Threat actors have been observed sending phishing messages that point victims to websites posing as legitimate services. These sites redirect to fake application stores that mimic legitimate app repositories and serve the malicious APK.
Once launched on a device, BTMOB requests far-reaching access and abuses Android Accessibility Services to expand its control over the system without further user interaction.
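A quick triage check for the behaviour just described, added here as an example and not taken from ESET or SecurityWeek: on a device you can inspect, `adb shell settings get secure enabled_accessibility_services` prints the accessibility services that currently have access as a colon-separated list of flattened component names (`package/ServiceClass`, with a leading `.` meaning the class is relative to the package). The helper below parses that value and flags any service whose package is not on an allowlist. The allowlist contents and the sample setting value are constructed assumptions, not data from the article.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.
Constructed example for triage; the allowlist and sample input are assumptions."""

from __future__ import annotations

# Assumed allowlist: accessibility-service packages an organisation has reviewed.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the value of the secure setting `enabled_accessibility_services`
    into (package, fully qualified class) pairs.

    The setting is a colon-separated list of flattened component names such as
    `pkg/.Service` or `pkg/fully.qualified.Service`; `settings get` prints the
    literal string "null" when nothing is set."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        if not sep:
            # Malformed entry: keep it visible instead of silently dropping it.
            pairs.append((pkg, ""))
            continue
        if cls.startswith("."):
            cls = pkg + cls  # expand a package-relative class name
        pairs.append((pkg, cls))
    return pairs


def unexpected_services(raw: str, allowed: set[str] = ALLOWED_PACKAGES) -> list[str]:
    """Return flattened component names whose package is not allowlisted."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(raw) if pkg not in allowed]


# Constructed sample of what the adb command above might print on a device where
# a sideloaded app has been granted accessibility access alongside TalkBack.
SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.sideloaded/.A11yService"
)

if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE):
        print("REVIEW:", svc)
```

Anything flagged is not proof of compromise (legitimate utilities also use Accessibility Services), but a sideloaded package holding accessibility access on a device that was never meant to have one is exactly the condition worth pulling the APK and its installer for.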
“Unlike banking trojans, which ‘only’ aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it,” ESET says.
The cybersecurity firm notes that the malware is mutating quickly, with numerous variants observed within a short period of time, but that certain infrastructure patterns remained unchanged across iterations.
BTMOB has been mainly observed in attacks in Latin America, but the risk it poses stretches beyond the region, ESET warns.
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek