
Cybersecurity researchers have discovered a new Android remote access trojan (RAT) called PlayPraetor, which has infected more than 11,000 devices, mainly in Portugal, Spain, France, Morocco, Peru, and Hong Kong.
“The rapid growth of botnets, which is currently over 2,000 new infections per week, is driven by an aggressive campaign focused on Spanish and French speakers, indicating a strategic shift from previous victim bases.”
Managed through a Chinese-language command-and-control (C2) panel, PlayPraetor is a major departure from other Android trojans in that it abuses accessibility services to gain remote control and displays fake overlay login screens on nearly 200 banking apps and cryptocurrency wallets in an attempt to hijack victims' accounts.
PlayPraetor was first documented by CTM360 in March 2025, which detailed its use of thousands of fraudulent Google Play Store download pages to harvest banking credentials, monitor clipboard activity, and log keystrokes as part of a massive, interconnected fraud campaign.
“Links to impersonated playstore pages are distributed through Meta ads and SMS messages to effectively reach a wide range of audiences,” the Bahrain-based company said at the time. “These deceptive ads and messages lead users to fraudulent domains that trick users into clicking on links and host malicious APKs.”

Described as a globally coordinated operation, PlayPraetor comes in five variants: one that leverages fake progressive web apps (PWA), a WebView-based app (PHISH), one that abuses accessibility services for persistence and C2 (Phantom), and others that rely on invitation-code-based phishing to trick users.
According to the Italian fraud prevention company Cleafy, PlayPraetor's Phantom variant is capable of on-device fraud (ODF) and is dominated by two major affiliate operators who control about 60% of the botnet (about 4,500 compromised devices) and focus on Portuguese-speaking targets.
“Its core functionality relies on the abuse of Android’s accessibility services to control compromised devices at scale in real time,” Cleafy said. “This allows operators to perform fraudulent actions directly on the victim’s device.”
Image source: CTM360
Once installed, the malware beacons to the C2 server via HTTP/HTTPS and creates a bi-directional channel for issuing commands using WebSocket connections. It also sets up a Real-Time Messaging Protocol (RTMP) connection to start a live video stream of the screen of an infected device.
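As an added example (not from the article or the vendors it cites), the following Python correlates that three-channel pattern in flow logs: a device that beacons over HTTP/HTTPS, opens a WebSocket channel and starts an RTMP stream to the same host within a short window. The log format, hostnames and the ten-minute window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "<ISO timestamp> <source device> <protocol> <dst host>:<port> <uri>"
SAMPLE_LOGS = """\
2025-08-01T10:00:01Z phone-a1 HTTPS c2.example.invalid:443 /api/register
2025-08-01T10:00:03Z phone-a1 WS c2.example.invalid:443 /ws
2025-08-01T10:00:05Z phone-a1 RTMP c2.example.invalid:1935 rtmp://c2.example.invalid/live/a1
2025-08-01T10:01:00Z phone-b2 HTTPS cdn.vendor.invalid:443 /app/update
2025-08-01T10:02:00Z phone-b2 WS cdn.vendor.invalid:443 /push
2025-08-01T10:02:30Z laptop-c3 RTMP stream.vendor.invalid:1935 rtmp://stream.vendor.invalid/live/x
2025-08-01T12:30:00Z laptop-c3 HTTPS stream.vendor.invalid:443 /login
2025-08-01T12:30:05Z laptop-c3 WS stream.vendor.invalid:443 /ws
"""

# Assumed log layout; adapt the regex to the proxy or NetFlow export actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<uri>\S+)$"
)
# Map wire protocols onto the three C2 channels described for PlayPraetor.
CHANNELS = {"HTTP": "beacon", "HTTPS": "beacon", "WS": "websocket", "RTMP": "rtmp"}
REQUIRED = {"beacon", "websocket", "rtmp"}


def parse_lines(text):
    """Yield (timestamp, src, dst, channel) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] not in CHANNELS:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["src"], m["dst"], CHANNELS[m["proto"]]


def find_c2_triads(text, window_minutes=10):
    """Return the set of (src, dst) pairs that used all three channels within the window."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for ts, src, dst, chan in parse_lines(text):
        events[(src, dst)].append((ts, chan))
    hits = set()
    for pair, evs in events.items():
        evs.sort()  # chronological, so each start index opens a forward-looking window
        for i, (t0, _) in enumerate(evs):
            chans = {c for t, c in evs[i:] if t - t0 <= window}
            if REQUIRED <= chans:
                hits.add(pair)
                break
    return hits
```

Only phone-a1 is flagged with the default window: phone-b2 never opens an RTMP stream, and laptop-c3's three channels are hours apart.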
The evolving set of supported commands indicates that PlayPraetor is under active development by its operators, enabling comprehensive data theft. In recent weeks, attacks distributing the malware have increasingly targeted Spanish- and Arabic-speaking victims, indicating a broader expansion of the malware-as-a-service (MaaS) offering.
The C2 panel is not only used to actively interact with compromised devices in real time, but also allows for the creation of bespoke malware delivery pages that mimic the Google Play Store on both desktop and mobile devices.

“The success of the campaign is built on a well-established operational methodology and leverages the multi-affiliate MaaS model,” Cleafy said. “This structure allows for a wide range of targeted campaigns.”
PlayPraetor is the latest malware from Chinese-speaking threat actors aiming at financial fraud, a trend exemplified by the appearance of ToxicPanda and SuperCard X over the past year.
ToxicPanda Evolves
According to Bitsight data, ToxicPanda has compromised around 3,000 Android devices in Portugal, followed by Spain, Greece, Morocco and Peru. The distribution campaign relies on TAG-1241, a traffic distribution system (TDS), to deliver the malware using ClickFix and a fake Google Chrome update lure.

“This carefully coordinated redirection is part of the design of TDS, which ensures that only selected targets are focused on these malicious endpoints,” security researcher Pedro Falé said in a report last week.

The latest version of ToxicPanda improves on its predecessor by incorporating a domain generation algorithm (DGA) to establish C2 communications, increasing its operational resilience in the face of infrastructure takedowns. New commands have also been added to the malware to set up a fallback C2 domain and to provide finer control over the malicious overlays.
DoubleTrouble Rises
The findings come as Zimperium uncovered another sophisticated Android banking trojan called DoubleTrouble, which goes beyond overlay attacks to record the device screen, log keystrokes, and execute various commands for data theft and entrenched device control.
In addition to its heavy reliance on abusing Android accessibility services to carry out fraudulent activity, DoubleTrouble's distribution strategy includes leveraging fake websites and hosting malware samples directly in Discord channels.

“New features include stealing pincodes, displaying malicious UI overlays that unlock patterns, comprehensive screen recording capabilities, blocking the opening of certain applications, and advanced keylogging capabilities.”