PlayPraetor Android Trojan Infects 11,000+ Devices Using Fake Google Play Pages and Meta Ads

The420.in Staff

A newly discovered Android Remote Access Trojan (RAT) named PlayPraetor has compromised over 11,000 devices worldwide, cybersecurity researchers have warned. The malware campaign is rapidly expanding, with over 2,000 new infections per week, primarily targeting users in Portugal, Spain, France, Morocco, Peru, and Hong Kong.

Massive social engineering operation leverages Meta Ads and SMS phishing

The malware operators deploy fake Google Play Store download pages, distributed through Meta Ads and phishing SMS messages, to lure victims. Clicking the deceptive links redirects users to fraudulent APK downloads, infecting their Android devices with one of five PlayPraetor variants.

According to Cleafy researchers, the campaign now shows a strategic focus on Spanish, French, and Arabic-speaking users—moving away from its earlier attack demographics. The malicious APKs mimic legitimate applications and gain deep control of the device through abuse of Android accessibility services.

Full remote access and on-device fraud through advanced RAT features

PlayPraetor’s Phantom variant is capable of on-device fraud (ODF) and gives attackers full real-time control over infected phones. The malware enables:

  • Remote video streaming of the device screen via RTMP
  • Clipboard monitoring and keylogging
  • Fake overlay screens for banking and crypto apps
  • Command execution and system manipulation
  • Custom malware delivery pages mimicking Google Play

Researchers say two primary affiliate operators control nearly 60% of infections, with over 4,500 compromised devices under their control. These operators heavily target Portuguese-speaking regions.
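The capability set described above (accessibility-service abuse, draw-over-apps overlays for banking apps, and SMS interception) leaves a recognisable footprint in an APK's manifest. The following triage script is an added illustration written for this article, not Cleafy's tooling or any PlayPraetor artefact: it parses a decoded AndroidManifest.xml and flags the combination of an accessibility service declaration with overlay, SMS and package-install permissions. The permission and action names are real Android identifiers; the weights, the verdict thresholds and both sample manifests are constructed for the example.

```python
"""Static manifest triage for the accessibility + overlay + SMS combination.

Added example (not from the article or from Cleafy). Expects the
decoded text form of AndroidManifest.xml, as produced by a tool such
as apktool; binary AXML would need decoding first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Real Android permission names; the weights are an assumption for this example.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,      # overlays on top of banking apps
    "android.permission.RECEIVE_SMS": 2,              # intercept one-time codes
    "android.permission.READ_SMS": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2, # sideload further payloads
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 4


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found, an additive score and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    indicators = []
    score = 0

    declared = {p.get(A_NAME) for p in root.iter("uses-permission")}
    for perm, weight in RISKY_PERMISSIONS.items():
        if perm in declared:
            indicators.append(perm)
            score += weight

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter carries the AccessibilityService action.
    for svc in root.iter("service"):
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if svc.get(A_PERM) == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            indicators.append("accessibility-service:" + (svc.get(A_NAME) or "?"))
            score += ACCESSIBILITY_WEIGHT
            break

    verdict = "high" if score >= 7 else "medium" if score >= 3 else "low"
    return {"package": root.get("package"), "indicators": indicators,
            "score": score, "verdict": verdict}


# Constructed sample resembling the capability mix the article describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign sample: network access only, no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

The score is only a triage signal: legitimate screen readers and password managers also declare accessibility services, so a "high" verdict should route the sample to analyst review rather than act as a block on its own.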

Evolving Malware-as-a-Service (MaaS) model supports affiliates

PlayPraetor is offered as part of a multi-affiliate MaaS platform, allowing threat actors to build targeted campaigns using its infrastructure. Its Chinese-hosted C2 panel allows live interaction with infected devices, data exfiltration, and malware deployment customization.

The malware is also actively evolving. It now includes WebSocket-based bidirectional communication, real-time updates, and Progressive Web Apps (PWAs) to maintain stealth and persistence.

Linked threats: ToxicPanda and DoubleTrouble also surge

The rise of PlayPraetor follows other recent Android malware threats:

  • ToxicPanda – Compromised over 3,000 devices in Portugal and Spain. Uses fake Chrome update pages and traffic distribution systems (TDS) like TAG-1241 to redirect selected victims.
  • DoubleTrouble – A powerful banking trojan that logs keystrokes, blocks apps, and records screens. Distributed via Discord-hosted malicious APKs and bogus download pages.

The PlayPraetor campaign exemplifies the growing sophistication of Android malware, especially in regions with high mobile banking adoption. Its abuse of accessibility services and rapid expansion highlight the urgent need for stronger user awareness, endpoint protection, and vetting of mobile app downloads.

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.