of $5,000. Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, notes that this represents a relatively low entry cost within the broader economics of mobile device compromise.

"Mobile is where the economics of industrialized cybercrime meet the highest returns in the vulnerability market," Krell observed. He added that vulnerability research hubs like Crowdfense currently offer up to $5 million for a single Android zero-click chain, demonstrating how improvements in mobile campaign tooling can translate directly into financial returns for threat actors.

The MaaS model also increases availability for less sophisticated operators. Barbosa referenced a January incident on a dark web forum where participants claimed to offer BTMOB-related files for free download. Although the forum later went offline and the specific files were not recovered, this illustrates a familiar risk with commercial malware: tools rarely stay contained and often migrate into secondary markets through resale, barter, or sharing within closed groups.

Social engineering and device control

To deliver the software, operators rely heavily on social engineering. They direct targeted individuals to phishing websites masquerading as familiar online services, then prompt them to download a malicious APK, with some lures taking the form of a simulated app store.

The adaptable nature of the builder allows these operators to tailor their lures geographically. Barbosa referenced a recent campaign in Argentina that impersonated the country's tax and customs authorities. The combination of targeted phishing delivery, ready-made application building, and device takeover capabilities suggests BTMOB may spread well beyond its current concentration in Latin America.

Once installed, the software abuses Android Accessibility Services to elevate its permissions, granting itself extensive system access and control without requiring further user interaction.

Defending mobile devices and enterprise environments

Mobile malware remains a persistent challenge for both enterprise environments and personal users. ESET outlined several foundational practices to help organizations and individuals protect their systems from BTMOB and similar Android-based threats.

A primary recommendation is to restrict app downloads exclusively to the official Google Play Store and its verified repositories, while remaining vigilant against simulated marketplaces. For enterprise environments, administrators should mandate this practice across all corporate-managed devices.
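The two points above, sideloaded installs and Accessibility Services abuse, can be checked together on a corporate-managed device. The following triage helper is an added example written for this article; it is not tooling from ESET or Cyble. It assumes an administrator has pulled two outputs from the device with `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and it flags any package that holds an enabled accessibility service but was not installed by the Play Store. The sample outputs and package names embedded below are constructed for illustration.

```python
"""
Added example (not from the article or from ESET/Cyble): cross-reference two
Android shell outputs an administrator can collect with adb from a managed device:

    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services

Flag packages that were NOT installed by the Play Store (sideloaded, e.g. from a
phishing page) AND have an enabled accessibility service, the combination that
BTMOB-style malware relies on for device control. Sample outputs are constructed;
the package names in them are hypothetical.
"""
from dataclasses import dataclass

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -i` output (two spaces before "installer=").
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.google.android.youtube  installer=com.android.vending
package:com.example.streamingplus  installer=null
package:com.bank.legit  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated package/class pairs; the platform prints "null" when none are enabled).
SAMPLE_A11Y_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.streamingplus/com.example.streamingplus.svc.OverlayService"
)


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    service: str


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package name -> installer package ("null" when the platform reports none)."""
    installers: dict[str, str] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("  installer=")
        installers[pkg] = rest.strip() or "null"
    return installers


def parse_enabled_services(settings_output: str) -> dict[str, list[str]]:
    """Map package name -> list of enabled accessibility service class names."""
    services: dict[str, list[str]] = {}
    value = settings_output.strip()
    if not value or value == "null":
        return services
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services


def find_suspicious(pm_output: str, settings_output: str,
                    trusted_installers=(PLAY_STORE_INSTALLER,)) -> list[Finding]:
    """Return packages holding an enabled accessibility service that did not come from a trusted store.

    A package that appears in the accessibility list but not in the package list is
    reported with installer "unknown" rather than silently skipped.
    """
    installers = parse_installers(pm_output)
    findings: list[Finding] = []
    for pkg, classes in parse_enabled_services(settings_output).items():
        installer = installers.get(pkg, "unknown")
        if installer in trusted_installers:
            continue
        for cls in classes:
            findings.append(Finding(pkg, installer, cls))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT):
        print(f"REVIEW: {f.package} (installer={f.installer}) "
              f"has enabled accessibility service {f.service}")
```

Run against the constructed sample, the helper reports only `com.example.streamingplus`: TalkBack also holds an accessibility service but came from the Play Store, and the other sideloaded entry has no such service. Apps an MDM pushes legitimately will show the MDM agent as their installer, so add that package to `trusted_installers` rather than widening the check; anything left on the review list is exactly the sideloaded-plus-accessibility combination the guidance above warns about.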

Standard phishing awareness applies as well. Security teams should advise users to treat unsolicited links delivered via email, messaging platforms, social media, and targeted advertisements with caution.

Finally, organizations should deploy mobile security solutions and manage mobile devices with the same rigor applied to traditional workstations. To support network administrators in identifying potential security incidents, ESET has provided specific indicators of compromise (IOCs) alongside their technical analysis to help security teams monitor their environments effectively.
