An Android remote access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures.
The malware offers a wide feature set, including targeted data theft, interception of financial transactions, screenshot capture, and remote control of the infected device.
Cybersecurity company ESET says that BTMOB is openly advertised on the clearweb and operates as a malware-as-a-service (MaaS) platform. The APK builder included in the offer provides easy customization of the payload without any need to code.
Customers can select from a set of permissions the APK requests upon installation, and define what actions the app should take (e.g., disable Google Play, hide its icon to make it more difficult to remove from the device, or prevent sleep mode).
BTMOB's payload builder
Source: ESET
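The builder options above (picking the permissions the APK requests, keeping the device awake, hiding the launcher icon) leave traces in the package manifest that an analyst can triage statically. The following is an added example, not ESET's, Cyble's, or BTMOB's code: it scores a decoded AndroidManifest.xml for permissions and declarations that builder-style Android RATs commonly rely on. The permission list and weights are an illustrative heuristic assumed here (the article does not state which permissions BTMOB's builder exposes), the manifest is a constructed sample, and the code assumes the manifest has already been decoded from binary AXML into plain XML (for example with apktool).

```python
"""Static triage of a decoded AndroidManifest.xml for permissions that
builder-style Android RATs commonly request.

Added example, not code from the article or the malware. The sample
manifest is constructed for illustration, and the weights below are an
assumed heuristic rather than a published scoring scheme. Assumes the
manifest was already decoded from binary AXML (e.g. with apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumed weights: higher means more often tied to remote-control or
# transaction-interception behaviour in Android banking trojans.
RISKY_PERMISSIONS = {
    A11Y_BIND: 3,                                          # remote control, overlay abuse
    "android.permission.SYSTEM_ALERT_WINDOW": 2,           # phishing overlays
    "android.permission.RECEIVE_SMS": 2,                   # intercept one-time codes
    "android.permission.READ_SMS": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,      # drop further payloads
    "android.permission.WAKE_LOCK": 1,                     # "prevent sleep mode"
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 1,
    "android.permission.FOREGROUND_SERVICE": 1,
}

# Constructed sample manifest resembling a phishing-lure APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Update">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a risk score and the indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    score = 0

    # Requested permissions, in document order.
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME)
        if name in RISKY_PERMISSIONS:
            findings.append(name)
            score += RISKY_PERMISSIONS[name]

    # An accessibility service is declared through the service's
    # android:permission attribute, not a <uses-permission> element.
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) == A11Y_BIND:
            findings.append("accessibility-service:" + svc.get(NAME, "?"))
            score += RISKY_PERMISSIONS[A11Y_BIND]

    # A package with no LAUNCHER activity never shows up in the app drawer.
    # Icon hiding done at runtime (disabling the launcher component after
    # install) is invisible to this static check; that is a known limitation.
    has_launcher = any(
        cat.get(NAME) == "android.intent.category.LAUNCHER"
        for cat in root.iter("category")
    )
    if not has_launcher:
        findings.append("no-launcher-activity")
        score += 2

    return {"score": score, "findings": findings}


def triage_sample():
    """Run the triage over the constructed sample manifest."""
    return triage_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    result = triage_sample()
    print("score:", result["score"])
    for finding in result["findings"]:
        print("  -", finding)
```

The score is only a prioritisation aid for sorting samples pulled from a phishing campaign; a legitimate messaging or accessibility app will also trip some of these entries, so a high score is a reason to look at the decompiled code, not a verdict.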
BTMOB is mostly active in Brazil and Latin America. It is not a new Android trojan: ANYRUN analyzed it in February 2025, and threat intelligence and digital risk protection company Cyble documented it as an advanced Android malware.
At the time, Cyble spotted about 15 samples of BTMOB 2.5 in nearly two weeks, indicating that the author was actively developing the malware.
According to ESET researchers, sales are conducted in private Telegram channels. Threat actors can rent it for a $700 monthly subscription, or pay $5,000 for a lifetime license.
BTMOB clearnet site