HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Malware-as-a-Service Android RAT BTMOB Enables Custom Phishing Payloads Targeting Latin America

A new Android remote‑access trojan, BTMOB, is being offered as a Malware‑as‑a‑Service platform. The service provides an easy‑to‑use APK builder that lets cybercriminals craft phishing‑laden apps with custom permissions, enabling data theft and financial transaction interception across Brazil and other Latin American markets. For third‑party risk managers, the rapid, on‑demand generation of malicious payloads challenges traditional mobile security controls.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
bleepingcomputer.com

BTMOB Android Malware‑as‑a‑Service Generates Custom Phishing Payloads Targeting Latin America

What Happened – A new Android remote‑access trojan, BTMOB, is being sold as a Malware‑as‑a‑Service (MaaS) on clear‑web forums and private Telegram channels. The service includes an APK builder that lets buyers craft phishing‑laced apps with custom permissions, hide the icon, disable Google Play, and hijack Android Accessibility Services for elevated control.

Why It Matters for TPRM

  • Enables threat actors to rapidly produce tailored malicious apps that can bypass single‑layer mobile defenses.
  • Increases the likelihood of data exfiltration from employee‑owned devices in BYOD environments.
  • Highlights a supply‑chain risk where third‑party mobile app vendors or contractors could inadvertently distribute compromised binaries.

Who Is Affected – Enterprises with BYOD policies, mobile‑first SaaS providers, financial services firms, and any organization whose workforce relies on Android devices in Brazil, Argentina, and broader Latin America.

Recommended Actions – Enforce installation of apps only from the official Google Play Store, deploy mobile threat defense (MTD) solutions, restrict or monitor Accessibility Service permissions, and vet third‑party mobile app developers for security hygiene.

Technical Notes – BTMOB is delivered via phishing sites masquerading as streaming or crypto‑mining services and uses Android Accessibility Services to gain elevated privileges without additional user interaction. The builder lets attackers select permissions (e.g., disable Google Play, hide icon) and embed custom phishing lures. No known CVE is associated; the threat relies on social engineering and abuse of legitimate Android APIs. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/btmob-android-malware-service-generates-custom-phishing-payloads/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →