- A new Android malware called PlayPraetor has infected more than 11,000 devices, spreading rapidly in Europe, North Africa, and South America.
- The malware uses fake Google Play Store pages and abuses Android’s accessibility services for full device control.
- PlayPraetor can display fake login screens over nearly 200 banking and crypto apps to steal credentials.
- The operation includes several variants and is run by a network of affiliates, primarily targeting Portuguese, Spanish, and French speakers.
- Other recent Android banking threats include ToxicPanda and DoubleTrouble, which use similar methods for data theft and device takeover.
Cybersecurity researchers have identified a new Android remote access trojan named PlayPraetor. This malware has infected over 11,000 devices, primarily located in Portugal, Spain, France, Morocco, Peru, and Hong Kong. The infections have grown at a rate of more than 2,000 new devices per week, according to findings from Cleafy.
PlayPraetor differs from other Android malware by using accessibility services to take control of devices and place fake overlay screens on top of around 200 banking and cryptocurrency apps. This allows operators to collect users’ credentials and perform unauthorized actions directly on the affected devices. Cleafy researchers stated, “Its core functionality relies on abusing Android’s accessibility services to gain extensive, real-time control over a compromised device.” The malware is managed from a Chinese command-and-control panel and is distributed through links to fraudulent Google Play Store download pages. These links are sent by SMS and Meta Ads, tricking users into installing the malicious files.
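Because the malware described above depends on two things a defender can observe, a sideloaded install (from a fake Play Store page rather than Google Play) and an enabled accessibility service, a device triage can cross-reference those. The following is an added example, not code from the article or from Cleafy; it parses text in the format of two real `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -3 -i`) and flags third-party apps that hold accessibility privileges without having been installed by Google Play. The package names and sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag third-party apps that hold accessibility privileges
# but were not installed by Google Play (com.android.vending).
# Input formats mirror two adb commands:
#   adb shell settings get secure enabled_accessibility_services
#     -> colon-separated "package/ServiceClass" entries
#   adb shell pm list packages -3 -i
#     -> lines "package:<name>  installer=<installer or null>"
# Both samples below are constructed; the package names are fictitious.

SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeplay/com.example.fakeplay.A11yService'
SAMPLE_PACKAGES='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeplay  installer=null
package:com.example.bank  installer=com.android.vending'

# Print "package installer=<x>" for each package that appears in the enabled
# accessibility list and whose installer is not Google Play.
flag_sideloaded_a11y() {
    enabled="$1"
    packages="$2"
    # Split the setting on ':', keep only the package half of each entry.
    printf '%s\n' "$enabled" | tr ':' '\n' | cut -d/ -f1 | sort -u |
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        # Look up the installer recorded for this package, if listed at all.
        installer=$(printf '%s\n' "$packages" |
            awk -v p="package:$pkg" '$1 == p { sub("installer=", "", $2); print $2 }')
        case "$installer" in
            com.android.vending) ;;   # installed through Play: not flagged
            *) printf '%s installer=%s\n' "$pkg" "${installer:-unknown}" ;;
        esac
    done
}

# Number of flagged packages, handy as a quick triage verdict.
flagged_count() {
    flag_sideloaded_a11y "$1" "$2" | wc -l | tr -d ' '
}

flag_sideloaded_a11y "$SAMPLE_ENABLED" "$SAMPLE_PACKAGES"
```

On a live device, replace the two sample strings with the output of the corresponding `adb shell` commands; a flagged package is a lead for review, not proof of infection, since legitimate sideloaded accessibility tools will appear too.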
The operation is considered a globally coordinated effort, with PlayPraetor appearing in five main variants. These include deceptive progressive web apps, phishing apps, and remote access tools that use accessibility features for persistence and control. According to earlier research from CTM360, large-scale campaigns use thousands of phony Play Store pages to harvest banking information and monitor device activity. Major affiliates control 60% of the botnet, focusing their campaigns on Portuguese-speaking regions.
Once installed, PlayPraetor connects to a remote server using encrypted web protocols. It uses a real-time messaging protocol to livestream device screens, indicating ongoing development and adaptation by its operators. Attacks have recently increased against Spanish- and Arabic-speaking users, showing a broader reach of the malware-as-a-service (MaaS) model. The remote control system lets operators interact with devices in real-time and create new fake download pages mimicking the Play Store.
The article also highlights the rise of other Android malware such as ToxicPanda and DoubleTrouble. ToxicPanda has compromised around 3,000 devices, using techniques like domain generation algorithms and fake Chrome updates for resilience. DoubleTrouble, disclosed by Zimperium, records device screens, logs keystrokes, and blocks access to certain apps, distributing itself through malicious websites and Discord channels.
The PlayPraetor operation is the latest in a series of financially motivated campaigns by Chinese-speaking threat actors, reflecting an ongoing trend of attacks focused on bank fraud and identity theft across Android users.