
Experts from Cleafy discovered a new Android Trojan called PlayPraetor. According to their data, it has already infected over 11,000 devices, with more than 2,000 new infections recorded each week.
Currently the malware is concentrated among users in Portugal, Spain, France, Morocco, Peru, and Hong Kong, but researchers also report active campaigns aimed at Spanish-speaking and French-speaking audiences, which means the operators are trying to shift away from their earlier victim base.
Furthermore, in recent weeks the malware has increasingly spread among Spanish-speaking and Arabic-speaking users, which, according to the researchers, suggests that PlayPraetor now operates under a MaaS (Malware-as-a-Service) model.
Experts report that PlayPraetor connects to a command server located in China and does not differ significantly from other Android trojans: it abuses Accessibility services to gain remote control over the device (no vulnerability is exploited; the user is tricked into granting the permission) and is also capable of overlaying phishing screens on top of nearly 200 banking applications and cryptocurrency wallets to steal credentials.

PlayPraetor was first discovered by the company CTM360 in March 2025. At that time, researchers noted that attackers were using thousands of fake pages disguised as the Google Play Store to spread the malware. This scheme allows the malware operators to steal banking credentials, monitor clipboard contents, and intercept keystrokes.
“Links to fake Google Play Store pages are distributed through advertisements on social media and via SMS messages, which helps attackers reach a wider audience,” the researchers explained. “Fake ads and messages prompt users to click on links that lead to sites with malicious APK files.”
Experts report that PlayPraetor exists in five variants:
- PWA — installs fake Progressive Web Apps;
- Phish — based on WebView applications;
- Phantom — uses Accessibility services for constant device monitoring and communication with a command server;
- Veil — gates its phishing pages behind invitation codes and advertises fake products;
- EagleSpy/SpyNote — RAT variants with full remote access.

According to Cleafy, the Phantom variant carries out fraud directly on the victim’s device (on-device fraud, ODF). It is run by two key affiliates, who control approximately 60% of the botnet (about 4,500 infected devices), and their activity is primarily focused on Portuguese-speaking countries.
“The primary functionality is based on the abuse of Accessibility services in Android, which gives operators extensive and almost instantaneous control over the infected device,” noted Cleafy. “This allows for fraudulent activities to be carried out directly from the victim’s device.”
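Because the Phantom variant depends on an enabled Accessibility service in an app the victim sideloaded from a fake store page, a quick triage on a suspect handset is to list the enabled accessibility services and check which of them belong to packages that did not come from a trusted store. The script below is an added example written for this article, not code from Cleafy or from the report; it parses the text of two adb commands whose output formats are assumed to be the usual ones (`settings get secure enabled_accessibility_services` returns colon-separated `pkg/cls` entries, `pm list packages -i` prints `package:<pkg>  installer=<installer or null>`), and the sample outputs, the allowlists and the package name `com.example.playstore.update` are constructed for the example.

```python
"""Triage enabled Android accessibility services against their install source.

Added example for this article, not code from Cleafy or the PlayPraetor report.
Inputs are the raw text of:
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/cls:pkg/cls"  (colon-separated; may be "null" or empty)  [assumed format]
  adb shell pm list packages -i
      -> "package:<pkg>  installer=<installer-or-null>" per line        [assumed format]
The sample outputs and the allowlists below are constructed for the example.
"""
from __future__ import annotations

# Accessibility services a defender would normally expect on a handset
# (assumption for the example; extend with the fleet's known screen readers).
KNOWN_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}

# Installer packages treated as trusted app stores (assumption for the example).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output, as a compromised device might show it.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.playstore.update/.AccService"
)
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.playstore.update  installer=null
"""


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split 'pkg/cls:pkg/cls' into (package, fully qualified class) pairs."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        # Android abbreviates 'pkg/pkg.Cls' as 'pkg/.Cls'; expand it back.
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(pm_output: str) -> dict[str, str | None]:
    """Map package name -> installer package (None when sideloaded or unknown)."""
    installers: dict[str, str | None] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        inst = rest.strip()
        installers[pkg.strip()] = None if inst in ("", "null") else inst
    return installers


def triage(setting_value: str, pm_output: str) -> list[dict]:
    """Return one finding per enabled accessibility service outside the allowlist.

    A service whose package has no trusted installer is marked sideloaded,
    which is the PlayPraetor delivery pattern (APK from a fake Play Store page).
    """
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg in KNOWN_ACCESSIBILITY_PACKAGES:
            continue
        installer = installers.get(pkg)
        findings.append({
            "package": pkg,
            "service": cls,
            "installer": installer,
            "sideloaded": installer not in TRUSTED_INSTALLERS,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SETTING, SAMPLE_PM):
        print(finding)
```

A sideloaded package with an enabled accessibility service is not proof of infection (some legitimate automation and screen-reader apps are distributed outside the store), so treat the output as a lead for pulling the APK and checking its signer and requested permissions rather than as a verdict.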
After installation, the malware connects to the command server via HTTP/HTTPS and establishes a WebSocket connection for bidirectional command transmission. An RTMP session (Real-Time Messaging Protocol) is also initiated, allowing the attackers to view a live stream of everything happening on the infected device’s screen.
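The three channels described above (an HTTP/HTTPS check-in, a WebSocket for bidirectional commands, and an RTMP session for live screen streaming) all terminate at the same command server, which is a more distinctive network signature than any one of them alone. The script below is an added example written for this article, not code from Cleafy; it correlates those three signals per (client, server) pair over a handful of constructed proxy and flow records in a simplified schema chosen for the example (one dict per record, with `host` assumed to be filled in from SNI or DNS for plain TCP flows). RTMP is recognised by its registered default port 1935, and the hostnames and addresses are made up.

```python
"""Correlate PlayPraetor-style multi-channel C2 per (client, server) pair.

Added example for this article, not code from the Cleafy report. The report
describes three channels to the C2: HTTP/HTTPS check-in, a WebSocket for
commands, and an RTMP session for screen streaming. This correlates records
in a simplified schema constructed for the example:
  {"kind": "http", "src", "host", "dport", "method", "upgrade"}  proxy transaction
  {"kind": "conn", "src", "host", "dport"}                        plain TCP flow
"""
from __future__ import annotations
from collections import defaultdict

RTMP_PORT = 1935  # registered default port for RTMP

# Constructed sample records (not real telemetry). 10.0.0.7 shows all three
# channels to one host; the other clients show only one signal each.
SAMPLE_RECORDS = [
    {"kind": "http", "src": "10.0.0.7", "host": "cdn.example.net", "dport": 443, "method": "GET", "upgrade": ""},
    {"kind": "http", "src": "10.0.0.7", "host": "c2.example.test", "dport": 80, "method": "POST", "upgrade": ""},
    {"kind": "http", "src": "10.0.0.7", "host": "c2.example.test", "dport": 80, "method": "GET", "upgrade": "websocket"},
    {"kind": "conn", "src": "10.0.0.7", "host": "c2.example.test", "dport": RTMP_PORT},
    {"kind": "http", "src": "10.0.0.9", "host": "c2.example.test", "dport": 80, "method": "POST", "upgrade": ""},
    {"kind": "conn", "src": "10.0.0.12", "host": "live.example.org", "dport": RTMP_PORT},
]


def channel_of(rec: dict) -> str | None:
    """Map one record to the C2 channel it evidences, or None if it is neither."""
    if rec["kind"] == "conn" and rec.get("dport") == RTMP_PORT:
        return "rtmp"
    if rec["kind"] == "http":
        # A WebSocket starts as an HTTP request carrying "Upgrade: websocket".
        if rec.get("upgrade", "").lower() == "websocket":
            return "websocket"
        # Treat a plain POST as a candidate check-in; this is the noisiest signal.
        if rec.get("method") == "POST":
            return "http_checkin"
    return None


def correlate(records: list[dict]) -> dict[tuple[str, str], set[str]]:
    """Return {(client, server): set of channels seen between them}."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for rec in records:
        channel = channel_of(rec)
        if channel:
            seen[(rec["src"], rec["host"])].add(channel)
    return seen


def score(records: list[dict], threshold: int = 3) -> list[tuple[tuple[str, str], list[str]]]:
    """Pairs with at least `threshold` distinct channels, most channels first."""
    hits = [
        (pair, sorted(channels))
        for pair, channels in correlate(records).items()
        if len(channels) >= threshold
    ]
    return sorted(hits, key=lambda hit: (-len(hit[1]), hit[0]))


if __name__ == "__main__":
    for pair, channels in score(SAMPLE_RECORDS):
        print(pair, channels)
```

With the default threshold only the client that opened all three channels to the same server is reported; lowering the threshold surfaces partial matches such as a lone RTMP session, which on a corporate network is worth a look on its own because few mobile apps have any reason to push RTMP. In production the POST-based check-in signal needs a mobile-device filter and an allowlist for legitimate streaming destinations to keep the false-positive rate down.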
The list of commands the Trojan supports is constantly expanding, which indicates that the malware is under active development.
“The success of this campaign is based on a well-tuned operational structure and a malware-as-a-service model involving multiple affiliates,” note Cleafy researchers. “This structure enables large-scale and targeted campaigns.”
