The PlayPraetor Android Trojan has infected over 11,000 devices by using counterfeit Google Play pages and advertisements on Meta.
Cybersecurity researchers have identified a new Android remote access trojan (RAT) named PlayPraetor, which has already infected over 11,000 devices, predominantly in Portugal, Spain, France, Morocco, Peru, and Hong Kong. The botnet is growing by more than 2,000 new infections a week, a pace attributed to aggressive campaigns aimed at Spanish and French speakers, a deliberate shift from its earlier victim demographics. Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini note that PlayPraetor, controlled through a Chinese command-and-control (C2) panel, stands out from other Android trojans in how it abuses Android accessibility services to obtain remote control of the device. It can also display fake overlay login screens on top of nearly 200 banking applications and cryptocurrency wallets in order to hijack user accounts.
First documented by CTM360 in March 2025, PlayPraetor relies on thousands of fraudulent Google Play Store download pages to run a large-scale scam campaign that harvests banking credentials, monitors clipboard activity, and logs keystrokes. Links to the impersonated Play Store pages are distributed through Meta Ads and SMS messages, giving the operation broad reach. The campaign comprises five distinct variants, including ones that install deceptive Progressive Web Apps (PWAs) and ones that abuse accessibility services for persistent control. The Phantom variant, which is capable of on-device fraud, is run mainly by two affiliate operators who control roughly 60% of the botnet and focus on Portuguese-speaking targets. Once installed, the malware communicates with the C2 server over HTTP/HTTPS, opens a WebSocket connection for command execution, and establishes a Real-Time Messaging Protocol (RTMP) connection to live-stream the infected device's screen. The continued development of PlayPraetor's capabilities suggests that its operators are actively expanding its functionality for comprehensive data theft.
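The three-channel C2 pattern described above (an HTTPS beacon, a WebSocket command channel and an outbound RTMP stream to the same remote host) is something a network sensor can correlate. The script below is an added example, not code from Cleafy, CTM360 or the PlayPraetor operators; the flow schema, the time window and the sample records are constructed for illustration and do not correspond to any real infrastructure.

```python
"""Flow-correlation check for the C2 pattern described above: a device that
talks to one remote host over HTTPS, a WebSocket channel and RTMP within a
short window. Added example; flow schema and records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str    # device address on the monitored network (assumed field)
    dst: str    # remote host (assumed field)
    dport: int
    app: str    # application-layer label from the sensor: "https", "websocket", "rtmp", ...


# Channels that together make up the pattern described in the article
C2_CHANNELS = {"https", "websocket", "rtmp"}
WINDOW = timedelta(minutes=10)   # assumption: channels are opened close together

T0 = datetime(2025, 8, 1, 12, 0, 0)
SAMPLE_FLOWS = [
    # Constructed: one device opens all three channels to one host within minutes
    Flow(T0, "10.0.0.5", "203.0.113.10", 443, "https"),
    Flow(T0 + timedelta(minutes=1), "10.0.0.5", "203.0.113.10", 443, "websocket"),
    Flow(T0 + timedelta(minutes=3), "10.0.0.5", "203.0.113.10", 1935, "rtmp"),
    # Constructed: HTTPS plus WebSocket only; a chat app looks the same, so lower severity
    Flow(T0, "10.0.0.7", "198.51.100.20", 443, "https"),
    Flow(T0 + timedelta(minutes=2), "10.0.0.7", "198.51.100.20", 443, "websocket"),
    # Constructed: HTTPS and RTMP two hours apart, outside the window, no alert
    Flow(T0, "10.0.0.9", "192.0.2.30", 443, "https"),
    Flow(T0 + timedelta(hours=2), "10.0.0.9", "192.0.2.30", 1935, "rtmp"),
    # Constructed: ordinary web browsing, ignored
    Flow(T0, "10.0.0.11", "192.0.2.40", 443, "https"),
]


def severity(channels):
    """All three channels to one host is the full pattern; two is worth a look."""
    if channels >= C2_CHANNELS:
        return "high"
    if len(channels) >= 2:
        return "medium"
    return None


def find_c2_candidates(flows, window=WINDOW):
    """Group flows by (src, dst), slide a time window over each group and
    report pairs whose channel mix inside one window matches the pattern."""
    groups = defaultdict(list)
    for f in flows:
        if f.app in C2_CHANNELS:
            groups[(f.src, f.dst)].append(f)

    alerts = []
    for (src, dst), group in sorted(groups.items()):
        group.sort(key=lambda f: f.ts)
        best = set()
        for i, start in enumerate(group):
            # every channel seen from this flow until the window closes
            seen = {g.app for g in group[i:] if g.ts - start.ts <= window}
            if len(seen) > len(best):
                best = seen
        sev = severity(best)
        if sev:
            alerts.append({"src": src, "dst": dst,
                           "channels": sorted(best), "severity": sev})
    return alerts


if __name__ == "__main__":
    for a in find_c2_candidates(SAMPLE_FLOWS):
        print(f"{a['severity']:6} {a['src']} -> {a['dst']} {a['channels']}")
```

On the constructed records this flags the first device as high and the second as medium, and ignores the pair whose channels are hours apart. Outbound RTMP from a handset is unusual on its own and is the strongest single signal; the HTTPS-plus-WebSocket combination is common to legitimate messaging apps, which is why it only earns a medium rating and should be confirmed on the device itself, for example by checking which apps have accessibility services enabled.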