Cybersecurity researchers have uncovered a rapidly spreading Android remote access trojan (RAT) called PlayPraetor, which has already compromised more than 11,000 devices. The malware is growing at an alarming rate of over 2,000 new infections per week, with a primary focus on victims in Portugal, Spain, France, Morocco, Peru, and Hong Kong. According to research from Cleafy, the operation, managed by a Chinese command-and-control (C2) panel, is aggressively expanding its reach, with recent campaigns strategically targeting Spanish and French speakers.
PlayPraetor’s primary attack vector involves abusing Android’s accessibility services to achieve almost total remote control over an infected device.
This allows attackers to serve fake overlay login screens on top of legitimate applications, targeting nearly 200 different banking apps and cryptocurrency wallets to harvest user credentials. As first documented by CTM360 in March 2025, the trojan is distributed through a large-scale campaign using thousands of fraudulent Google Play Store download pages. These deceptive links are pushed to potential victims through Meta Ads and SMS messages, tricking them into downloading the malicious APK.
The malware operation is a sophisticated, globally coordinated effort that utilizes five distinct variants to carry out its objectives. These variants include deceptive Progressive Web Apps (PWAs), WebView-based phishing apps, and the “Phantom” variant, which exploits accessibility services for persistent C2 communication and on-device fraud (ODF). Other variants facilitate phishing through invite codes, trick users into buying fake products, or grant full remote control using established spyware like EagleSpy and SpyNote. The Phantom variant is particularly notable, with two main affiliate operators controlling about 60% of the botnet and focusing heavily on Portuguese-speaking targets.
Once installed on a device, PlayPraetor establishes a connection with its C2 server using HTTP/HTTPS and employs a WebSocket connection for bidirectional commands, allowing operators to issue instructions in real-time. Uniquely, it also initiates a Real-Time Messaging Protocol (RTMP) connection to livestream the device’s screen back to the attacker.
This capability enables the operator to directly observe user activity and perform fraudulent actions on the victim’s device, such as executing unauthorized transactions from banking apps.
The threat posed by PlayPraetor is continuously evolving, with its operators actively developing new commands and expanding its capabilities. The recent shift to target Spanish- and Arabic-speaking users suggests the trojan is being offered as a malware-as-a-service (MaaS) package, broadening its affiliate base. The sophisticated C2 panel not only allows for real-time interaction with compromised devices but also enables operators to create bespoke malware delivery pages that convincingly mimic the official Google Play Store, underscoring the significant and growing danger of this multifaceted threat.
Reference:
