PlayPraetor Android Trojan Infects 11,000+ Devices via Fake Google Play Pages and Meta Ads

Cybersecurity researchers have identified a new Android remote access trojan (RAT) named PlayPraetor, which has infected over 11,000 devices, primarily in Portugal, Spain, France, Morocco, Peru, and Hong Kong. The botnet is rapidly growing, with more than 2,000 new infections weekly, targeting Spanish and French speakers.


Managed by a Chinese command-and-control (C2) panel, PlayPraetor distinguishes itself by abusing accessibility services to gain remote control and displaying fake login screens for nearly 200 banking apps and cryptocurrency wallets to hijack accounts. First documented by CTM360 in March 2025, the malware uses fraudulent Google Play Store pages to execute a large-scale scam that harvests banking credentials, monitors clipboard activity, and logs keystrokes.


Links to these fake Play Store pages are distributed through Meta Ads and SMS messages, tricking users into downloading malicious APKs. PlayPraetor operates in five variants, each with different functionalities, including on-device fraud and remote control capabilities.
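
The two behaviours described above (APKs installed from outside Google Play, then accessibility services abused for control) can be checked together during device triage. The following is an added example, not code from the researchers or from the malware: it cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -i -3`. The package names and sample outputs are constructed, and treating only `com.android.vending` as a trusted installer is an assumption to adjust for managed fleets.

```python
PLAY_STORE = "com.android.vending"

def parse_accessibility(raw):
    """Package names from `settings get secure enabled_accessibility_services`
    (colon-separated `package/service` components, or `null` when empty)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i -3` (third-party apps)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value in ("", "null") else value
        installers[fields[0]] = installer
    return installers

def flag_sideloaded_accessibility(acc_raw, pkgs_raw, trusted=(PLAY_STORE,)):
    """Third-party apps that hold an enabled accessibility service and were
    not installed by a trusted store. Preinstalled apps are absent from the
    `-3` listing and are therefore skipped."""
    enabled = parse_accessibility(acc_raw)
    installers = parse_installers(pkgs_raw)
    return sorted(p for p in enabled
                  if p in installers and installers[p] not in trusted)

# Constructed sample output, not captured from an infected device.
SAMPLE_ACC = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.example.updater/.core.HelperService:"
              "com.example.passwords/.AutofillA11yService")
SAMPLE_PKGS = """\
package:com.example.updater  installer=null
package:com.example.passwords  installer=com.android.vending
package:com.example.game  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg in flag_sideloaded_accessibility(SAMPLE_ACC, SAMPLE_PKGS):
        print("review:", pkg)
```

A hit is a lead for manual review rather than a verdict, since legitimately sideloaded tools also appear and the recorded installer name is set by whichever app performed the install.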