Grandoreiro and BTMOB campaigns target banking users in Europe and Latin America

Security researchers said Grandoreiro banking malware and the BTMOB Android trojan are being used in separate campaigns targeting users and companies in Spain, Portugal, Mexico and Brazil, with Grandoreiro focused on Windows and BTMOB aimed at Android devices.

KEY FACTS

  • Grandoreiro uses phishing emails and DLL side-loading to reach victims, with some files built to reference banks in Portugal.
  • Targets include financial institutions and services such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut and Wise.
  • BTMOB is an Android remote access trojan sold as malware-as-a-service with an APK builder and monthly and lifetime pricing.
  • Distribution relies on phishing sites and fake app listings that push users to install malicious APK files.

A technical analysis from WatchGuard said Grandoreiro has been active since 2016 and continues to evolve despite disruption efforts. The report said the malware uses CAPTCHA checks, DLL side-loading and WebRTC-related components to make detection more difficult.

WatchGuard also said one campaign used phishing emails to deliver a ZIP file from Mediafire that contained an obfuscated Visual Basic Script. The script launched an executable that told users to update Adobe Reader, ran checks designed to evade analysis, and then dropped the final payload.
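The delivery chain described above (script host running a VBS, spawning an executable, with the DLL side-loading noted earlier) turned into a detection check, as an added example that is not code from WatchGuard's report; the event format, field names and sample paths are constructed for illustration.

```python
# Added example (not from the WatchGuard report): flag the delivery chain the
# article describes: a script host running a .vbs out of a user-writable
# directory spawning an executable that then loads a DLL from that same
# non-system directory (a DLL side-loading indicator). Event fields and
# sample values are constructed for illustration.
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def user_writable(path: str) -> bool:
    """True when the path lies outside the usual system/program directories."""
    return not path.lower().startswith(SYSTEM_DIRS)

def find_sideload_chains(events):
    """Return (script cmdline, exe path, dll path) for each suspicious chain.

    events: dicts with type 'process' (pid, ppid, image, cmdline) or
            'imageload' (pid, loaded), in simplified Sysmon-like form.
    """
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    loads = defaultdict(list)
    for e in events:
        if e["type"] == "imageload":
            loads[e["pid"]].append(e["loaded"])
    hits = []
    for proc in by_pid.values():
        parent = by_pid.get(proc["ppid"])
        if not parent or parent["image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        if ".vbs" not in parent["cmdline"].lower() or not user_writable(proc["image"]):
            continue
        # Side-loading indicator: a DLL loaded from the executable's own directory.
        exe_dir = proc["image"].rsplit("\\", 1)[0].lower() + "\\"
        for dll in loads[proc["pid"]]:
            if dll.lower().endswith(".dll") and dll.lower().startswith(exe_dir):
                hits.append((parent["cmdline"], proc["image"], dll))
    return hits

# Constructed sample telemetry (simplified Sysmon-style events).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\invoice.vbs"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\x\\update.exe",
     "cmdline": "update.exe"},
    {"type": "imageload", "pid": 300, "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "imageload", "pid": 300, "loaded": "C:\\Users\\u\\AppData\\Local\\Temp\\x\\version.dll"},
]
```

Running `find_sideload_chains(SAMPLE_EVENTS)` returns the single chain ending in the DLL loaded from the executable's own Temp directory; the system DLL load is ignored.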

The report said some of the campaign files used STUN or ICE protocols for peer-to-peer communication and blended in with web conferencing traffic. Researchers said that can make malicious traffic harder to monitor because it resembles ordinary online meeting data.

ESET said BTMOB first appeared in February 2025 and can unlock devices, capture screenshots, log keystrokes and steal credentials through HTML injections when certain apps open. The disclosure said the malware can also abuse Android accessibility services to gain more control without user interaction.

The disclosure said BTMOB is sold with an APK builder and marketed by an actor using the name EVLF for $700 a month, with a lifetime license listed at $1,200 and full server source code at $7,000. ESET said leaked versions are already circulating, which may lower the barrier for other criminals to use the tool.

WHY IT MATTERS

The campaigns show how banking malware is shifting toward regional targeting, service-based sales and abuse of legitimate online services. That combination can make phishing, fake app stores and network detection harder to stop with basic defenses alone.