
BTMOB is an Android remote access trojan that enables data theft and device takeover. It is distributed through phishing campaigns using lures such as streaming services and cryptocurrency mining. The malware is linked to SpySolr and is sold as a bundled kit with an APK builder interface, allowing threat actors to tailor phishing lures and generate payloads for specific geographies without coding. It is promoted through an open web page, a Telegram channel, and social media accounts. Victims receive phishing messages that lead to websites impersonating legitimate services, which redirect to fake application stores that deliver the malicious APK. After execution, BTMOB requests excessive access by abusing Android Accessibility Services, then exfiltrates sensitive data, captures screenshots, records activity, and provides remote control. Variants appear rapidly, indicating fast mutation.
"Once someone purchases the malicious kit, they can adapt its features, including the phishing lures so they impersonate the brand or agency most likely to lure victims in any given country," ESET notes.
"Threat actors have been observed delivering phishing messages that point victims to websites posing as legitimate services, which redirect to fake application stores mimicking legitimate repositories and serving the malicious APK."
"Once executed on a device, BTMOB attempts to obtain excessive access, abusing Android Accessibility Services to elevate its privileges on the system without user interaction."
"Unlike banking trojans, which 'only' aim to steal people's financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it," ESET says.
Read at SecurityWeek