New BTMOB Android Malware Enables Full Device Takeover — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: CRITICAL
Beware in 2026: New BTMOB Android Malware Scam Threatens Full Device Takeover in India
A new wave of phishing attacks using BTMOB Android malware is putting millions of Indian smartphone users at risk by enabling fraudsters to take complete control of their devices.
What Is the New BTMOB Android Malware That Enables Full Device Takeover?
The BTMOB Android malware is a critical new threat targeting Indian users through phishing tactics, designed to hijack their smartphones fully. This malware is distributed primarily via malicious links shared over popular platforms like WhatsApp and SMS, exploiting the high trust level that Indian users place in communications received through these informal channels. Given India’s increasing dependence on mobile-based services—such as UPI for digital payments, Aadhaar-linked authentication, and mobile banking apps—this malware poses a grave risk to financial and personal data security.
This scam is reportedly spreading rapidly in urban and semi-urban areas, where device usage and digital transactions are high. The malware camouflages itself as a legitimate app from reputed banks or service providers, making it more likely for victims to install it unknowingly. According to reports in public complaints and advisories from CERT-In (India’s Computer Emergency Response Team) and I4C (Indian Cyber Crime Coordination Centre), the malware can fully control Android devices, enabling scammers to approve transactions, steal passwords, access messages, and even intercept two-factor authentication OTPs sent via SMS or apps.
While RBI has not yet issued a scam-specific advisory on BTMOB, it continues to emphasize vigilance against phishing attacks that target UPI users and mobile banking customers. CERT-In reminds all internet users to avoid downloading apps from unofficial sources and to be wary of unsolicited messages with links.
How This Scam Works — Step by Step
Initial Contact via SMS or WhatsApp: The victim receives a message or a forwarded link through WhatsApp or SMS. The message often claims to be an important alert from a bank or a popular online service, urging the user to “download an updated app” or “verify their account” by clicking the link.
Landing on a Fake Website: Upon clicking the link, the user is redirected to a website that looks identical to a genuine service provider’s or bank’s official page. This site prompts the victim to download an app that supposedly helps with account security or improves their service experience.
Malicious App Installation: The app is a disguised version of the BTMOB malware. Once installed, it requests a range of permissions, including access to SMS, contacts, accessibility services, device administration, and overlay rights. The malware gains these permissions through social engineering by convincing users they are necessary for the app’s proper functioning.
Complete Device Control: With these permissions, scammers can remotely control the victim’s smartphone. They can read and send SMS messages, steal saved passwords, simulate screen taps, read notifications (including OTPs from UPI or banking apps), and even lock the user out of their device.
Financial Theft and Data Breach: The attackers use this control to authorize fraudulent UPI transactions, drain wallet balances, or misuse Aadhaar-linked services. Victims may lose thousands of rupees before realizing their phone is compromised.
Covering Tracks: The malware can hide its icon and erase traces of fraudulent transactions, making recovery and investigation difficult.
Real Warning Signs to Watch For
- Unexpected messages urging you to click a link for urgent account updates or payment verifications.
- Links that lead to unofficial or suspicious-looking websites, even if they resemble real service pages.
- Requests to install apps outside of the Google Play Store or official app stores.
- Apps asking for excessive permissions like SMS access, device admin rights, or accessibility features that don’t align with their stated function.
- Sudden lockouts or unusual behavior on your phone after installing an app.
- Receiving OTPs for transactions you did not initiate.
- Unexplained debits or failed transaction reversals from your UPI or bank accounts.
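As an added defender-side example (not code from the article or from BharatSecure), the Python below turns the permission warning signs above into a triage check: it parses a constructed, simplified excerpt of `adb shell dumpsys package` output together with the `enabled_accessibility_services` setting, and flags any app that combines SMS access, overlay rights, an enabled accessibility service and a non-Play installer. The package names and the dump excerpt are constructed; real dumpsys output carries many more fields.

```python
import re
# Permission names the article says the malicious app requests.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE = "com.android.vending"  # installer id reported for Play installs
# Constructed, simplified excerpt of `adb shell dumpsys package` output
# (not a real dump): one Play-installed app, one app matching the pattern.
SAMPLE_DUMP = """\
Package [com.example.notes] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.READ_CONTACTS
Package [com.fakebank.secure] (4d5e6f):
    installerPackageName=null
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.SYSTEM_ALERT_WINDOW
"""
# Constructed `settings get secure enabled_accessibility_services` value.
SAMPLE_A11Y = "com.fakebank.secure/com.fakebank.secure.Svc"

def parse_dump(text):
    """Map each package to its installer and requested permission set."""
    apps, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            cur = apps.setdefault(m.group(1), {"installer": None, "perms": set()})
        elif cur is not None and "installerPackageName=" in line:
            cur["installer"] = line.split("=", 1)[1].strip()
        elif cur is not None and line.strip().startswith("android.permission."):
            cur["perms"].add(line.strip())
    return apps

def triage(dump_text, a11y_setting):
    """Flag a package when 3+ of the article's indicators co-occur."""
    a11y_pkgs = {c.split("/")[0] for c in a11y_setting.split(":") if c}
    results = {}
    for pkg, info in parse_dump(dump_text).items():
        hits = [name for name, hit in (
            ("sms", bool(info["perms"] & SMS_PERMS)),
            ("overlay", OVERLAY_PERM in info["perms"]),
            ("accessibility", pkg in a11y_pkgs),
            ("sideloaded", info["installer"] != PLAY_STORE)) if hit]
        results[pkg] = (len(hits) >= 3, hits)
    return results
```

On a real device, feed it the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; a single indicator (for example a legitimate SMS app) is not enough to trip the flag.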
What Happens to Victims
Victims often suffer immediate financial loss through unauthorized UPI payments or wallet deductions. Because many transactions rely on two-factor authentication delivered by SMS or app notifications, the malware’s real-time access to those channels lets scammers bypass the very checks that India’s digital payment ecosystem depends on.
Beyond money, victims can face emotional distress, loss of private data such as Aadhaar-related information, and the hassle of regaining control of their device after a SIM swap or device hijack. Victims may also struggle to reverse fraudulent transactions because of limited UPI reversal windows and the difficulty of proving fraud to their banks.
What RBI and CERT-In Say
CERT-In has consistently warned about malware risks from unofficial app downloads and urged users to verify links before clicking. It also stresses the importance of keeping devices updated and using official app stores only.
The RBI provides guidelines advising users to never share OTPs or banking credentials and promptly report suspicious transactions to their banks’ fraud helplines. It also recommends using biometric or PIN protections on UPI apps to reduce risk.
If a user suspects malware infection or fraud, the Indian government’s cybercrime helpline 1930 is available for support, along with the dedicated portal cybercrime.gov.in for filing cybercrime complaints.
How to Protect Yourself
- Avoid Clicking Links in Unexpected Messages: Especially those asking to download apps or verify accounts urgently.
- Verify Website URLs Carefully: Look for correct spellings and official domains before downloading or entering information.
- Always Use Google Play Store or Official App Stores: Never sideload APK files from unknown sources.
- Limit App Permissions: Only grant necessary permissions. Be cautious of apps asking for SMS, accessibility, or device admin access.
- Keep Your Phone and Apps Updated: Security patches help close vulnerabilities exploited by malware.
- Enable Two-Factor Authentication with Biometric/PIN: For UPI and banking apps wherever possible.
- Use Antivirus or Security Apps from Trusted Vendors: To scan for malware regularly.
What to Do If You’ve Been Targeted
- Disconnect Your Device from the Internet: Turn off Wi-Fi and mobile data immediately.
- Uninstall Suspicious Apps: Remove recently installed or unknown apps with unusual permissions.
- Change Passwords and UPI PINs: Do this from a secure device, not the compromised phone.
- Contact Your Bank or Payment Service Provider: Report unauthorized transactions right away.
- File a Complaint: Use the cybercrime.gov.in portal or call the 1930 cybercrime helpline.
- Inform Your Mobile Service Provider: To prevent a SIM swap, or to request a SIM block if needed.
- Reset Your Device to Factory Settings: If advised by security professionals, after backing up important data.
Frequently Asked Questions
Q: How can I identify if the BTMOB malware is on my phone?
A: Look for signs such as unexpected app installations, phone lag, unauthorized SMS sent from your device, or strange behavior such as receiving OTPs for transactions you didn’t initiate.
Q: Can my UPI transactions be reversed if done through this malware?
A: RBI guidelines allow reversal only if reported promptly, but delays, lack of evidence of fraud, or consent given under malware control can complicate this. Immediate reporting increases chances of recovery.
Q: Is WhatsApp a safe platform for banking-related links?
A: WhatsApp itself is secure, but scammers exploit trust within chats to send phishing links. Always verify links outside the app and avoid installing apps promoted in unsolicited messages.
If you receive suspicious messages or links, verify them immediately at BharatSecure.app. You can also report suspicious activity to the 1930 cybercrime helpline to help prevent fraud.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.