BTMOB Android Malware‑as‑a‑Service Generates Custom Phishing Payloads Targeting Latin America
What Happened – A new Android remote‑access trojan, BTMOB, is being sold as a Malware‑as‑a‑Service (MaaS) on clear‑web forums and private Telegram channels. The service includes an APK builder that lets buyers craft phishing‑laced apps with custom permissions, hide the icon, disable Google Play, and hijack Android Accessibility Services for elevated control.
Why It Matters for TPRM –
- Enables threat actors to rapidly produce tailored malicious apps that can bypass single‑layer mobile defenses.
- Increases the likelihood of data exfiltration from employee‑owned devices in BYOD environments.
- Highlights a supply‑chain risk where third‑party mobile app vendors or contractors could inadvertently distribute compromised binaries.
Who Is Affected – Enterprises with BYOD policies, mobile‑first SaaS providers, financial services firms, and any organization whose workforce relies on Android devices in Brazil, Argentina, and broader Latin America.
Recommended Actions – Enforce installation of apps only from the official Google Play Store, deploy mobile threat defense (MTD) solutions, restrict or monitor Accessibility Service permissions, and vet third‑party mobile app developers for security hygiene.
Technical Notes – BTMOB is delivered via phishing sites masquerading as streaming or crypto‑mining services and uses Android Accessibility Services to gain elevated privileges without additional user interaction. The builder lets attackers select permissions (e.g., disable Google Play, hide icon) and embed custom phishing lures. No known CVE is associated; the threat relies on social engineering and abuse of legitimate Android APIs. Source: BleepingComputer