Particle.news

BTMOB Android RAT Sells Point‑and‑Click Builder for Full Device Takeover

Researchers warn that the openly promoted service includes an APK builder that lets low‑skill criminals craft localized phishing lures and churn out fast‑changing variants that defeat simple signature‑based detections.

Overview

  • ESET and other researchers say BTMOB is a malware‑as‑a‑service that bundles a web‑based APK builder so buyers can generate customized phishing payloads and sideloadable apps without writing code.
  • Operators distribute the RAT through phishing links to fake app stores and portals that impersonate services like streaming sites, crypto tools, and government agencies to trick users into installing malicious APKs.
  • Once installed, BTMOB abuses Android Accessibility Services, which let an app read on‑screen content and inject input, to grant itself further permissions, persist on the device, capture screenshots, exfiltrate data, intercept transactions, and give operators remote control.
  • The service is promoted openly on the clear web and social accounts and sold via private Telegram channels with reported pricing tiers of about $700 per month or $5,000 for a lifetime license.
  • Researchers note most activity so far in Brazil and wider Latin America but warn the kit’s ease of use, rapid variant generation, and resale risk mean defenders must use layered detection, revoke unnecessary Accessibility access, avoid sideloading, and watch for localized lures.
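As an added example (not code from the original report or from the researchers cited), the script below audits an Android device for the two conditions BTMOB depends on: third‑party apps that hold Accessibility Service access, and apps installed from outside Google Play. It reads the same values over adb when a device is attached; the package names in the embedded sample output are constructed for illustration, and treating com.android.vending as the only trusted installer is an assumption.

```python
"""Audit an Android device for sideloaded apps and Accessibility Service grants.

Parsing is kept separate from the adb calls so the logic runs offline on
captured output. Example code; not part of the original article.
"""
from __future__ import annotations

import shutil
import subprocess

# Assumption: Google Play is the only trusted storefront. Any other installer
# (None/"null" for adb or manual installs, a browser, a file manager,
# com.android.packageinstaller) is treated as a sideload.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

# Constructed sample output (package names are hypothetical).
SAMPLE_ACC = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.tvstream/com.example.tvstream.AccService"
)
SAMPLE_PKGS = """package:com.example.tvstream  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.crypto.tools  installer=com.android.chrome
"""


def parse_enabled_accessibility_services(raw: str) -> list[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of `package/ServiceClass` entries;
    when nothing is enabled the command prints the literal "null" or nothing.
    Returns the owning package names, de-duplicated, in order.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages: list[str] = []
    for entry in raw.split(":"):
        pkg = entry.split("/", 1)[0].strip()
        if pkg and pkg not in packages:
            packages.append(pkg)
    return packages


def parse_installers(raw: str) -> dict[str, str | None]:
    """Parse `pm list packages -3 -i` output.

    Each line looks like `package:com.example.app  installer=com.android.vending`;
    the installer reads `null` when the origin is unknown (typical for adb install).
    """
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip() or None
        installers[pkg.strip()] = None if installer == "null" else installer
    return installers


def audit(acc_raw: str, pkg_raw: str) -> dict[str, list[str]]:
    """Combine both views and rank findings.

    Only third-party packages (-3) appear in the installer map, so system
    accessibility services such as TalkBack are never flagged as sideloaded.
    """
    acc_pkgs = parse_enabled_accessibility_services(acc_raw)
    installers = parse_installers(pkg_raw)
    sideloaded = sorted(p for p, i in installers.items() if i not in TRUSTED_INSTALLERS)
    # Highest priority: an app that was sideloaded AND holds Accessibility access.
    high = [p for p in acc_pkgs if p in installers and installers[p] not in TRUSTED_INSTALLERS]
    return {
        "accessibility": acc_pkgs,
        "sideloaded": sideloaded,
        "sideloaded_with_accessibility": high,
    }


def _adb(*args: str) -> str:
    return subprocess.run(
        ["adb", "shell", *args], check=True, capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    if shutil.which("adb"):
        report = audit(
            _adb("settings", "get", "secure", "enabled_accessibility_services"),
            _adb("pm", "list", "packages", "-3", "-i"),
        )
    else:
        print("adb not found; auditing the constructed sample instead")
        report = audit(SAMPLE_ACC, SAMPLE_PKGS)
    for key, pkgs in report.items():
        print(f"{key}: {', '.join(pkgs) or '(none)'}")
```

Anything listed under sideloaded_with_accessibility is the first thing to inspect: a non‑store app that can read the screen and inject taps has everything it needs to approve its own permission prompts and block its own uninstall. Revoking the grant in Settings > Accessibility and removing the package is the immediate remediation; the script only reports, it does not change device state.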