Doha – Morocco’s General Directorate for Information Systems Security (DGSSI) has issued a critical alert regarding a sophisticated malware targeting Android smartphones. The malware, named “BTMOB RAT,” was first detected in February and primarily aims to steal sensitive information, including banking data.
According to the DGSSI alert released on Monday, this Remote Access Trojan (RAT) is distributed through phishing websites and malicious applications available on the Google Play Store.
What makes this threat particularly concerning is its exploitation of Android’s accessibility services to obtain legitimate permissions while bypassing the system’s security mechanisms.
The malware employs advanced techniques to maintain persistent access to compromised devices. Once installed, BTMOB RAT can access the user interface to collect sensitive information displayed on screen, such as login credentials, private messages, and banking details.
It also monitors the clipboard, capturing temporarily stored data like passwords and payment information.
“These services are designed to help users with specific needs, but when misused by malware, they allow security restrictions to be circumvented,” explains the Center for Monitoring, Detection and Response to Computer Attacks.
The malware operates stealthily in the background without alerting users and can evade detection by traditional antivirus solutions.
This warning lands amid growing concerns about digital financial security in Morocco. Last March, cybersecurity firm Cypherleak revealed that data from over 31,000 Moroccan bank cards appeared for sale on dark web marketplaces, with over 5,500 cards remaining active and vulnerable to fraud.
Read also: Morocco’s DGSSI Warns of Critical WhatsApp Windows Vulnerability
Security experts note that BTMOB RAT is being offered as “Malware-as-a-Service” (MaaS), allowing various cybercriminals to purchase or rent it for their malicious campaigns, significantly increasing its distribution and potential impact.
According to estimates from Kaspersky and Lookout Mobile Security, more than 500,000 installations of malware exploiting Android accessibility features were recorded in 2024.
This trend is particularly troubling as users often activate these services for practical reasons such as screen reading or voice navigation.
Kaspersky reported last April that Morocco ranks third among African countries facing web-based threats, with 12.6 million attack attempts documented in 2024, behind Kenya and South Africa.
The DGSSI recommends integrating the provided compromise indicators into detection systems and immediately alerting the Moroccan Computer Emergency Response Team (maCERT) if any activity related to this malware is identified.
Users are advised to exercise caution when downloading applications, verify permissions granted to apps, and regularly check for suspicious activities in Android settings.
This alert also comes amid a rising trend in mobile cyberattacks. In 2023, Zimperium reported a 51% increase in attacks targeting Android globally, with a preference for emerging countries with expanding digital infrastructures.

Join on WhatsApp
Join on Telegram







