- What: BTMOB RAT is spreading in Brazil and Latin America via MaaS model
- Impact: Cybercriminals are using a malware-as-a-service model to distribute the RAT
BTMOB RAT Spreads Across Brazil, LatAm via MaaS Model

An advanced remote access Trojan is propagating online.
Notably, it's delivered via an operator licensing model and features a no-code malware-development interface.

Elizabeth Montalbano, Contributing Writer
May 28, 2026

An emerging Android remote access Trojan (RAT) that offers would-be attackers a no-code interface for building malicious banking apps has resurfaced. This time, it's using a malware-as-a-service (MaaS) model that lowers the barrier to entry for cybercriminals to achieve full mobile device takeover with little expert knowledge.

The RAT — dubbed BTMOB and first described by researchers at Cyble last year as an offshoot of SpySolr malware — is notable for its potential to do significant damage via a range of capabilities that extend beyond the usual RAT behavior, according to ESET security researchers.

While typical banking Trojans are aimed primarily at stealing financial credentials or intercepting user transactions, BTMOB gives adversaries broader options. These include the ability to exfiltrate a range of sensitive data, capture screenshots, record activity on the device, and ultimately take remote control of it.

A No-Code Malicious Payload Generator

In the campaign, which targets users in Brazil and Latin America, the RAT is both commodity and payload. As a commodity, it is sold along with an APK builder interface that allows anyone to generate new payloads such as malicious Android apps, as well as rapidly adapt phishing lures for specific regions without writing any code, noted Daniel Cunha Barbosa, a security researcher for ESET, in the post.

The campaign distributes the RAT to cybercriminals through Telegram channels and other websites, and goes after victims via phishing sites impersonating streaming services, cryptocurrency platforms, and legitimate app stores.
The malware comes with a relatively inexpensive price tag of $5,000 for a lifetime license, which, in the digital economy of mobile device compromise, is a relative bargain, notes Jacob Krell, senior director of secure AI solutions & cybersecurity for Suzu Labs.

"Mobile is where the economics of industrialized cybercrime meet the highest returns in the exploit market," he says, adding that Crowdfense, a well-known vulnerability research hub, currently pays up to $5 million for a single Android zero-click chain.

"When the returns are that high, every improvement in mobile campaign tooling translates directly into profit," Krell says.

In addition, the MaaS model lowers the barrier for less sophisticated adversaries, Barbosa noted, citing a Dark Web forum that in January claimed to offer BTMOB-related files for free download.

"The forum later went offline, and our search didn’t recover the payload(s), but the episode points to a familiar risk with commercial malware: access rarely stays contained forever and the tool can move into secondary markets through resale, barter, or sharing inside closed groups," Barbosa wrote.

Social Engineering for the Cybercrime Win

In malicious campaigns that deliver a BTMOB payload, operators send victims to phishing websites that pose as streaming services, cryptocurrency mining platforms, or other familiar online services. From there, operators nudge victims toward fake app stores that mimic legitimate repositories and prompt them to install a malicious APK.

Because BTMOB allows operators to adapt lures to specific regions, it gives attackers a strong social-engineering play and unlimited geographic reach, Barbosa noted. He cited a campaign in Argentina that spread BTMOB while impersonating Argentina's tax and customs authorities as a recent example.
This, combined with the RAT's extended capabilities, gives the malware a wider reach for doing damage beyond the region in which it's currently being distributed, he said.

"The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America," Barbosa wrote.

Once installed, BTMOB seeks extensive access to the device by abusing Android Accessibility Services to gain elevated permissions and granting itself further system access and control over the device without additional user interaction.

Defending Mobile Devices From Malware

Mobile malware remains a significant threat to enterprise and personal users alike, and ESET recommended a few basic tips to keep users safe from BTMOB and the range of other Android-based malware making the rounds.

One basic best practice is to only download apps from the official Google Play Store and its repositories, and beware of fakes impersonating Google's mobile app marketplace. Enterprises also should make this a mandate across their employee base, Barbosa noted.

Basic phishing security hygiene applies as well, such as treating unsolicited links delivered via email, messaging apps, social media, and targeted advertisements with suspicion and not clicking on anything that even remotely seems like a scam, he said.

Finally, both individuals and organizations "should use mobile security solutions and treat mobile devices with the same rigor as other machines and environments," Barbosa wrote. For enterprise defenders, he included indicators of compromise in the post to help security administrators identify signs of compromise on a network.
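
An added example, not from the article or ESET's post: because BTMOB arrives as a sideloaded APK and depends on Android Accessibility Services, one triage check on a managed device is to list enabled accessibility services whose package is neither a system app nor installed by Google Play. The sample command outputs and `com.example.*` package names below are constructed, and the trusted-installer set is an assumption to adjust per policy.

```python
import re

# Text inputs come from these adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i   (package -> installer)
#   adb shell pm list packages -s   (system packages)
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; policy assumption

def parse_enabled_services(raw):
    """Split the colon-separated 'package/ServiceClass' list; 'null' means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_installers(raw):
    """Map package -> installer (None when the device reports installer=null)."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def parse_system(raw):
    """Set of package names from 'package:<name>' lines."""
    return {l.split(":", 1)[1].strip() for l in raw.splitlines() if l.startswith("package:")}

def suspicious_services(services_raw, installers_raw, system_raw):
    """Enabled accessibility services from non-system, non-store packages."""
    installers = parse_installers(installers_raw)
    system = parse_system(system_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg in system or installers.get(pkg) in TRUSTED_INSTALLERS:
            continue  # preinstalled or store-installed: out of scope for this check
        findings.append({"package": pkg, "service": svc, "installer": installers.get(pkg)})
    return findings

# Constructed sample outputs (not taken from a real device or from the report)
SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
            "com.example.streamtv/com.example.streamtv.core.HelperService")
INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.streamtv  installer=com.google.android.packageinstaller
package:com.example.notes  installer=null"""
SYSTEM = "package:com.google.android.marvin.talkback"

if __name__ == "__main__":
    for f in suspicious_services(SERVICES, INSTALLERS, SYSTEM):
        print(f"REVIEW {f['package']} ({f['service']}) installer={f['installer']}")
```

A hit is a lead for review rather than a verdict, since legitimately sideloaded accessibility tools will also appear.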