PlayPraetor Android RAT has hit 11K+ devices, spreading fast via campaigns targeting Spanish and French speakers, say Cleafy researchers.
Cleafy researchers have identified a new Android RAT called PlayPraetor, which has infected over 11,000 devices, mainly in Portugal, Spain, France, Morocco, Peru, and Hong Kong. The malware is spreading rapidly, with more than 2,000 new infections weekly, targeting Spanish and French speakers in a notable shift in strategy.
The PlayPraetor Android RAT is managed via a Chinese-language C2 panel with a multi-tenant setup, enabling multiple affiliates to run campaigns. Most of the victims are in Europe, with 58% of infections in Portugal, Spain, and France, followed by Morocco, Peru, and Hong Kong. Two main operators dominate 60% of the botnet, focusing on Portuguese speakers, while smaller affiliates target Chinese, Spanish, and French users. The RAT abuses Android Accessibility Services for real-time control and targets nearly 200 banking apps and crypto wallets.
“By abusing Android’s Accessibility Services, the operators gain real-time control of the infected device,” reads the report published by Cleafy. “An investigation of the overlay attack payloads revealed an extensive list of global targets, including nearly 200 banking apps and cryptocurrency wallets.”
The experts also found new commands, which suggests the malware is under active development.
The malware uses a resilient multi-protocol C2 setup: heartbeat checks via HTTP/S, real-time commands via WebSocket (port 8282), and screen streaming via RTMP (port 1935).
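The three-channel C2 layout described above gives defenders a correlation rule to hunt for. The following Python script is an added example, not code from Cleafy or from this article: it scans a constructed, minimal tab-separated connection log (ts, src_ip, dst_ip, dst_port) and flags internal hosts that talked to the same external address on both the WebSocket port (8282) and the RTMP port (1935), noting whether HTTP/S traffic to that address was also seen. The log format, the sample IPs (documentation ranges) and the choice of 80/443 as the heartbeat ports are assumptions.

```python
# Added hunting example: flag hosts whose outbound connections match the
# multi-protocol C2 pattern reported for PlayPraetor (HTTP/S heartbeat,
# WebSocket on 8282, RTMP on 1935). The log format is a constructed,
# minimal tab-separated one (ts, src_ip, dst_ip, dst_port), not a real
# product's format; the IPs are documentation ranges.
from collections import defaultdict

WS_PORT = 8282          # WebSocket command channel (from the report)
RTMP_PORT = 1935        # RTMP screen-streaming channel (from the report)
HTTP_PORTS = {80, 443}  # heartbeat over HTTP/S (port choice is an assumption)

# Constructed sample: 10.0.0.5 shows the full pattern, 10.0.0.7 only the
# WebSocket port, 10.0.0.9 only RTMP (e.g. legitimate streaming).
SAMPLE_LOG = """\
1700000000\t10.0.0.5\t203.0.113.10\t443
1700000030\t10.0.0.5\t203.0.113.10\t8282
1700000031\t10.0.0.5\t203.0.113.10\t1935
1700000060\t10.0.0.5\t203.0.113.10\t443
1700000000\t10.0.0.7\t198.51.100.20\t443
1700000005\t10.0.0.7\t198.51.100.20\t8282
1700000010\t10.0.0.9\t192.0.2.33\t1935
"""


def parse_conn_log(text):
    """Yield (src, dst, dport) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, dport = line.split("\t")
        yield src, dst, int(dport)


def find_c2_candidates(text):
    """Group destination ports per (src, dst) pair and keep pairs that used
    BOTH the WebSocket and RTMP ports; 'heartbeat' records whether HTTP/S
    traffic to the same destination was also seen, which raises confidence."""
    ports = defaultdict(set)
    for src, dst, dport in parse_conn_log(text):
        ports[(src, dst)].add(dport)
    hits = {}
    for pair, seen in ports.items():
        if WS_PORT in seen and RTMP_PORT in seen:
            hits[pair] = {"ports": sorted(seen),
                          "heartbeat": bool(seen & HTTP_PORTS)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_c2_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

A hit is a triage lead, not a verdict: a legitimate streaming or WebSocket service on the same destination can also produce it, so confirm with the endpoint's installed apps and Accessibility Service grants.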
PlayPraetor has been misclassified as SpyNote in threat databases due to overlaps in infrastructure with other malware families used in concurrent campaigns.
PlayPraetor is a global Android malware campaign that began as a localized threat impersonating banking apps and expanded using over 16,000 fake Google Play Store URLs. The attackers trick users into downloading malicious apps or revealing sensitive data. The campaign includes five variants, Phish, RAT, PWA, Phantom (aka PlayPraetor), and Veil, each with its own attack method. Cleafy began analyzing the Phantom variant in April 2025, confirming fake Play Store pages as the primary distribution method.
“While technically PlayPraetor does not deviate from other modern Android banking trojans, implementing well-established techniques for On-Device Fraud through the abuse of Android’s Accessibility Services, its innovation lies in its operational model,” continues the report.
By May, activity surged in Southern Europe and LATAM, marking PlayPraetor’s evolution into a major global cyber threat.
The analysis of the PlayPraetor C2 panel, which is in Chinese, revealed it is a multi-tenant control hub for managing infected devices and running phishing campaigns.

It enables affiliates to operate independently while using shared infrastructure. Key features include real-time device control, app launching, data exfiltration, and impersonation tools. The panel also lets operators create fake Google Play-like pages to deliver malware.

Its modular, customizable design allows quick deployment of phishing pages using pre-registered domains, indicating a well-organized, professional threat operation.
“PlayPraetor represents another significant entry from Chinese-speaking threat actors into the global financial fraud landscape. This trend, exemplified by recent campaigns such as ToxicPanda and Supercard X, demonstrates an increasing interest from TAs in this region in developing and deploying sophisticated attack vectors against financial institutions worldwide,” concludes the report. “While technically PlayPraetor does not deviate from other modern Android banking trojans, implementing well-established techniques for On-Device Fraud through the abuse of Android’s Accessibility Services, its innovation lies in its operational model.”