Tuesday, 02 January 2024 12:17 GMT

BTMOB Puts Android Users At Takeover Risk Arabian Post


(MENAFN- The Arabian Post) Cybersecurity researchers have warned that BTMOB, an Android remote access trojan, has developed into a potent tool for criminals seeking to hijack smartphones, steal data and run fraud from compromised devices.

The malware, first identified in early 2025, has moved beyond the narrower behaviour associated with many banking trojans. It can capture screens, record activity, manage files, intercept credentials, control device functions and give an attacker near-live access to a victim's handset. Its evolution is drawing close attention because it combines technical capability with an easy deployment model that lowers the skill threshold for cybercriminal groups.

BTMOB is understood to have evolved from SpySolr, another Android malware family linked to remote-control functions. Samples examined since late January 2025 have shown command-and-control communication, WebSocket-based connectivity and abuse of Android Accessibility Services, a legitimate feature designed to assist users with disabilities. Once granted, that permission can be misused to automate clicks, approve further permissions, log keystrokes and interact with apps without the user's informed consent.

The threat is especially serious because the malware is being packaged for use in a malware-as-a-service economy. A ready-made APK builder allows operators to generate malicious apps, adapt phishing pages for different regions and create new lures without writing code. Advertisements linked to the malware have promoted licences, updates and support, pointing to a commercial ecosystem rather than a single isolated campaign.

Attackers have used phishing websites that imitate familiar digital services, including streaming platforms, cryptocurrency schemes, fake app stores and well-known consumer brands. Some campaigns have posed as apps linked to Starlink, Google Chrome, Roku, Avast, Amazon, GB WhatsApp and financial services. Victims are typically directed to download an APK file outside the official Play Store, often after being shown pages that mimic legitimate app-market interfaces.


Once installed, BTMOB can present prompts that persuade users to enable Accessibility Services. After that step, the malware can silently grant itself additional permissions and carry out actions with little further interaction. The infection chain has also been observed using droppers that present a fake update screen, encouraging users to install a second-stage payload that contains the main spyware component.

Researchers have tracked multiple versions of the malware, including versions 2.5 through later 3.x builds. Some variants have added overlay attacks designed to steal device lock-screen credentials such as PINs, patterns and passwords. Others have targeted payment and wallet applications, including Alipay, by placing transparent overlays over the legitimate interface to capture PIN entries.

BTMOB's remote-control functions make it useful for on-device fraud, a method that has become more attractive as banks and payment platforms strengthen server-side defences. Rather than simply stealing a password and logging in from a new device, criminals can operate from the victim's own handset, where sessions, device fingerprints, SMS messages and trusted-app status may already be present. That makes detection harder for financial institutions and increases the risk of unauthorised transfers, account takeovers and identity theft.

The malware also reflects a wider shift in the Android threat landscape. Criminal developers are increasingly combining social engineering, modular payloads, encrypted components and automated abuse of accessibility permissions. The result is a class of mobile malware that can behave less like a simple credential stealer and more like a remote administration platform built for fraud.

Latin America has been a notable target area, with Brazil featuring in several observed campaigns, but the design of BTMOB makes geographic expansion straightforward. Its builder interface and customisable phishing material allow operators to tailor lures by language, brand and service category. That flexibility means users in other regions could face similar attacks if criminal affiliates decide to redeploy the tool.


Security specialists say the main defensive barrier remains user behaviour combined with mobile security controls. Android users should avoid installing apps from links shared through messages, adverts or unfamiliar websites, particularly when those pages imitate Google Play or ask for manual APK installation. Apps should be obtained through official stores, with attention paid to developer identity, installation numbers, user reviews and permission requests.

Organisations with staff using Android devices for work face added exposure. A compromised phone can leak credentials, business messages, one-time passwords, contact lists and files stored in cloud apps. Mobile device management policies that restrict sideloading, monitor risky permissions and separate work data from personal apps can reduce the chance of corporate compromise.
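The article's two technical threads, the abuse of Accessibility Services once the user enables them and the advice to restrict sideloading and monitor risky permissions, come together in a simple device triage check: list which packages currently hold an enabled accessibility service and cross-reference each against the store that installed it. The script below is an added example written for this page, not code from the article, from the researchers it cites or from any vendor tool. It parses the output format of two Android commands, `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` entries, where a class starting with `.` is shorthand for the package prefix) and `adb shell pm list packages -i` (`package:<name>  installer=<installer or null>`); the sample output and all package names in it are constructed, and treating only Google Play (`com.android.vending`) as a trusted installer is an assumption you should widen if you rely on an OEM store.

```python
"""Device triage: flag sideloaded Android apps that hold Accessibility Service
access. Added example written for this page; not code from the article, the
cited researchers or any vendor. Sample command output below is constructed
and the package names in it are hypothetical."""
from __future__ import annotations

# Installer packages treated as trusted app stores. Assumption: Google Play
# only; add an OEM store such as Samsung's if your fleet relies on it.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_accessibility_services(raw: str) -> dict[str, set[str]]:
    """Parse the value of `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of `package/ServiceClass` entries. A
    class name starting with '.' is Android shorthand for the package prefix."""
    enabled: dict[str, set[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return enabled
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service
        enabled.setdefault(package, set()).add(service)
    return enabled


def parse_installers(raw: str) -> dict[str, str | None]:
    """Parse `pm list packages -i` lines: `package:<name>  installer=<pkg|null>`.

    Preinstalled (system) apps report installer=null and map to None; a line
    with no installer field (output taken without -i) maps to 'unknown'."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, sep, rest = line[len("package:"):].partition("installer=")
        if not sep:
            installers[name.strip()] = "unknown"
            continue
        installer = rest.strip()
        installers[name.strip()] = None if installer == "null" else installer
    return installers


def flag_sideloaded_accessibility(enabled, installers, trusted=TRUSTED_INSTALLERS):
    """Return (package, service, installer) for every enabled accessibility
    service whose package was not installed by a trusted store.

    System apps (installer None) are skipped: they were preinstalled, not
    sideloaded. Packages absent from the installer list are reported as
    'unknown' so they are never silently passed."""
    findings = []
    for package, services in enabled.items():
        installer = installers.get(package, "unknown")
        if installer is None or installer in trusted:
            continue
        for service in sorted(services):
            findings.append((package, service, installer))
    return sorted(findings)


# Constructed sample output. TalkBack is a legitimate accessibility service
# from Play; the "fakeupdate" package was installed by the on-device package
# installer, i.e. sideloaded from an APK, which is the pattern described above.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.RemoteService:"
    "com.example.preinstalled/.AssistService"
)

SAMPLE_PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=com.google.android.packageinstaller
package:com.example.preinstalled  installer=null
package:com.example.bank  installer=com.android.vending
"""


def triage_sample():
    """Run the check over the constructed sample; returns the flagged entries."""
    return flag_sideloaded_accessibility(
        parse_accessibility_services(SAMPLE_ACCESSIBILITY),
        parse_installers(SAMPLE_PM_LIST),
    )


if __name__ == "__main__":
    for package, service, installer in triage_sample():
        print(f"SUSPECT {package} ({service}) installed by {installer}")
```

On a real handset, feed the two `adb shell` outputs into the parsers in place of the constructed strings. The check is deliberately conservative: it only reports packages that both hold accessibility access and came from somewhere other than a trusted store, which is exactly the combination the infection chain above relies on, and it reports a package with no installer record rather than assuming it is benign.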

MENAFN28052026000152002308ID1111177476


