PlayPraetor Android RAT Spreads Fast in Spanish and French-Speaking Region

Security researchers at Cleafy have uncovered a rapidly spreading Android remote access trojan (RAT) named PlayPraetor, which has infected over 11,000 devices across countries including Portugal, Spain, France, Morocco, Peru, and Hong Kong. The malware is gaining traction particularly among Spanish and French-speaking users, with more than 2,000 new infections reported each week. 

PlayPraetor is controlled through a Chinese-language command-and-control (C2) panel featuring a multi-tenant system that allows several threat actors to run their own campaigns. The majority of infections, about 58%, are concentrated in Portugal, Spain, and France. Two main operators are responsible for over 60% of the botnet, primarily targeting Portuguese speakers, while others focus on users who speak Chinese, Spanish, or French.

The malware exploits Android’s Accessibility Services to gain real-time access to infected devices. It is capable of targeting around 200 banking apps and cryptocurrency wallets, making it a potent tool for financial fraud. Cleafy researchers have noted ongoing development activity, with new commands added to the malware’s capabilities. 

 

PlayPraetor uses a robust C2 infrastructure that includes heartbeat signals via HTTP/S, real-time communication through WebSocket (port 8282), and screen sharing over RTMP (port 1935). Although it shares some characteristics with other malware like SpyNote, its infrastructure and distribution methods are distinct enough to classify it as a separate threat. 
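A hunting heuristic built on the two ports named above, added here as an example and not taken from Cleafy's report: it flags devices that open outbound TCP connections to both 8282 and 1935 within a short window. The flow-log columns, the 10-minute window, and the sample records are assumptions constructed for illustration; a hit is a lead for review, not a verdict.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article attributes to PlayPraetor's C2 channels.
WEBSOCKET_PORT = 8282   # real-time command channel
RTMP_PORT = 1935        # screen-sharing stream
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample flow records (documentation-range IPs), not real telemetry.
SAMPLE_FLOWS = """ts,src,dst,dport,proto
2025-05-01T10:00:05,10.0.0.21,203.0.113.10,443,tcp
2025-05-01T10:00:09,10.0.0.21,203.0.113.10,8282,tcp
2025-05-01T10:03:40,10.0.0.21,203.0.113.11,1935,tcp
2025-05-01T10:01:00,10.0.0.35,198.51.100.7,1935,tcp
2025-05-01T10:02:00,10.0.0.48,198.51.100.9,8282,tcp
2025-05-01T13:30:00,10.0.0.48,198.51.100.9,1935,tcp
2025-05-01T10:05:00,10.0.0.21,203.0.113.10,1935,udp
"""


def hunt_dual_channel(flow_csv, window=WINDOW):
    """Return {src: sorted destination list} for devices that opened TCP
    connections to both the WebSocket and RTMP ports within `window`."""
    seen = defaultdict(lambda: {WEBSOCKET_PORT: [], RTMP_PORT: []})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dport"])
        if row["proto"].lower() != "tcp" or port not in (WEBSOCKET_PORT, RTMP_PORT):
            continue
        seen[row["src"]][port].append((datetime.fromisoformat(row["ts"]), row["dst"]))

    hits = {}
    for src, by_port in seen.items():
        dsts = set()
        # Pair every 8282 connection with every 1935 connection from the same device.
        for ws_ts, ws_dst in by_port[WEBSOCKET_PORT]:
            for rtmp_ts, rtmp_dst in by_port[RTMP_PORT]:
                if abs(ws_ts - rtmp_ts) <= window:
                    dsts.update((ws_dst, rtmp_dst))
        if dsts:
            hits[src] = sorted(dsts)
    return hits


if __name__ == "__main__":
    for src, dsts in hunt_dual_channel(SAMPLE_FLOWS).items():
        print(f"review {src}: 8282+1935 within window -> {', '.join(dsts)}")
```

Either port alone is common in legitimate traffic (RTMP streaming in particular), so the value is in the combination from a single mobile device.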

Initially, PlayPraetor impersonated banking apps to trick users into downloading malicious software. It has since evolved, using over 16,000 fake Google Play Store URLs. The campaign includes five variants: Phish, RAT, PWA, Phantom (aka PlayPraetor), and Veil, each with unique attack methods. Cleafy began monitoring the Phantom variant in April 2025, identifying fake Play Store pages as the primary vector.

By May, infections had surged in Southern Europe and Latin America, signaling the malware’s transformation into a global threat. The C2 panel, which supports phishing and device control, enables threat actors to create fake Play Store pages using a modular, customizable framework with pre-registered domains, highlighting the operation’s level of sophistication. 

Cleafy concludes that PlayPraetor is a notable example of Chinese-speaking threat actors making a significant impact on global financial fraud, reflecting a growing focus on complex, large-scale cybercrime operations. 

 
