A newly discovered Android remote access trojan (RAT) named PlayPraetor has compromised more than 11,000 devices globally, with infections primarily concentrated in Portugal, Spain, France, Morocco, Peru, and Hong Kong. According to cybersecurity firm Cleafy, the malware is growing rapidly—adding over 2,000 new infections per week—due to aggressive campaigns targeting Spanish and French-speaking users, suggesting a shift in regional focus.
PlayPraetor operates via a Chinese command-and-control (C2) panel and is distinguished by its abuse of Android’s accessibility services. This allows it to gain real-time remote control over devices and deploy fake login overlays targeting nearly 200 banking and cryptocurrency apps to steal sensitive user credentials.
Initially uncovered by CTM360 in March 2025, PlayPraetor is distributed through a network of fraudulent Google Play Store pages, accessed via deceptive Meta ads and SMS links. These lures trick users into downloading malicious APK files disguised as legitimate apps.
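The combination described above (a sideloaded APK that enables an accessibility service and holds the overlay permission) can be checked on a managed device from the output of a few adb commands. The following is an added triage helper, not Cleafy's or CTM360's code; the command output formats it parses and the package names in the sample are constructed assumptions, so verify them against your device.

```python
"""Flag sideloaded apps that hold both capabilities PlayPraetor abuses:
an enabled accessibility service and the SYSTEM_ALERT_WINDOW (overlay) permission.
All sample command output below is constructed for illustration."""
import re

# Assumed output of `adb shell settings get secure enabled_accessibility_services`
ENABLED_A11Y = "com.android.talkback/.TalkBackService:com.update.play/.CoreService"
# Assumed output of `adb shell pm list packages -i`
PKG_INSTALLERS = """\
package:com.android.talkback  installer=com.android.vending
package:com.update.play  installer=null
package:com.example.bank  installer=com.android.vending
"""
# Assumed output of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package
APPOPS = {
    "com.android.talkback": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h",
    "com.update.play": "SYSTEM_ALERT_WINDOW: allow; time=+12m",
    "com.example.bank": "No operations.",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for your MDM/store

def parse_enabled_a11y(raw: str) -> set[str]:
    """'pkg/.Svc:pkg2/.Svc2' -> {'pkg', 'pkg2'}"""
    return {entry.split("/")[0] for entry in raw.strip().split(":") if entry}

def parse_installers(raw: str) -> dict[str, str]:
    """Map package name -> installing package ('null' means sideloaded)."""
    out = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def overlay_allowed(appops_line: str) -> bool:
    return bool(re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_line))

def suspicious_packages(a11y_raw: str, installers_raw: str, appops: dict) -> list[str]:
    """Packages with an enabled accessibility service, not installed from a trusted
    store, and allowed to draw overlays: the PlayPraetor-style profile."""
    installers = parse_installers(installers_raw)
    flagged = []
    for pkg in sorted(parse_enabled_a11y(a11y_raw)):
        sideloaded = installers.get(pkg, "null") not in TRUSTED_INSTALLERS
        if sideloaded and overlay_allowed(appops.get(pkg, "")):
            flagged.append(pkg)
    return flagged

if __name__ == "__main__":
    print(suspicious_packages(ENABLED_A11Y, PKG_INSTALLERS, APPOPS))  # ['com.update.play']
```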
“The links to the impersonated Play Store pages are distributed through Meta Ads and SMS messages to effectively reach a wide audience,” noted CTM360.
The malware comes in five distinct variants, each tailored for different attack vectors:
PWAs: Progressive Web Apps used for fake web-based apps.
Phish: WebView-based phishing apps.
Phantom: Focused on persistent access and C2 communication using accessibility services.
Veil: Used for phishing via invite codes and fake product sales.
EagleSpy/SpyNote (RAT): Offers full remote access.
The Phantom variant is particularly dangerous: it enables on-device fraud (ODF) and is controlled largely by two major affiliate groups, who between them command around 60% of the botnet and primarily target Portuguese-speaking users.
Once installed, PlayPraetor uses HTTP/HTTPS, WebSocket, and RTMP connections to communicate with its C2 server and even stream the device’s screen live to attackers. Researchers believe the malware is being actively developed, with new commands regularly added to improve data theft capabilities.
PlayPraetor is part of a growing trend of malware-as-a-service (MaaS) offerings operated by Chinese-speaking threat actors, following others like ToxicPanda and SuperCard X. Meanwhile, researchers also warn of DoubleTrouble, a new Android banking trojan that expands beyond overlay attacks to offer screen recording, app blocking, and advanced keylogging—further underlining the evolving threat landscape on mobile platforms.