PlayPraetor: New Android RAT Infects 11,000+ Devices with Real-Time On-Device Fraud
A new large-scale threat has emerged on the Android horizon, dubbed PlayPraetor—a sophisticated piece of malware capable of seizing full control over compromised devices. To date, over 11,000 devices have fallen under its sway, with the number increasing by approximately 2,000 each week. The primary targets are users in Spain, France, Portugal, Morocco, Peru, and Hong Kong, with a distinct focus on Spanish- and French-speaking victims, suggesting a strategic pivot by the operators.
What sets PlayPraetor apart is that it is not merely a remote access trojan; it embeds itself within the Android interface via Accessibility Services, granting it real-time control over the device. It intercepts user interactions and overlays counterfeit login forms atop nearly 200 legitimate banking and cryptocurrency applications—enabling stealthy account takeovers with minimal risk of detection.
The first detailed analysis of PlayPraetor surfaced in March 2025, courtesy of CTM360’s research. It revealed that the campaign leveraged an extensive network of fraudulent Google Play landing pages, directing victims to malicious APK files. These pages are promoted through Meta ads and mass SMS campaigns, creating a self-perpetuating loop: the victim clicks the link, downloads the app, and unwittingly becomes part of a botnet.
The operation is orchestrated through a Chinese C2 infrastructure and encompasses five distinct malware variants. Some masquerade as Progressive Web Apps (PWAs) or employ WebView to carry out phishing. Others offer fake products, bogus “invite codes,” or deliver full device control to the attackers via tools such as EagleSpy and SpyNote.
Of particular interest is the Phantom variant, tailored for on-device fraud and responsible for nearly 60% of the botnet’s activity, with a focus on Portuguese-speaking regions. Infected devices are manipulated in real time via a bidirectional WebSocket channel, while RTMP connections are used to livestream victims’ screens, granting attackers full visual oversight.
Upon installation, the malware establishes communication with its command server over HTTP/HTTPS, receiving directives that allow it to manage applications, monitor clipboard contents, log keystrokes, and deploy deceptive UI overlays. This highlights an ongoing evolution in its capabilities and a deliberate expansion of its data-theft arsenal.
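The two paragraphs above describe three distinct channels from an infected device: an HTTP/HTTPS beacon for commands, a bidirectional WebSocket control channel, and an RTMP stream of the victim's screen. From a detection standpoint that combination, all terminating at the same external host, is unusual for a legitimate app. The following Python routine, added here as an illustration and not code from the article, CTM360, or any vendor product, triages egress-proxy records for that pairing. The log format, device ids, hostnames and allowlist are all constructed for the example; none of them is a real indicator from the campaign.

```python
"""Added example (not part of the article or any vendor tooling): a small
egress-log triage routine for the channel combination the article describes,
an HTTP/HTTPS beacon, a bidirectional WebSocket control channel and an RTMP
screen stream from the same device to the same external host.  Every log line,
device id and hostname below is constructed for the example; none is a real
indicator from the campaign."""

import re
from collections import defaultdict

# Constructed egress-proxy / flow records: timestamp, device id, scheme, destination host, port.
SAMPLE_FLOWS = """\
2025-08-01T10:00:01Z dev-a1 https api.bank-example.test 443
2025-08-01T10:00:05Z dev-a1 https play.googleapis.com 443
2025-08-01T10:01:00Z dev-b2 https cdn-update.example.invalid 443
2025-08-01T10:01:02Z dev-b2 wss   cdn-update.example.invalid 443
2025-08-01T10:01:09Z dev-b2 rtmp  cdn-update.example.invalid 1935
2025-08-01T10:02:00Z dev-c3 wss   chat.example.test 443
2025-08-01T10:02:30Z dev-c3 rtmp  live.streaming-example.test 1935
2025-08-01T10:03:00Z dev-d4 rtmp  relay.example.invalid 1935
this line is malformed and must be skipped
"""

# Hosts the organisation expects its devices to reach over these protocols (constructed).
ALLOWLIST = {
    "play.googleapis.com",
    "api.bank-example.test",
    "chat.example.test",
    "live.streaming-example.test",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<scheme>https?|wss?|rtmp)\s+(?P<host>\S+)\s+(?P<port>\d+)$"
)

# Map each scheme onto the role it plays in the article's description of the malware.
CHANNEL_ROLE = {"http": "beacon", "https": "beacon", "ws": "control", "wss": "control", "rtmp": "stream"}


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def channel_roles(records):
    """Group flows by (device, host) and collect which channel roles each pair exhibits."""
    roles = defaultdict(set)
    for rec in records:
        roles[(rec["device"], rec["host"])].add(CHANNEL_ROLE[rec["scheme"]])
    return roles


def find_suspects(records, allowlist=ALLOWLIST):
    """Return findings sorted by (device, host).

    high: control channel and screen stream to the same non-allowlisted host,
          the pairing the article attributes to the Phantom variant.
    low:  a screen stream (RTMP) to a non-allowlisted host with no control
          channel; worth a look, but legitimate streaming apps produce it too.
    """
    findings = []
    for (device, host), roles in sorted(channel_roles(records).items()):
        if host in allowlist:
            continue
        if {"control", "stream"} <= roles:
            confidence = "high"
        elif "stream" in roles:
            confidence = "low"
        else:
            continue
        findings.append({"device": device, "host": host, "roles": sorted(roles), "confidence": confidence})
    return findings


if __name__ == "__main__":
    for f in find_suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['confidence']:>4}  {f['device']}  {f['host']}  {'+'.join(f['roles'])}")
```

The same-host requirement keeps the rule quiet: a device that chats over WebSocket with one service and streams to another (dev-c3 above) produces nothing, while the device whose beacon, control channel and screen stream all converge on one unknown host is reported with high confidence. Operators can of course split those channels across hosts, so this is a triage heuristic that surfaces devices for closer inspection, not a signature for the malware.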
The malware’s backend infrastructure empowers operators not only to coordinate infected devices but also to craft bespoke fraudulent Google Play pages—customized by language, device type, and attack scenario. This adaptability reflects a robust, mature Malware-as-a-Service (MaaS) model, enabling multiple affiliated threat groups to execute highly targeted campaigns.
PlayPraetor is not alone. It belongs to a broader ecosystem of financially motivated malware attributed to Chinese-speaking developers, which also includes recent threats such as ToxicPanda and SuperCard X.
Together, these developments underscore a troubling trend: the Android ecosystem has become a battleground for increasingly sophisticated attacks—fusing classic phishing techniques, remote access tools, visual hijacking, and interface manipulation. The objective remains unchanged: to deceive, infiltrate, and exfiltrate sensitive banking data while evading the device’s built-in defenses.