Android Trojan Infects Over 11,000 Devices

Megiddo
Cleafy specialists have discovered a new Android Trojan, PlayPraetor. According to their data, it has already infected more than 11,000 devices, and more than 2,000 new infections are recorded every week.

Currently, the malware attacks users in Portugal, Spain, France, Morocco, Peru, and Hong Kong, and the researchers also report active campaigns aimed at Spanish-speaking and French-speaking audiences. In other words, the malware operators appear to be shifting their focus away from the earlier categories of victims.

In addition, in recent weeks the malware has increasingly been distributed among Spanish-speaking and Arabic-speaking users, which suggests that PlayPraetor is now operated under a Malware-as-a-Service (MaaS) scheme.

Experts write that PlayPraetor communicates with a command and control server located in China and does not differ much from other Android Trojans: it abuses Accessibility services to gain remote control over the device, and it can also place phishing overlays on top of almost 200 banking apps and crypto wallets to steal credentials.
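The Accessibility abuse described above leaves one artefact a defender can check directly: the list of services that currently hold the accessibility permission, which Android stores in the secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`). The script below is an added example, not code from Cleafy or CTM360; it parses that setting's `package/component` list and flags any package not on a fleet allowlist. The allowlist, the sample output and the sideloaded package name in it are constructed for the example.

```python
"""
Allowlist check for Android accessibility services (added example).

Parses the value of Android's `enabled_accessibility_services` secure
setting, as printed by:
    adb shell settings get secure enabled_accessibility_services
and reports every service whose package is not on a defender-maintained
allowlist. The allowlist and the sample output below are constructed.
"""
from dataclasses import dataclass

# Constructed allowlist: packages a fleet admin expects to hold the
# accessibility permission (TalkBack is Android's own screen reader).
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Parse the colon-separated "pkg/cls:pkg2/cls2" setting value.

    `settings get` prints "null" when nothing is enabled, and a component
    may be written as ".ClassName" relative to its package.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, component = entry.partition("/")
        if not sep:
            # Malformed entry: keep it visible instead of silently dropping it.
            services.append(AccessibilityService(package, ""))
            continue
        if component.startswith("."):
            component = package + component
        services.append(AccessibilityService(package, component))
    return services


def find_unexpected(raw: str, allowed=ALLOWED_PACKAGES) -> list[AccessibilityService]:
    """Return the enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s.package not in allowed]


# Constructed sample of the setting on a device where an unknown sideloaded
# app (invented package name) has been granted the accessibility permission.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded.update/.SvcA11y"
)

if __name__ == "__main__":
    for svc in find_unexpected(SAMPLE_OUTPUT):
        print(f"UNEXPECTED accessibility service: {svc.package} ({svc.component})")
```

On a managed fleet the raw value would come from the device (via adb or an MDM inventory) instead of the constructed sample; any package that is not a known accessibility tool or an approved enterprise app is worth investigating, because an Accessibility-service grant is what gives a Trojan of this kind its remote control.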

PlayPraetor was first discovered by CTM360 in March 2025. At that time, researchers noted that the attackers were using thousands of fake pages disguised as the Google Play Store to distribute the malware. This scheme allows the malware operators to steal banking credentials, monitor the clipboard contents, and intercept keystrokes.

“Links to fake Google Play Store pages are distributed through social media ads and SMS messages, helping attackers reach a wider audience,” the researchers explained. “The fake ads and messages trick users into clicking on links that lead to sites with malicious APK files.”

Experts write that PlayPraetor exists in five variants:
  • PWA - installs fake Progressive Web Apps;
  • Phish - based on WebView applications;
  • Phantom - uses Accessibility services to continuously monitor the device and communicate with the control server;
  • Veil - supports phishing via invite codes and offers fake products;
  • EagleSpy/SpyNote - RAT variants with full remote access.

According to Cleafy, the Phantom variant is on-device fraud (ODF) malware. It is operated by two key affiliated hacker groups that control approximately 60% of the botnet (around 4,500 infected devices); their activity is concentrated mainly in Portuguese-speaking countries.

“The core functionality is based on the abuse of Android’s Accessibility services, giving operators extensive and near-instantaneous control over the infected device,” Cleafy notes. “This allows fraudulent activity to be carried out directly from the victim’s device.”

Once installed, the malware contacts the command and control server via HTTP/HTTPS and establishes a WebSocket connection for two-way command transmission. It also starts an RTMP (Real-Time Messaging Protocol) session, through which attackers can view a live broadcast of everything that happens on the screen of the infected device.

The list of supported Trojan commands is constantly expanding, indicating that the malware is being actively developed.


[td]“The success of this campaign is based on a well-established operational structure and a malware-as-a-service model involving multiple affiliates,” Cleafy researchers note. “This structure allows for large-scale and targeted campaigns.”[/td]