BTMOB Android RAT: MaaS Platform Generates Custom Phishing Payloads Targeting Latin America
A new Android Remote Access Trojan (RAT) named **BTMOB** is being offered as a Malware-as-a-Service (MaaS) platform, enabling cybercriminals to generate custom phishing payloads. The RAT boasts a wide array of features, including data theft, financial transaction interception, and remote control capabilities, primarily targeting users in Brazil and Latin America.

**BTMOB** is advertised on the clearweb, offering an APK builder that simplifies payload customization without requiring coding expertise, according to cybersecurity firm **ESET**.
### Payload Customization
Customers can select specific permissions for the APK to request upon installation. They can also define actions such as disabling **Google Play**, hiding the app icon, or preventing sleep mode, making it difficult for victims to remove the malware.

*BTMOB's payload builder. Source: ESET*
### Targeting and History
**BTMOB** is primarily active in Brazil and Latin America. **ANYRUN** analyzed it back in February 2025, and **Cyble** documented it as an advanced Android malware.
At the time, **Cyble** identified approximately 15 samples of **BTMOB** 2.5 within a two-week period, indicating active development.
### Pricing and Distribution
According to **ESET** researchers, sales are conducted through private **Telegram** channels. A monthly subscription costs $700, while a lifetime license is priced at $5,000.

*BTMOB clearnet site. Source: ESET*
### Evolution and Tactics
**BTMOB** appears to be an evolution of the **SpySolr** malware family and is distributed via phishing websites disguised as streaming services and cryptocurrency mining platforms.
Potential victims are often redirected to fake **Google Play** portals, prompting them to download malicious apps. Recently, campaigns using an Argentinian government agency as a lure have been observed.

*Malicious apps on fake Google Play sites. Source: Merl*
### Exploiting Accessibility Services
The malware platform facilitates the generation of custom, localized phishing lures tailored to specific campaigns. Once installed, it leverages Android Accessibility Services to gain elevated permissions and system access without further user interaction.
### Mitigation
While **ESET** is actively tracking the threat and updating detection rules, the rapid generation of new payloads can overwhelm single-layered security defenses.
Android users are advised to only install apps from the official **Google Play Store**, utilize **Play Protect** for scanning, and carefully review and revoke unnecessary risky permissions, particularly Accessibility access.
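Because BTMOB relies on Accessibility access granted to a side-loaded app, a defender can triage a device by cross-referencing which packages hold that access with where each package was installed from. The script below is an added example (not ESET's, Cyble's or ANY.RUN's tooling): it parses constructed samples of two `adb shell` outputs, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags Accessibility-enabled packages that did not come from Google Play; the sample package names are invented.

```shell
#!/bin/sh
# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format is pkg/service entries separated by ':'; TalkBack is legitimate, the
# second entry mimics a side-loaded "streaming" app of the kind BTMOB poses as.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.streamflix/.AccService'

# Constructed sample of: adb shell pm list packages -i  (package plus installer)
SAMPLE_PM='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.streamflix  installer=null
package:com.android.chrome  installer=com.android.vending'

# Print one package name per line from the colon-separated Accessibility setting.
accessibility_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p'
}

# Print the installer recorded for a package in the pm output (empty if not listed).
installer_of() {
  printf '%s\n' "$2" | sed -n "s#^package:$1  installer=##p" | head -n 1
}

# List Accessibility-enabled packages not installed by Google Play (com.android.vending).
# Output: "<package> <installer>" per line; "sideloaded" when no installer is recorded.
suspicious_accessibility() {
  accessibility_packages "$1" | while IFS= read -r pkg; do
    inst=$(installer_of "$pkg" "$2")
    case "$inst" in
      com.android.vending) ;;                        # from Google Play, skip
      ''|null) printf '%s sideloaded\n' "$pkg" ;;    # no installer: manual APK install
      *) printf '%s %s\n' "$pkg" "$inst" ;;          # third-party store or unknown
    esac
  done
}

# Run the same check against a connected device (needs adb; strips CR from output).
audit_device() {
  suspicious_accessibility \
    "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
    "$(adb shell pm list packages -i | tr -d '\r')"
}

suspicious_accessibility "$SAMPLE_ENABLED" "$SAMPLE_PM"
```

Any package the check prints should be reviewed in Settings > Accessibility and its service disabled before the app is uninstalled, since Accessibility-abusing malware often resists removal while the service is active.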