BTMOB: The Malware-as-a-Service Erasing Technical Barriers to Android Takeover
ESET researchers have detailed BTMOB, an Android RAT sold as a service featuring a no-code builder. For a $5,000 lifetime fee, even low-skill attackers can gen…

Methodological Note. The following analysis is based on ESET research published on May 26, 2026, corroborated by secondary sources. WeLiveSecurity serves as the primary vendor source; other outlets report on ESET’s findings.
On May 26, 2026, ESET released an analysis of BTMOB, an Android remote access trojan (RAT) evolved from the SpySolr family. The research, led by researchers Johnk3r and Merl, documents a commercial ecosystem where a $5,000 lifetime license—or a $700 monthly subscription—allows buyers to generate custom payloads, design phishing lures, and deploy device takeover campaigns. The integrated APK builder requires zero programming expertise.
- BTMOB is an Android RAT sold via a MaaS model with a no-code APK builder.
- Pricing: $700 monthly or $5,000 for a lifetime license, plus unspecified monthly support fees.
- Sales occur through private Telegram channels, with promotion on X and Instagram.
- Documented campaigns: lures impersonating streaming services, cryptocurrency mining platforms, and government agencies, including Argentina's AFIP.
- Abuses Android Accessibility Services to gain elevated privileges without additional user interaction.
- Capabilities: Data exfiltration, screenshots, activity logging, remote control, and banking app overlays.
No-Code Builders and Rapid Payload Mutation
The defining feature of BTMOB is the customization interface included in the commercial offering. According to ESET’s analysis, the builder allows clients to select from a predefined set of permissions requested upon installation and define specific actions the app should execute.
This architecture facilitates rapid mutation. New variants can be generated quickly, leading to a high turnover of indicators of compromise (IoCs). ESET notes that the rapid generation of new payloads can undermine the effectiveness of traditional signature-based defenses.
ESET detected approximately 15 samples of BTMOB version 2.5 over a two-week period in early 2025. Sources do not specify how many of these samples were generated by the commercial builder versus manual creation.
Accessibility Services: The Trojan Horse of Android Permissions
Once installed, BTMOB abuses Android’s Accessibility Services to obtain elevated permissions without further user input. The technique itself is well documented in the mobile threat landscape; what changes here is its packaging into a ready-to-use commercial product, which puts it in far more hands.
Accessibility Services allow apps to read screen content, simulate touches, and intercept text input. BTMOB leverages this channel for overlay attacks on banking applications and continuous data exfiltration.
The choice of Android reflects the system's flexible permission model, the ability to sideload APKs, and the fragmentation of security updates. ESET emphasizes that, unlike traditional banking trojans, BTMOB offers broader functionality: sensitive data exfiltration, screen capture, activity logging, and full remote control.
The Target: Enterprises with BYOD Policies
"Corporate security teams must make it clear to employees that a single rogue download could expose the company's crown jewels" — ESET (via Infosecurity Magazine)
DeafNews Analysis. BTMOB highlights a structural disconnect in enterprise security posture. While organizations have invested heavily in workstation endpoint protection, server EDR, and network segmentation, the mobile device—often personal but with access to corporate email and SaaS apps—remains a vulnerable periphery with inferior protection.
DeafNews Analysis. The MaaS model lowers both the economic and technical barriers to entry. An actor without APK compilation skills can launch localized campaigns using lures that impersonate national tax agencies. ESET documents that attackers can adapt the kit’s features, including phishing lures, to mimic the most attractive brands or agencies in a target country.
Distribution occurs via phishing websites and social media accounts, redirecting victims to fake app stores that mimic Google Play. Users who install the APK grant the malware its requested access through the standard Android installation interface.
Strategic Implications and Mitigation
Editorial Operational Implications. ESET’s sources do not provide specific architectural directives; technical details regarding the C2 infrastructure beyond published IoCs remain undocumented. From this context, the following considerations emerge:
BYOD policies require urgent re-evaluation. A personal device with access to corporate resources that installs a malicious APK exposes all corporate data present on that device. Sources do not specify operational mitigation techniques; ESET’s focus remains on detection and user awareness.
User awareness is the primary documented point of intervention. ESET emphasizes that security teams must clearly communicate the risks of downloading apps from unofficial sources. The rapid customization of lures makes static recognition difficult: a local tax agency, a regional streaming service, or a well-known mining platform can all be impersonated.
Signature-based detection faces structural limits. The rapid generation of unique variants for each campaign compresses the window of effectiveness for single-layered defenses. ESET reports that ~15 samples in two weeks indicate active development, though the source does not quantify the ratio of builder-generated versus manual variants.
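The Accessibility Services abuse and unofficial-source installs described above can be checked for on a managed or investigated device without signatures. The Python below is an added defender-side example, not ESET's or this article's tooling: it triages the captured output of two standard adb commands, flags third-party apps that hold an enabled Accessibility Service, and ranks them higher when the app was not installed from Google Play. The allowlists and the sample command output are constructed assumptions.

```python
"""Triage captured adb output for BTMOB-style Accessibility Service abuse.
Assumed source commands:  adb shell settings get secure enabled_accessibility_services
                          adb shell pm list packages -3 -i   (third-party apps + installer)
"""
import re
from typing import Dict, List, Optional

# Assumed allowlists; an organisation maintains its own (e.g. add OEM stores).
TRUSTED_ACCESSIBILITY_PKGS = {"com.google.android.marvin.talkback"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample output, not captured from a real device.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.streamplus/com.example.streamplus.AccService"
)
SAMPLE_INSTALLERS = """\
package:com.example.streamplus  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.google.android.packageinstaller
"""

def parse_accessibility_services(raw: str) -> List[str]:
    """Colon-separated ComponentName list; '' or 'null' means none enabled."""
    raw = raw.strip()
    return [] if raw in ("", "null") else [c for c in raw.split(":") if c]

def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package -> installer; 'null' (no recorded installer) becomes None."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", raw, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in pairs}

def triage(accessibility_raw: str, installers_raw: str) -> List[str]:
    """A sideloaded app holding Accessibility is the worst case; rank it HIGH."""
    installers = parse_installers(installers_raw)
    findings, seen = [], set()
    for component in parse_accessibility_services(accessibility_raw):
        pkg = component.split("/", 1)[0]
        if pkg in TRUSTED_ACCESSIBILITY_PKGS:
            continue
        inst = installers.get(pkg)
        level = "HIGH" if inst not in TRUSTED_INSTALLERS else "MEDIUM"
        findings.append(f"{level}: {pkg} has Accessibility enabled (installer={inst})")
        seen.add(pkg)
    for pkg, inst in installers.items():  # remaining sideloads, lower priority
        if pkg not in seen and inst not in TRUSTED_INSTALLERS:
            findings.append(f"LOW: {pkg} not from a trusted store (installer={inst})")
    return findings
```

Replace the two sample strings with the real command output and call `triage`; on the sample it returns one HIGH finding for the sideloaded app that holds Accessibility and one LOW finding for the other sideloaded app.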
Why It Matters
DeafNews Analysis. BTMOB does not represent a technical breakthrough in malware code, but rather an advancement in distribution models. This payload "foundry"—an editorial metaphor for industrial-scale generation—transforms technical expertise into a purchasable commodity.
Documented geography remains centered on Brazil and Latin America, with a specific case involving Argentina's AFIP. While the potential for global expansion exists due to localized lure customization, sources have not confirmed active campaigns outside the region at the time of publication.
A January 2026 incident—where a dark web forum offered BTMOB files for free before going offline—adds a layer of uncertainty. ESET did not recover those payloads, and the source cannot verify if the files were authentic. This unquantified element introduces a risk variable regarding the exclusive control of the toolkit by its commercial operators.
ESET’s research, supported by secondary sources, documents an ecosystem where remote control of Android devices is accessible to those with budgets and skills previously deemed insufficient. The device that enters a meeting with an active camera, accesses corporate mail, and hosts authentication apps is the same device that, if compromised, exposes corporate data without ever needing to bypass a firewall or traditional network segment.
Information has been verified against cited sources and is current as of the publication date.
Sources
- https://www.bleepingcomputer.com/news/security/btmob-android-malware-service-generates-custom-phishing-payloads/
- https://www.securityweek.com/new-btmob-android-malware-enables-full-device-takeover/
- https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
- https://www.darkreading.com/cyberattacks-data-breaches/btmob-rat-brazil-latam-maas-model
- https://www.infosecurity-magazine.com/news/btmob-android-rat-maas-builder/
- https://cybersecuritynews.com/btmob-malware-control-android-devices/
- https://gbhackers.com/btmob-malware-allows-cybercriminals/