Android Trojan ‘PlayPraetor’ Infects Over 11,000 Devices
A newly discovered Android Trojan named PlayPraetor has infected more than 11,000 devices, according to security experts at Cleafy. The malware continues to spread rapidly, with an estimated 2,000 new infections reported each week.
At present, the Trojan is targeting users in Portugal, Spain, France, Morocco, Peru, and Hong Kong, with active campaigns heavily focused on Spanish and French-speaking regions. This shift in targeting suggests that PlayPraetor’s operators are expanding beyond their initial victim profiles and adapting their approach to new linguistic demographics.
Notably, recent spikes in infections among Spanish and Arabic-speaking users further support the theory that PlayPraetor has transitioned into a Malware-as-a-Service (MaaS) model—where threat actors license the malware to affiliates in exchange for a share of profits or fees.

Technical Capabilities and Behavior
PlayPraetor communicates with a command-and-control (C2) server located in China and exhibits behavior common to other Android-based Trojans. It abuses Accessibility Services to gain deep control over infected devices and can overlay fake login screens on nearly 200 banking apps and cryptocurrency wallets to steal credentials.
Once installed, it establishes persistent communication with its C2 infrastructure via HTTP/HTTPS and opens a WebSocket connection to receive real-time instructions. In addition, it initiates a Real-Time Messaging Protocol (RTMP) session, enabling attackers to live-stream the victim’s screen activity.
Researchers warn that the Trojan’s command library is expanding, signaling ongoing development and support from its creators.
Initial Discovery and Distribution Tactics
PlayPraetor was first identified by CTM360 in March 2025, during an investigation into fraudulent mobile applications. At the time, attackers were distributing the Trojan through thousands of fake websites posing as the Google Play Store. These pages delivered malicious APK files, often disguised as legitimate apps.
Attackers promoted these fake sites using social media ads and SMS phishing messages, funneling unsuspecting users toward the malware.
“Links to counterfeit Play Store pages are widely shared through paid ads and SMS campaigns,” Cleafy researchers explained. “These messages lure users into downloading malware under the guise of trusted software.”
Once installed, PlayPraetor can:
- Steal banking credentials
- Monitor clipboard activity (e.g., for copied passwords or wallet addresses)
- Log keystrokes in real time
Five Known Variants of PlayPraetor
Security analysts have identified five distinct variants of the Trojan, each with unique attack vectors:
- PWA – Disguised as Progressive Web Apps, these versions install fake app shells.
- Phish – Built with WebView to load phishing content inside a native app wrapper.
- Phantom – The most advanced variant, which abuses Accessibility Services for persistent control and C2 communication.
- Veil – Distributed through invite-only links; used for fake products and phishing scams.
- EagleSpy/SpyNote – Remote Access Trojan (RAT) versions offering full device control, including surveillance capabilities.

Among these, the Phantom variant is the most widespread and dangerous. It’s responsible for on-device fraud (ODF) and is actively maintained by two major threat actor groups, who reportedly control around 60% of the entire botnet—equating to roughly 4,500 devices, primarily in Portuguese-speaking regions.
“Phantom relies on Android’s Accessibility Services to carry out actions almost instantly, from the victim’s own device,” said Cleafy. “That makes it harder to detect and disrupt.”
Why PlayPraetor Matters
What makes PlayPraetor particularly dangerous isn’t just its technical sophistication—it’s the industrialized nature of its operations. The MaaS model enables affiliates to launch localized, targeted attacks at scale without writing a single line of code.
Researchers stress that the infrastructure behind PlayPraetor is mature, organized, and growing. Its expansion into multiple languages and regions, combined with rapid feature development and affiliate support, mirrors patterns seen in other major malware campaigns like Hydra and Alien.
“This campaign’s success is tied to a well-run operation, complete with affiliate distribution, ongoing support, and multilingual attack kits,” Cleafy concluded.
Practical Takeaways
If you're an Android user, here are a few simple ways to reduce the risk of infection:
- Avoid sideloading apps (never install APKs from unofficial websites or messages).
- Stick to official app stores like Google Play, and verify publisher reputations.
- Disable Accessibility Services for apps that don’t require them.
- Install reputable antivirus software that offers real-time threat detection.
- Regularly review app permissions, especially those with access to screen capture, SMS, and Accessibility.
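As an added defender-side check (not part of Cleafy's or CTM360's reporting), the POSIX shell snippet below combines two of the takeaways above: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and lists apps that were both sideloaded (installer not Google Play) and currently hold an enabled accessibility service, the combination PlayPraetor's Phantom variant depends on. The embedded command output is constructed sample data, and the `package:... installer=...` line format is assumed from what `pm` prints on current Android builds.

```shell
# Constructed sample of `adb shell pm list packages -i` output (not from a real device).
SAMPLE_PACKAGES='package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.fake.playstore  installer=null
package:com.example.wallet  installer=com.example.downloader'

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y='com.fake.playstore/com.fake.playstore.AccessService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Packages whose recorded installer is not Google Play (installer=null means a
# sideloaded APK; any other value is a third-party store or downloader app).
sideloaded_packages() {
    printf '%s\n' "$1" | awk '/^package:/ && $2 != "installer=com.android.vending" {
        sub(/^package:/, "", $1); print $1 }'
}

# Packages that currently hold an enabled accessibility service (the setting is
# a colon-separated list of package/service entries).
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# Intersection of the two lists: sideloaded apps that also have accessibility
# access. These are the first packages to review or uninstall.
review_candidates() {
    a11y=$(accessibility_packages "$2")
    for pkg in $(sideloaded_packages "$1"); do
        for ap in $a11y; do
            if [ "$pkg" = "$ap" ]; then echo "$pkg"; fi
        done
    done
}

# Stand-alone run against the constructed samples; on a real device feed in the
# output of the two adb commands instead.
review_candidates "$SAMPLE_PACKAGES" "$SAMPLE_A11Y"
```

A hit here is a review prompt, not proof of infection: legitimate screen readers and automation tools also use accessibility services, so check the installer source and the app's origin before removing anything.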
Final Note
PlayPraetor is a textbook example of how modern malware campaigns now operate more like startups than scripts. Backed by professional infrastructure and designed for affiliate distribution, it signals yet another step toward the commoditization of mobile cybercrime.
As researchers continue to analyze its variants and C2 traffic, one thing is clear: PlayPraetor is not just a threat—it’s a product.