Protect.Computer

Banking Malware Campaigns Target Windows and Android Users


Security researchers at WatchGuard and ESET have identified two simultaneous banking malware campaigns hitting users in Spain, Portugal, Mexico, and Brazil. One campaign delivers the long-running Grandoreiro banking trojan to Windows computers, while a second distributes a newer Android threat called BTMOB RAT — both designed to steal online banking credentials and drain accounts.

Grandoreiro arrives via phishing emails and hijacks legitimate Windows software through a technique called DLL side-loading, making it appear to come from trusted applications. BTMOB RAT, which first appeared in early 2025, is sold as a subscription service on criminal forums and leaked Telegram channels — meaning almost anyone can buy and deploy it. Once installed, BTMOB can unlock a phone remotely, record the screen, log keystrokes, and silently inject fake login screens over your real banking app to capture your username and password.

How to check if you’re affected

Affected devices are Android phones and Windows PCs used for online banking, particularly at banks in Spain, Portugal, Mexico, and Brazil, though the malware can target any institution once installed. Any banking app is exposed on a phone where other apps are allowed overlay permissions; check your Android settings under Apps → Special app access → Display over other apps and revoke that permission for any app that isn’t your keyboard or password manager. On Windows, run a full antivirus scan if you’ve recently opened an unexpected email attachment or clicked a link claiming to be from your bank.
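The same overlay check can be run from a computer over adb, which helps when several phones need auditing. The script below is an added example, not from the researchers' reports; it assumes USB debugging is enabled, and the package names and allow-list are constructed placeholders.

```python
import subprocess

# Assumption: apps the owner deliberately lets draw overlays (hypothetical
# names standing in for the keyboard and password manager).
ALLOWED = {"com.example.keyboard", "com.example.passwordmanager"}

def adb(*args):
    """Run a command in the attached device's shell and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

def parse_overlay_holders(appops_out):
    """Packages listed by `cmd appops query-op SYSTEM_ALERT_WINDOW allow`."""
    lines = [l.strip() for l in appops_out.splitlines() if l.strip()]
    # appops prints "No operations." instead of package names when empty.
    return {l for l in lines if l != "No operations."}

def parse_third_party(pm_out):
    """Packages listed by `pm list packages -3` (lines like 'package:<name>')."""
    return {l.strip().split(":", 1)[1] for l in pm_out.splitlines()
            if l.strip().startswith("package:")}

def suspicious_overlays(appops_out, pm_out, allowed=ALLOWED):
    """User-installed apps allowed to display over other apps, minus the allow-list."""
    holders = parse_overlay_holders(appops_out)
    return sorted((holders & parse_third_party(pm_out)) - set(allowed))

# Constructed sample output, used when no device is attached.
SAMPLE_APPOPS = "com.example.keyboard\ncom.android.systemui\ncom.example.flashlight\n"
SAMPLE_PM = ("package:com.example.keyboard\npackage:com.example.flashlight\n"
             "package:com.example.notes\n")

if __name__ == "__main__":
    try:
        appops_out = adb("cmd", "appops", "query-op", "SYSTEM_ALERT_WINDOW", "allow")
        pm_out = adb("pm", "list", "packages", "-3")
    except (OSError, subprocess.CalledProcessError):
        appops_out, pm_out = SAMPLE_APPOPS, SAMPLE_PM
    for pkg in suspicious_overlays(appops_out, pm_out):
        print(f"review overlay permission: {pkg}")
```

Any package it prints should be reviewed in the Display over other apps screen and have the permission revoked unless it is expected there.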
