BTMOB Android RAT Sold With No-Code Builder Lowers Entry Bar for Mobile Malware
Researchers at ESET have identified BTMOB, a new Android RAT sold as a malware-as-a-service platform that includes a no-code APK builder, enabling attackers to rapidly generate targeted phishing lures with minimal technical skill.

ESET researchers have documented a new Android remote access trojan (RAT) called BTMOB that is being sold as a malware-as-a-service (MaaS) platform with a built-in, no-code APK builder. The tool allows buyers to quickly generate customized malicious apps tailored for specific regions, dramatically lowering the technical barrier to deploying mobile malware. First documented in February 2025, BTMOB evolved from the earlier SpySolr family and represents a shift from traditional banking trojans toward more versatile device-takeover capabilities.
BTMOB's most distinctive feature is its commercial packaging — the RAT ships with an APK builder interface that lets buyers generate new payloads and retool phishing lures for specific countries without writing any code. This no-code builder is marketed alongside the malware itself, which is sold through a MaaS model promoted on a surface-web page that channels buyers to a Telegram operator, with additional seller accounts on X and Instagram. ESET reported a $5,000 lifetime license plus a monthly support fee — a modest investment relative to the potential proceeds of a successful fraud operation.
Distribution follows a familiar social-engineering pattern. Operators steer victims to phishing sites posing as streaming services, crypto-mining platforms or other recognizable brands, then funnel them toward fake app stores that prompt installation of a malicious APK. Once on the device, BTMOB abuses Android's Accessibility Services to escalate its own permissions and grant itself deeper system access without further user interaction. Researchers have already seen the kit adapted to impersonate local institutions, including campaigns spoofing Argentina's tax and customs authorities.
Beyond credential theft, BTMOB provides a full suite of device-takeover capabilities. It can exfiltrate SMS messages, call logs, and device data; capture screenshots; record on-device activity; and hand operators remote control of the phone. This extends well beyond the scope of a typical banking trojan, positioning BTMOB as a multi-purpose espionage and fraud tool.
The economic model behind BTMOB makes containment particularly challenging. Because new variants can be spun up so quickly using the no-code builder, ESET warned defenders to expect rapid payload turnover rather than a fixed set of samples. In January 2026, a dark web forum briefly advertised BTMOB files for free before going offline — a reminder that commercial malware rarely stays locked to paying customers once resale and sharing take hold.
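
Because payloads turn over quickly, a check keyed on the behaviour described above (a sideloaded app holding an enabled Accessibility Service) ages better than a hash list. The following is an added example, not code from ESET or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`. The trusted-installer set, the function names and the `com.example.*` sample packages are assumptions made for illustration.

```python
import re

# Assumption: only Google Play counts as a trusted installer; extend per fleet policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(raw):
    """Packages in `settings get secure enabled_accessibility_services` output."""
    raw = raw.strip()
    if not raw or raw == "null":          # "null" means no service is enabled
        return set()
    # Entries are colon-separated components of the form package/ServiceClass.
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` output."""
    found = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return found

def parse_system(raw):
    """Preinstalled package names from `pm list packages -s` output."""
    lines = (l.strip() for l in raw.splitlines())
    return {l[len("package:"):] for l in lines if l.startswith("package:")}

def flag_sideloaded_accessibility(a11y_raw, installers_raw, system_raw):
    """(package, installer) for non-system a11y services not from a trusted store."""
    installers, system = parse_installers(installers_raw), parse_system(system_raw)
    findings = []
    for pkg in sorted(parse_accessibility(a11y_raw) - system):
        installer = installers.get(pkg)   # None: unknown or no recorded installer
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer))
    return findings

# Constructed sample output (com.example.* packages are hypothetical).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.streamplus/.core.HelperService:com.example.passmgr/.AutofillService")
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.streamplus  installer=com.google.android.packageinstaller
package:com.example.passmgr  installer=com.android.vending
"""
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

if __name__ == "__main__":
    print(flag_sideloaded_accessibility(SAMPLE_A11Y, SAMPLE_INSTALLERS, SAMPLE_SYSTEM))
```

A finding is a prompt for review, not a verdict: legitimately sideloaded enterprise tools will also appear until their installer is added to the trusted set.
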
ESET advised users to install apps only from official stores, treat unsolicited links with suspicion, and run mobile security software with the same rigor applied to other devices. "Corporate security teams must make it clear to employees that a single rogue download could expose the company's crown jewels," ESET concluded. The BTMOB campaign highlights the growing commoditization of Android malware through user-friendly tooling, making sophisticated mobile threats accessible to a wider range of criminal actors.
As no-code malware builders become more common, organizations face an expanding threat landscape where even low-skill attackers can deploy advanced RATs. This trend mirrors broader shifts in the cybercriminal ecosystem toward platform-based business models, lowering barriers to entry and increasing the volume and diversity of mobile threats.