Example of Malware Delivery Page | Image: Cleafy
A large-scale cyber fraud campaign is sweeping across continents, exploiting Android devices. Security researchers at Cleafy have uncovered the inner workings of PlayPraetor, a Remote Access Trojan (RAT) distributed as part of a Malware-as-a-Service (MaaS) operation orchestrated by Chinese-speaking threat actors. Since its emergence, the campaign has infected over 11,000 devices globally, with more than 2,000 new infections weekly.
While infections have been recorded across Europe, Africa, Latin America, and Asia, Europe stands as the campaign's primary target, accounting for 58% of compromised devices, particularly in Portugal, Spain, and France. Other notable hotspots include Morocco, Peru, and Hong Kong.
According to Cleafy, this strategic targeting is not arbitrary but rather tailored by language demographics. The botnet's affiliate system, driven by a multi-tenant Chinese-language C2 panel, allows operators to specialize in regions and languages:
- Affiliate 10008 targets Portuguese speakers (75% of victims)
- Affiliate 10010 focuses on Spanish-speaking users (90% of infections)
- Affiliate 10019 prioritizes French and Arabic-speaking victims
"This proportional view reveals several distinct operational archetypes based on their targeting strategy," Cleafy explains.
PlayPraetor is not just another Android RAT. Its power lies in exploiting Android's Accessibility Services to allow complete real-time control of infected devices, a hallmark of On-Device Fraud (ODF).
The malware uses three communication channels:
- HTTP/HTTPS: Heartbeat and data exfiltration
- WebSocket (port 8282): Real-time command execution
- RTMP (port 1935): Live screen streaming to operators
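The three channels above give defenders a correlation point: neither TCP 8282 nor TCP 1935 is suspicious on its own, but a single device opening both outbound, alongside a steady HTTP(S) heartbeat, matches the C2 profile described in the report. The following script is an added example, not code from Cleafy or from the PlayPraetor research; it reads a constructed, Zeek-style tab-separated connection log (the format and the sample addresses are assumptions for this example) and flags source hosts that used both ports.

```python
"""Correlate outbound connections per host to flag the PlayPraetor C2
channel combination described in the Cleafy report: WebSocket on TCP 8282
plus RTMP on TCP 1935 from the same device.

The log format (Zeek-like conn.log, tab-separated) and the sample rows are
constructed for this example; adapt parse_conn_log() to your own telemetry.
"""
from collections import defaultdict

# Ports taken from the report. Neither is malicious by itself; the signal is
# one endpoint using both channels.
WEBSOCKET_PORT = 8282
RTMP_PORT = 1935

# Constructed sample: ts, src_ip, src_port, dst_ip, dst_port, proto
# 10.0.0.5 shows the full pattern; 10.0.0.7 and 10.0.0.9 only touch one port.
SAMPLE_CONN_LOG = """\
1720000000.100\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp
1720000001.200\t10.0.0.5\t51002\t203.0.113.10\t8282\ttcp
1720000002.300\t10.0.0.5\t51003\t203.0.113.11\t1935\ttcp
1720000003.400\t10.0.0.7\t51010\t198.51.100.20\t1935\ttcp
1720000004.500\t10.0.0.9\t51020\t198.51.100.30\t8282\ttcp
1720000005.600\t10.0.0.9\t51021\t198.51.100.30\t8282\ttcp
not a valid row
"""


def parse_conn_log(text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed TCP record."""
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) != 6 or fields[5] != "tcp":
            continue  # skip malformed or non-TCP rows
        try:
            yield fields[1], fields[3], int(fields[4])
        except ValueError:
            continue  # non-numeric port field


def find_suspect_hosts(text):
    """Return {src_ip: {"websocket": {dst, ...}, "rtmp": {dst, ...}}} for
    hosts that opened BOTH a WebSocket-port and an RTMP-port connection."""
    seen = defaultdict(lambda: {"websocket": set(), "rtmp": set()})
    for src, dst, dport in parse_conn_log(text):
        if dport == WEBSOCKET_PORT:
            seen[src]["websocket"].add(dst)
        elif dport == RTMP_PORT:
            seen[src]["rtmp"].add(dst)
    return {src: chans for src, chans in seen.items()
            if chans["websocket"] and chans["rtmp"]}


if __name__ == "__main__":
    for host, chans in find_suspect_hosts(SAMPLE_CONN_LOG).items():
        print(f"{host}: ws->{sorted(chans['websocket'])} "
              f"rtmp->{sorted(chans['rtmp'])}")
```

In practice the two destinations will often be the same C2 host, so a second pass that also checks for periodic HTTPS beacons to that host from the same source tightens the match; the script keeps the destination sets so that check can be added on top.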
Among the capabilities uncovered:
- Overlay attacks on nearly 200 global banking apps and crypto wallets
- Live device control via the C2 panel interface
- Credential theft, including SMS, contacts, screenshots, and payment card details
Cleafy notes that "the newly introduced sub-commands, such as add_volumes, card_unlock, and wake, point to the development of new capabilities related to device control."
Cleafy's reverse engineering of different PlayPraetor versions reveals continuous updates aimed at enhancing functionality and evasion. Between February and June 2025, the RAT evolved from 55 to 52 sub-commands, dropping outdated features and integrating new control capabilities.
Moreover, PlayPraetor's C2 panel simplifies every stage of the attack lifecycle. From device takeover to phishing site generation, the panel empowers affiliates to:
- Launch real-time fraud directly from the dashboard
- Deploy fake Google Play Store pages mimicking legitimate apps like Google Chrome
- Insert domains manually and customize page elements, such as app icons and descriptions
"A dedicated section within the panel is specifically designed to create and administer decoy landing pages that convincingly mimic legitimate platforms."
The latest data shows a strategic pivot: Spanish-speaking users are now the largest demographic of new infections, particularly in Spain and Latin America. This shift coincides with a deceleration in Portuguese-speaking targets and a rising interest in French and Arabic-speaking users.
Drawing comparisons to other Chinese-speaking MaaS campaigns like ToxicPanda and Supercard X, Cleafy warns that:
"PlayPraetor represents another significant entry from Chinese-speaking threat actors into the global financial fraud landscape."