A new remote access trojan (RAT) for Android, known as PlayPraetor, has managed to infect over 11,000 devices across several countries, with the highest presence in Portugal, Spain, France, Morocco, Peru, and Hong Kong.
The most alarming aspect is its rate of spread: over 2,000 new infections are reported each week. The attacks clearly target Spanish- and French-speaking users, suggesting a shift in cybercriminal strategies toward more aggressive campaigns in specific regions.
This trojan not only remotely controls the phone by abusing accessibility permissions but can also overlay fake login screens on top of more than 200 banking and crypto wallet apps. The goal? To steal credentials and take over victims’ accounts.
PlayPraetor: New Android Trojan Grows Into a Global Botnet Targeting Users in Europe and LATAM
This malware is becoming a global threat, thanks to an advanced control structure and a well-organized distribution campaign. This remote access trojan (RAT) operates through a Chinese-language C2 (command and control) panel designed for multi-user access, allowing several affiliates to run campaigns simultaneously.
This “platform-as-a-service” model has enabled rapid malware expansion, especially in Europe and Latin America. Recent data shows that 58% of infections are concentrated in Portugal, Spain, and France, followed by Morocco, Peru, and Hong Kong.
It was also found that two main operators control 60% of the entire botnet, with a strong focus on Portuguese-speaking users, while smaller affiliates target Spanish-, French-, and Chinese-speaking victims.
How Does PlayPraetor Work? Full Device Access Without You Noticing
PlayPraetor’s success is largely due to its ability to exploit Android’s accessibility services, allowing it to take full control of the device in real time. This lets attackers view the user’s screen, simulate clicks, steal passwords, and access sensitive information—without the victim ever realizing it.
One of the most concerning aspects is that the malware specifically targets banking apps and cryptocurrency wallets. Nearly 200 financial applications have been identified on its target list, showing a clear focus on stealing money and financial data.
Researchers also found that the malware is under active development, with new commands constantly being added—indicating that attackers are continuously refining its capabilities to maintain the campaign’s effectiveness.
Advanced C2 Technology: Hard to Detect and Block
PlayPraetor uses a multi-protocol C2 infrastructure designed to be resilient and difficult to track. Key features include:
- Heartbeat checks via HTTP/HTTPS to keep the infected device connected.
- Real-time commands over WebSocket (port 8282), enabling instant actions from the control panel.
- Live screen streaming via RTMP (port 1935), allowing attackers to watch the device activity in real time.
This combination makes the botnet harder to detect and eliminate, as it uses secure channels and diverse protocols to communicate.
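The three channels listed above give a defender something concrete to look for. The following is an added example (not from the original article or any vendor tooling) that scans connection-log lines, constructed here in a simplified Zeek conn.log-like layout, and flags any source host that reaches the same destination over all three: an HTTP/HTTPS heartbeat, WebSocket on 8282, and RTMP on 1935. The field order, IPs and timestamps are assumptions made for the sample.

```python
"""Heuristic detector for PlayPraetor-style multi-protocol C2 traffic.

Flags a (source, destination) pair that uses every channel in `required`.
Port 8282 and 1935 come from the article; 80/443 stand in for the
HTTP/HTTPS heartbeat. The log format below is an assumption for this example.
"""
from collections import defaultdict

HEARTBEAT_PORTS = {80, 443}   # HTTP/HTTPS heartbeat
WEBSOCKET_PORT = 8282          # real-time command channel
RTMP_PORT = 1935               # live screen streaming

# Constructed sample log: ts src_ip dst_ip dst_port proto service
SAMPLE_LOG = """\
1722500001.1 10.0.0.21 203.0.113.10 443 tcp ssl
1722500002.4 10.0.0.21 203.0.113.10 8282 tcp -
1722500003.9 10.0.0.21 203.0.113.10 1935 tcp rtmp
1722500004.2 10.0.0.22 198.51.100.5 443 tcp ssl
1722500005.0 10.0.0.22 198.51.100.5 1935 tcp rtmp
1722500006.7 10.0.0.23 203.0.113.10 80 tcp http
"""

def parse_line(line):
    """Split one space-separated record into a dict with typed fields."""
    ts, src, dst, port, proto, service = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto, "service": service}

def classify(port):
    """Map a destination port to one of the three C2 channel names, or None."""
    if port in HEARTBEAT_PORTS:
        return "heartbeat"
    if port == WEBSOCKET_PORT:
        return "websocket"
    if port == RTMP_PORT:
        return "rtmp"
    return None

def find_suspects(log_text, required=("heartbeat", "websocket", "rtmp")):
    """Return sorted (src, dst) pairs that used every channel in `required`.

    Lowering `required` (e.g. dropping "websocket") trades precision for
    recall; on a real network a single 443 connection is noise on its own.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        channel = classify(rec["port"])
        if channel:
            seen[(rec["src"], rec["dst"])].add(channel)
    return sorted(pair for pair, chans in seen.items() if set(required) <= chans)
```

Only the pair that exercises all three channels is reported; the host that only showed a heartbeat plus RTMP is surfaced when the requirement is relaxed.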
Confusion with Other Threats and Massive Distribution via Fake URLs
In threat databases, PlayPraetor was mistakenly classified as part of the SpyNote malware due to similarities in their infrastructure. However, its functionality, targets, and distribution model reveal a broader and more complex campaign.
Originally, PlayPraetor began as a localized banking impersonation campaign but has since evolved into a global operation. So far, attackers have used over 16,000 fake URLs mimicking the Google Play Store to trick users into downloading infected apps or handing over personal data.
The malware is distributed in different variants within a broader campaign, including names like Phish, RAT, PWA, Phantom (PlayPraetor), and Veil—each employing its own attack method. The Phantom variant, also known as PlayPraetor, has been extensively analyzed since April 2025, and fake Google Play pages have been confirmed as the primary distribution channel.
While PlayPraetor doesn't introduce entirely new techniques to the world of Android banking malware, its innovation lies in how it structures its operation. Instead of being run by a single actor, it functions more like a shared platform that multiple attackers can use to carry out large-scale campaigns.
In May, activity from this campaign surged in Southern Europe and Latin America, marking an aggressive expansion of its reach and establishing PlayPraetor as one of the most significant mobile threats today.
The malware’s control panel, entirely in Chinese, serves as a multi-user operations center from which infected devices are managed and phishing campaigns are launched in real time.
PlayPraetor: A Shared, Fast, and Highly Organized Malware Platform
What makes the PlayPraetor campaign especially dangerous isn’t just its technical capabilities, but its operational model, which allows multiple affiliates to work independently while sharing the same attack infrastructure.
Each operator can take real-time control of Android devices, remotely launch apps, steal personal data, and deploy tools for identity theft. All of this is managed through a centralized panel that also enables them to create fake pages closely resembling the Google Play Store, tricking users into downloading malware.
One of the operation’s key strengths is its modular and customizable design, which facilitates the rapid deployment of phishing campaigns using pre-registered domains. This not only accelerates distribution but also shows that this is a well-organized, professional-level operation.
Conclusion: A Threat Reflecting the Evolution of Cybercrime in Asia
PlayPraetor is a clear example of how Chinese-speaking threat actors are gaining ground in the world of digital financial fraud. This approach isn’t entirely new—recent campaigns like ToxicPanda and Supercard X had already shown similar signs. But with PlayPraetor, a growing trend is confirmed: the development of increasingly sophisticated attack vectors aimed at users and financial institutions worldwide.
While PlayPraetor doesn’t technically introduce never-before-seen methods (like many modern trojans, it abuses Android’s accessibility services to commit fraud directly from the device), its true innovation lies in how it operates. Instead of being controlled by a single group, it acts as a collaborative malware platform, with multiple affiliates launching campaigns in parallel under a shared system.
How to Protect Yourself from Threats Like PlayPraetor
- Only download apps from the Google Play Store and avoid suspicious links.
- Don’t grant accessibility permissions unless an app clearly requires them.
- Keep your Android device updated and use a reliable antivirus solution.
- Regularly review installed apps and remove any unfamiliar software.
- Avoid fake Google Play Store websites, especially those linked from messages or social media.
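Since accessibility access is the capability this trojan relies on, reviewing which apps currently hold it is the practical version of the second and fourth tips. The script below is an added example (not from the article) that parses the output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, and lists third-party packages with an accessibility service enabled. The package names in the sample strings are constructed; adb on PATH and a connected device are assumed only for the live run.

```python
"""List third-party Android apps that have an accessibility service enabled.

Added example. Parses:
  settings get secure enabled_accessibility_services -> "pkg/Service:pkg2/Service2" or "null"
  pm list packages -3                                -> lines of "package:<name>"
"""
import subprocess

# Constructed sample output standing in for a real device.
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.playstore.update/.CoreService")
SAMPLE_THIRD_PARTY = "package:com.example.playstore.update\npackage:org.mozilla.firefox\n"

def parse_enabled_services(setting):
    """Return package names from the colon-separated setting; empty when 'null'."""
    if not setting or setting.strip() == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry]

def parse_package_list(output):
    """Return package names from 'package:<name>' lines."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")]

def third_party_with_accessibility(setting, pkg_output):
    """Packages that are both third-party and have an accessibility service enabled."""
    third_party = set(parse_package_list(pkg_output))
    return sorted({pkg for pkg in parse_enabled_services(setting) if pkg in third_party})

def adb_shell(*args):
    """Run an adb shell command and return its stdout (live mode only)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    enabled = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    packages = adb_shell("pm", "list", "packages", "-3")
    for pkg in third_party_with_accessibility(enabled, packages):
        print("third-party app with accessibility service enabled:", pkg)
```

Any package reported here that you do not recognise as a screen reader or similar assistive tool deserves a closer look, and it can be removed or have the service disabled from Settings.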