

Ethical Hacking News

PlayPraetor Android RAT: A Global Cyber Threat Expanding Across Spanish and French-Speaking Regions




A new Android malware campaign known as PlayPraetor has been identified by researchers, infecting over 11,000 devices across Spanish and French-speaking regions. The malware uses real-time control via Android Accessibility Services and targets nearly 200 banking apps and crypto wallets. With its multi-tenant C2 setup and fake Google Play Store URLs, this campaign is expanding rapidly into a major global cyber threat.

  • The PlayPraetor Android RAT has infected over 11,000 devices in Spanish and French-speaking regions.
  • The malware targets nearly 200 banking apps and crypto wallets using Android Accessibility Services for real-time control.
  • The PlayPraetor campaign uses a resilient multi-protocol C2 setup with various attack methods across five variants.
  • The malware operators have set up an infrastructure allowing them to distribute malicious code across various devices without individual management.
  • The majority of infections are in Europe, particularly Portugal, Spain, and France.



    In a recent report published by Cleafy, researchers have identified a new Android malware campaign known as PlayPraetor, which has been spreading rapidly across Spanish and French-speaking regions. According to the experts, the malware has infected over 11,000 devices, primarily in Portugal, Spain, France, Morocco, Peru, and Hong Kong.

    The PlayPraetor Android RAT is managed via a Chinese-language C2 panel with a multi-tenant setup, enabling multiple affiliates to run campaigns simultaneously. This means that the malware operators have set up an infrastructure that allows them to distribute malicious code across various devices without having to manage each device individually. Most of the victims are in Europe, with 58% of infections in Portugal, Spain, and France, followed by Morocco, Peru, and Hong Kong.

    Two main operators dominate 60% of the botnet, focusing on Portuguese speakers, while smaller affiliates target Chinese, Spanish, and French users. This suggests that the malware has been tailored to exploit vulnerabilities specific to certain regions or languages.

    The PlayPraetor RAT abuses Android Accessibility Services for real-time control and targets nearly 200 banking apps and crypto wallets. By using these services, the attackers gain a high level of control over the infected device, allowing them to carry out malicious activities such as data exfiltration, app launching, and the use of impersonation tools.

    The malware uses a resilient multi-protocol C2 setup: heartbeat checks via HTTP/S, real-time commands via WebSocket (port 8282), and screen streaming via RTMP (port 1935). This allows the attackers to maintain communication with infected devices remotely and perform various malicious activities in real-time.
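A defender-side heuristic built on the channel set described above, as an added example that is not from Cleafy's report or the original article: it groups flow records by device and remote host and rates pairs that show the WebSocket (8282) and RTMP (1935) ports, with HTTP/S heartbeats raising confidence. The flow-record format, the sample addresses and the scoring levels are assumptions constructed for illustration; only the ports come from the article.

```python
from collections import defaultdict

# Ports named in the article; everything else below is an assumption of this example.
WS_PORT, RTMP_PORT, HEARTBEAT_PORTS = 8282, 1935, {80, 443}

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
1754300000 10.0.0.21 203.0.113.10 443 tcp
1754300030 10.0.0.21 203.0.113.10 8282 tcp
1754300095 10.0.0.21 203.0.113.10 1935 tcp
1754300100 10.0.0.34 198.51.100.7 1935 tcp
1754300200 10.0.0.55 192.0.2.44 8282 tcp
1754300210 10.0.0.55 192.0.2.44 443 tcp
1754300300 10.0.0.21 203.0.113.10 443 udp
malformed line
"""

def parse_flows(text):
    """Yield (ts, src, dst, port) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp":
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def score_pairs(flows):
    """Group by (device, remote host); rate how much of the channel set appears."""
    seen = defaultdict(set)
    for _ts, src, dst, port in flows:
        if port == WS_PORT:
            seen[(src, dst)].add("websocket")
        elif port == RTMP_PORT:
            seen[(src, dst)].add("rtmp")
        elif port in HEARTBEAT_PORTS:
            seen[(src, dst)].add("heartbeat")
    findings = {}
    for pair, chans in seen.items():
        if {"websocket", "rtmp"} <= chans:
            findings[pair] = "high" if "heartbeat" in chans else "medium"
        elif {"websocket", "heartbeat"} <= chans:
            findings[pair] = "low"  # control channel seen, no streaming yet
    return findings

if __name__ == "__main__":
    for (src, dst), level in score_pairs(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{level:6} {src} -> {dst}")
```

RTMP on its own is ordinary streaming traffic, which is why the 1935-only pair in the sample is not reported; the signal is the combination toward a single remote host.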

    PlayPraetor has been misclassified as SpyNote in threat databases due to overlaps in infrastructure with other malware families used in concurrent campaigns. However, experts have noted that while it shares some similarities with other malware families, its operational model is distinct.

    The malware campaign began as a localized threat impersonating banking apps and expanded using over 16,000 fake Google Play Store URLs. The attackers trick users into downloading malicious apps or revealing sensitive data. The campaign includes five variants: Phish, RAT, PWA, Phantom (aka PlayPraetor), and Veil.

    Each variant has a unique attack method, which further complicates the analysis of this malware. Cleafy began analyzing the Phantom variant in April 2025, confirming fake Play Store pages as the primary distribution method.

    By May, activity surged in Southern Europe and LATAM, marking PlayPraetor’s evolution into a major global cyber threat. The researchers have noted that while technically PlayPraetor does not deviate from other modern Android banking trojans, its innovative use of Android Accessibility Services for real-time control makes it stand out.

    The analysis of the PlayPraetor C2 panel revealed it is a multi-tenant control hub for managing infected devices and running phishing campaigns. This setup enables affiliates to operate independently while using shared infrastructure. Key features include real-time device control, app launching, data exfiltration, and impersonation tools.

    The panel also lets operators create fake Google Play-like pages to deliver malware, further underscoring the sophistication of this campaign.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/PlayPraetor-Android-RAT-A-Global-Cyber-Threat-Expanding-Across-Spanish-and-French-Speaking-Regions-ehn.shtml

  • https://securityaffairs.com/180760/malware/playpraetor-android-rat-expands-rapidly-across-spanish-and-french-speaking-regions.html


  • Published: Mon Aug 4 09:51:57 2025 by llama3.2 3B Q4_K_M












