Cybersecurity researchers have discovered a nascent Android remote access trojan (RAT) called PlayPraetor that has infected more than 11,000 devices, primarily across Portugal, Spain, France, Morocco, Peru, and Hong Kong.
“The botnet’s rapid growth, which now exceeds 2,000 new infections per week, is driven by aggressive campaigns focusing on Spanish and French speakers, indicating a strategic shift away from its previous common victim base,” Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said in an analysis of the malware.
PlayPraetor, managed by a Chinese command-and-control (C2) panel, does significantly deviate from other Android trojans in that it abuses accessibility services to gain remote control and can serve fake overlay login screens atop nearly 200 banking apps and cryptocurrency wallets in an attempt to hijack victim accounts.
PlayPraetor was first documented by CTM360 in March 2025, detailing the operation’s use of thousands of fraudulent Google Play Store download pages to perpetrate an interconnected large-scale scam campaign that can harvest banking credentials, monitor clipboard activity, and log keystrokes.
“The links to the impersonated Play Store pages are distributed through Meta Ads and SMS messages to effectively reach a wide audience,” the Bahrain-based company noted at the time. “These deceptive ads and messages trick users to click on the links, leading them to the fraudulent domains hosting the malicious APKs.”
Assessed to be a globally coordinated operation, PlayPraetor comes in five different variants that install deceptive Progressive Web Apps (PWAs), WebView-based apps (Phish), exploit accessibility services for persistent and C2 (Phantom), facilitate invite code-based phishing and trick users into purchasing counterfeit products (Veil), and grant full remote control via EagleSpy and SpyNote (RAT).
The Phantom variant of PlayPraetor, per the Italian fraud prevention company, is capable of on-device fraud (ODF) and is dominated by two principal affiliate operators who control about 60% of the botnet (roughly 4,500 compromised devices) and appear to center their efforts around Portuguese-speaking targets.
“Its core functionality relies on abusing Android’s accessibility services to gain extensive, real-time control over a compromised device,” Cleafy said. “This allows an operator to perform fraudulent actions directly on the victim’s device.”
 |
| Image Source: CTM360 |
Once installed, the malware beacons out to the C2 server via HTTP/HTTPS and makes use of a WebSocket connection to create a bidirectional channel to issue commands. It also sets up a Real-Time Messaging Protocol (RTMP) connection to initiate a video livestream of the infected device’s screen.
The evolving nature of the supported commands indicates that PlayPraetor is being actively developed by its operators, allowing for comprehensive data theft. In recent weeks, attacks distributing the malware have increasingly targeted Spanish- and Arabic-speaking victims, signaling a broader expansion of the malware-as-a-service (MaaS) offering.
The C2 panel, for its part, is not only used to actively interact with compromised devices in real-time, but also enable the creation of bespoke malware delivery pages that mimic Google Play Store on both desktop and mobile devices.
“The campaign’s success is built upon a well-established operational methodology, leveraging a multi-affiliate MaaS model,” Cleafy said. “This structure allows for broad and highly targeted campaigns.”
PlayPraetor is the latest malware originating from Chinese-speaking threat actors with an aim to conduct financial fraud, a trend exemplified by the emergence of ToxicPanda and SuperCard X over the past year.
ToxicPanda Evolves
According to data from Bitsight, ToxicPanda has compromised around 3,000 Android devices in Portugal, followed by Spain, Greece, Morocco and Peru. Campaigns distributing the malware have leveraged TAG-1241, a traffic distribution system (TDS), for malware distribution using ClickFix and fake Google Chrome update lures.
“This carefully orchestrated redirection is part of the TDS’s design to ensure that only selected targets are funneled to these malicious endpoints,” security researcher Pedro Falé said in a report last week.
The latest version of ToxicPanda improves upon its predecessors by incorporating a Domain Generation Algorithm (DGA) to establish C2 and enhance operational resilience in the face of infrastructure takedowns. Also baked into the malware are new commands to set a fallback C2 domain and better control malicious overlays.
DoubleTrouble Rises
The findings come as Zimperium disclosed another sophisticated Android banking trojan dubbed DoubleTrouble that has evolved beyond overlay attacks to record the device screen, log keystrokes, and run various commands for data exfiltration and entrenched device control.
Besides leaning heavily on abusing Android’s accessibility services to carry out its fraudulent activities, DoubleTrouble’s distribution strategy involves leveraging bogus websites that host malware samples directly within Discord channels.
“The new functionalities include: displaying malicious UI overlays to steal PIN codes or unlock patterns, comprehensive screen recording capabilities, the ability to block the opening of specific applications, and advanced keylogging functionality,” Zimperium zLabs researcher Vishnu Madhav said.
