Cleafy specialists have discovered a new Android Trojan, PlayPraetor. According to their data, it has already infected more than 11,000 devices, and more than 2,000 new infections are recorded every week.
The malware currently targets users in Portugal, Spain, France, Morocco, Peru, and Hong Kong, but researchers also report active campaigns aimed at Spanish- and French-speaking audiences, suggesting that the operators are shifting their focus away from earlier victim groups.
In addition, in recent weeks the malware has increasingly spread among Spanish-speaking and Arabic-speaking users, which is why researchers believe PlayPraetor now operates on a MaaS (Malware-as-a-Service) model.
Experts write that PlayPraetor communicates with a command-and-control (C2) server located in China and is not much different from other Android Trojans: it abuses Android Accessibility services to gain remote control over the device, and it can also place phishing overlays on top of almost 200 banking apps and crypto wallets to steal credentials.
PlayPraetor was first discovered by CTM360 in March 2025. At the time, researchers noted that attackers were using thousands of fake pages disguised as the Google Play Store to distribute the malware. This scheme allows malware operators to steal banking credentials, monitor clipboard contents, and intercept keystrokes.
“Links to fake Google Play Store pages are distributed through social media ads and SMS messages, helping attackers reach a wider audience,” the researchers explained. “The fake ads and messages trick users into clicking on links that lead to sites with malicious APK files.”
Experts write that PlayPraetor exists in five variants:
According to Cleafy, the Phantom variant is an on-device fraud (ODF) malware. It is operated by two key affiliate groups that together control approximately 60% of the botnet (around 4,500 infected devices); their activity is concentrated mainly in Portuguese-speaking countries.
“The core functionality is based on the abuse of Android’s Accessibility services, giving operators extensive and near-instantaneous control over the infected device,” Cleafy notes. “This allows fraudulent activity to be carried out directly from the victim’s device.”
Once installed, the malware contacts the C2 server via HTTP/HTTPS and establishes a WebSocket connection for two-way command traffic. It also starts an RTMP (Real-Time Messaging Protocol) session, which gives the attackers a live stream of everything that happens on the infected device's screen.
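The infection chain described above (an APK fetched from a page that is not the real Play Store, followed shortly by a WebSocket channel and an outbound RTMP stream from the same device) is something a defender can correlate in egress logs. The following is an added illustrative example, not code from Cleafy, CTM360 or the malware itself; the log format, the event names, the hostnames (reserved `.example` names), the device identifiers and the 30-minute window are all constructed assumptions, and real deployments would map their own proxy or firewall fields onto them.

```python
"""Correlation heuristic for a PlayPraetor-style infection chain.

Added example, not vendor code. Log format, hosts, device ids and the
timing window are constructed assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log: "<ISO timestamp> <device> <event> <host>:<port>".
# APK_DOWNLOAD  - an .apk fetched over HTTP/HTTPS
# WS_UPGRADE    - an HTTP request carrying "Upgrade: websocket"
# RTMP_CONNECT  - outbound TCP session to a server speaking RTMP (1935/tcp)
SAMPLE_LOGS = """\
2025-07-01T10:00:01 dev-a APK_DOWNLOAD play-store-update.example:443
2025-07-01T10:02:30 dev-a WS_UPGRADE c2-gateway.example:443
2025-07-01T10:02:35 dev-a RTMP_CONNECT stream-relay.example:1935
2025-07-01T10:05:00 dev-b APK_DOWNLOAD play.google.com:443
2025-07-01T10:06:00 dev-b WS_UPGRADE chat.example:443
2025-07-01T11:00:00 dev-c APK_DOWNLOAD sideload-site.example:80
2025-07-01T11:01:00 dev-c WS_UPGRADE c2-gateway.example:443
2025-07-01T13:30:00 dev-c RTMP_CONNECT stream-relay.example:1935
"""

# Assumed allow-list: APKs from the genuine store do not start the chain.
TRUSTED_APK_SOURCES = {"play.google.com"}
# Assumed correlation window between the sideloaded APK and the C2 channels.
WINDOW = timedelta(minutes=30)


def parse_logs(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, event, endpoint = line.split()
        host, port = endpoint.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "device": device,
            "event": event,
            "host": host,
            "port": int(port),
        })
    return events


def find_suspicious_devices(events):
    """Flag devices where a non-store APK download is followed, within WINDOW,
    by both a WebSocket upgrade and an RTMP connection.

    Returns {device: {"apk_source": host, "ws_hosts": [...], "rtmp_hosts": [...]}}.
    """
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device"]].append(ev)

    findings = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["event"] != "APK_DOWNLOAD" or ev["host"] in TRUSTED_APK_SOURCES:
                continue
            # Only events that follow the download inside the window count;
            # an RTMP session hours later (dev-c) is not correlated with it.
            later = [e for e in evs[i + 1:] if e["ts"] - ev["ts"] <= WINDOW]
            ws_hosts = sorted({e["host"] for e in later if e["event"] == "WS_UPGRADE"})
            rtmp_hosts = sorted({e["host"] for e in later if e["event"] == "RTMP_CONNECT"})
            if ws_hosts and rtmp_hosts:
                findings[device] = {
                    "apk_source": ev["host"],
                    "ws_hosts": ws_hosts,
                    "rtmp_hosts": rtmp_hosts,
                }
                break
    return findings


if __name__ == "__main__":
    for device, info in find_suspicious_devices(parse_logs(SAMPLE_LOGS)).items():
        print(device, info)
```

Requiring all three signals keeps the heuristic from firing on an ordinary sideloaded app that merely opens a WebSocket (`dev-b` style traffic) or on an unrelated RTMP stream started long after a download (`dev-c`); in practice the window and the trusted-source list would be tuned to the organisation's own baseline.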
The list of supported Trojan commands is constantly growing, which indicates active development of the malware.
“The success of this campaign is based on a well-established operational structure and a malware-as-a-service model involving multiple affiliates,” Cleafy researchers note. “This structure allows for large-scale and targeted campaigns.”