PlayPraetor Android RAT Rapidly Expands Across Spanish and French-Speaking Regions

Discover the alarming spread of PlayPraetor Android RAT, infecting over 11,000 devices in Spanish and French-speaking regions. Learn about its tactics, targets, and the global cyber threat it poses.

TL;DR

The PlayPraetor Android RAT has infected over 11,000 devices, predominantly in Spanish and French-speaking regions. The malware targets banking apps and crypto wallets and uses sophisticated tactics to control infected devices in real time. Its rapid spread and innovative operational model make it a significant global cyber threat.

PlayPraetor Android RAT: A Rapidly Spreading Cyber Threat

Cleafy researchers have identified a new Android Remote Access Trojan (RAT) called PlayPraetor, which has infected over 11,000 devices, primarily in Portugal, Spain, France, Morocco, Peru, and Hong Kong. The malware is spreading rapidly, with more than 2,000 new infections weekly, and its targeting of Spanish and French speakers marks a notable shift in strategy.

Global Reach and Targeted Campaigns

PlayPraetor is managed via a Chinese-language command and control (C2) panel with a multi-tenant setup, enabling multiple affiliates to run campaigns. The majority of victims are in Europe, with 58% of infections in Portugal, Spain, and France, followed by Morocco, Peru, and Hong Kong. Two main operators dominate 60% of the botnet, focusing on Portuguese speakers, while smaller affiliates target Chinese, Spanish, and French users. The RAT abuses Android Accessibility Services for real-time control and targets nearly 200 banking apps and crypto wallets.

“By abusing Android’s Accessibility Services, the operators gain real-time control of the infected device.”

Technical Capabilities and Innovations

The malware uses a resilient multi-protocol C2 setup:

  • Heartbeat checks via HTTP/S
  • Real-time commands via WebSocket (port 8282)
  • Screen streaming via RTMP (port 1935)
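
As an added example (not code from the original post or from Cleafy), the correlation below flags a device that reaches both the WebSocket command port and the RTMP streaming port on the same host within a short window, with the HTTP/S heartbeat noted when present; the flow-record format, the ten-minute window and the sample addresses are assumptions.

```python
# Added example (not from the Cleafy report or this post): correlate outbound
# flows matching PlayPraetor's multi-protocol C2 profile. Only the ports come
# from the report; the flow format and sample data below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

WS_PORT, RTMP_PORT, HTTP_PORTS = 8282, 1935, {80, 443}
WINDOW = timedelta(minutes=10)

# Constructed flow records: timestamp, source device, destination, dst port.
SAMPLE_FLOWS = """\
2025-05-02T10:00:01 10.0.0.12 203.0.113.10 443
2025-05-02T10:00:05 10.0.0.12 203.0.113.10 8282
2025-05-02T10:00:09 10.0.0.12 203.0.113.10 1935
2025-05-02T10:01:00 10.0.0.33 198.51.100.7 443
2025-05-02T10:02:00 10.0.0.33 198.51.100.7 1935
2025-05-02T11:30:00 10.0.0.44 203.0.113.10 8282
2025-05-02T12:31:00 10.0.0.44 203.0.113.10 1935
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_c2_candidates(flows, window=WINDOW):
    """Return {(src, dst): labels} for pairs that used both the WebSocket
    command port and the RTMP streaming port within `window`. HTTP/S is
    labelled when present but never required: 80/443 alone is normal traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - t0 <= window}
            if WS_PORT in seen and RTMP_PORT in seen:
                labels = {"websocket", "rtmp"}
                if seen & HTTP_PORTS:
                    labels.add("http_heartbeat")
                hits[pair] = frozenset(labels)
                break
    return hits
```

In the constructed sample only 10.0.0.12 is flagged: 10.0.0.33 never opens the WebSocket port, and 10.0.0.44's two connections fall outside the window.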

PlayPraetor has been misclassified as SpyNote in threat databases due to overlaps in infrastructure with other malware families used in concurrent campaigns.

Operational Model and Distribution Methods

PlayPraetor is a global Android malware campaign that began as a localized threat impersonating banking apps and expanded using over 16,000 fake Google Play Store URLs. The attackers trick users into downloading malicious apps or revealing sensitive data. The campaign includes five variants: Phish, RAT, PWA, Phantom (aka PlayPraetor), and Veil. Each variant has unique attack methods. Cleafy began analyzing the Phantom variant in April 2025, confirming fake Play Store pages as the primary distribution method.

“While technically PlayPraetor does not deviate from other modern Android banking trojans, implementing well-established techniques for On-Device Fraud through the abuse of Android’s Accessibility Services, its innovation lies in its operational model.”

Rapid Expansion and Global Impact

By May, activity surged in Southern Europe and LATAM, marking PlayPraetor’s evolution into a major global cyber threat. The analysis of the PlayPraetor C2 panel, which is in Chinese, revealed it to be a multi-tenant control hub for managing infected devices and running phishing campaigns.

[Figure: C2 Panel Interface]

The panel enables affiliates to operate independently while using shared infrastructure. Key features include real-time device control, app launching, data exfiltration, and impersonation tools. It also lets operators create fake Google Play-like pages to deliver malware.

[Figure: Fake Google Play Page]

The panel's modular, customizable design allows quick deployment of phishing pages using pre-registered domains, indicating a well-organized, professional threat operation.

“PlayPraetor represents another significant entry from Chinese-speaking threat actors into the global financial fraud landscape. This trend, exemplified by recent campaigns such as ToxicPanda and Supercard X, demonstrates an increasing interest from TAs in this region in developing and deploying sophisticated attack vectors against financial institutions worldwide.”

Conclusion

The PlayPraetor Android RAT poses a significant threat to financial institutions and individuals worldwide. Its rapid expansion and innovative operational model highlight the increasing sophistication of cyber threats. Staying informed and vigilant is crucial to protect against such evolving dangers.

This post is licensed under CC BY 4.0 by the author.