ESET's disclosure of BTMOB reveals a RAT that weaponizes Android Accessibility Services to achieve persistent, interaction-free control, moving well beyond credential theft into screenshot capture, activity recording, and remote command execution. Unlike earlier banking trojans that required user-triggered overlays, BTMOB maintains elevated privileges across reboots, a capability that mirrors the persistence tactics seen in state-linked campaigns such as those attributed to Iranian actors using similar accessibility abuse in 2023-2024. The malware's distribution model—bundled APK builders sold via Telegram with country-specific lures—accelerates adaptation, allowing operators to pivot from crypto-mining themes in Latin America to enterprise VPN or government service phishing elsewhere without code changes. This modular kit approach, priced at a $5,000 lifetime license plus support, lowers the barrier for mid-tier actors and echoes the commoditization pattern documented in the 2025 Mandiant report on Android RAT marketplaces. Coverage in SecurityWeek correctly flags the Latin American concentration but underplays the infrastructure stability across variants, which suggests a single development group maintaining core C2 domains while rapidly iterating payloads; this pattern aligns with observations in the broader ESET telemetry shared in their 2025 Mobile Threat Report. The free dark-web dump in January 2026 further risks wider proliferation, potentially enabling low-sophistication groups to target diaspora communities or critical-sector employees whose personal devices bridge corporate networks. Cross-referencing with similar tools like Mirax RAT shows BTMOB's broader data exfiltration scope positions it as a surveillance enabler rather than a narrow financial fraud instrument, raising stakes for users in regulated industries.