Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

BTMOB Android RAT poses significant threat with easy-to-use builder

The BTMOB Android RAT is a malware-as-a-service threat that uses phishing to deliver malicious APKs, often via fake app stores. It abuses Android Accessibility Services to gain extensive device control for data theft, screen capture, and remote access, with its primary risk stemming from an easy-to-use APK builder that enables low-skilled attackers to rapidly generate new variants.

May 27, 2026. By SC Staff.

As reported by ESET's We Live Security, BTMOB is an Android remote access trojan (RAT) that, while not detected in high volumes, presents a significant threat due to its capabilities and ease of use. Its combination of phishing-based delivery, a user-friendly app-building tool, and comprehensive device control features makes it a concern for users globally, extending beyond its initial focus on Brazil and Latin America.

First identified in February 2025, BTMOB evolved from the SpySolr malware. Unlike typical banking trojans, BTMOB offers adversaries a wider range of malicious actions, including data exfiltration, screen capture, activity recording, and complete remote device control. A key feature is its APK builder interface, which allows users to create new malicious payloads and adapt phishing lures for different regions without needing to write any code.

Distribution typically begins with social engineering tactics, leading victims to phishing websites that mimic legitimate services. From there, users are directed to fake app stores to download a malicious APK. BTMOB abuses Android Accessibility Services to gain elevated permissions and further system access.

Marketed as malware-as-a-service (MaaS), BTMOB is sold with a lifetime license and monthly support, lowering the barrier to entry for less sophisticated attackers. This model also risks the tool moving into secondary markets, increasing its accessibility. The rapid generation of new variants means defenders face a constantly evolving threat landscape, with ESET products detecting it under various names like MSIL/BtmobRat and Android/Spy.Agent.EED.
Source: We Live Security
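
A defender-side triage for the chain described above (an APK installed from outside the official store that then holds an Accessibility Service), as an added example that is not from the article or from ESET. It cross-references the output of `pm list packages -i -3` with `settings get secure enabled_accessibility_services`; the package names, the sample output, and the choice of Google Play as the only trusted installer are constructed assumptions.

```python
import re

# Assumption: Google Play is the only installer this fleet treats as trusted.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installers(pm_output):
    """Map third-party package -> installer from `pm list packages -i -3`."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def parse_accessibility(setting_value):
    """Split the colon-separated component list into (package, service) pairs."""
    value = setting_value.strip()
    if value in ("", "null"):  # the setting is unset when no service is enabled
        return []
    comps = (c.partition("/") for c in value.split(":"))
    return [(pkg, cls) for pkg, _, cls in comps if pkg and cls]


def flag_sideloaded_accessibility(pm_output, setting_value, trusted=TRUSTED_INSTALLERS):
    """Return enabled accessibility services owned by untrusted-installer apps."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_accessibility(setting_value):
        # Packages absent from the -3 listing are system apps and are skipped.
        if pkg in installers and installers[pkg] not in trusted:
            findings.append({"package": pkg, "service": cls, "installer": installers[pkg]})
    return findings


# Constructed sample data (not from a real device or from the article).
SAMPLE_PM = """\
package:com.example.passwordmanager  installer=com.android.vending
package:com.example.updatehelper  installer=com.google.android.packageinstaller
package:com.example.flashlight  installer=null
"""
SAMPLE_A11Y = ("com.example.passwordmanager/.AutofillA11yService:"
               "com.example.updatehelper/com.example.updatehelper.CoreService:"
               "com.google.android.marvin.talkback/.TalkBackService")

if __name__ == "__main__":
    for finding in flag_sideloaded_accessibility(SAMPLE_PM, SAMPLE_A11Y):
        print(finding)
```

A hit means an app that arrived outside the trusted store holds an enabled Accessibility Service and warrants review; it does not identify BTMOB specifically.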