PlayPraetor Android Trojan Infects 11,000+ Devices via Fake Google Play Pages and Meta Ads
Summary:
Cleafy's Threat Intelligence team uncovered a global Malware-as-a-Service campaign distributing the PlayPraetor remote access trojan (RAT) through websites that impersonate the Google Play Store. It has infected over 11,000 Android devices worldwide, with the densest concentrations in Europe (Portugal, Spain, France) and observable spread in Morocco, Peru, and Hong Kong. The campaign uses Meta Ads and SMS messages to drive traffic to these spoofed websites, which then trick victims into installing malicious APKs disguised as legitimate apps. Once installed, PlayPraetor gives attackers full control of the device through Android Accessibility Services and mounts overlay attacks against nearly 200 banking and cryptocurrency apps and wallets.
Security Officer Comments:
The campaign is appalling in scope and sophistication. In fewer than three months, operators onboarded thousands of devices using a Chinese-language, multi-tenant C2 infrastructure that automates fake app page generation and the infection process. This is not commodity spam malware: it lets operators manage on-device fraud in real time over a robust three-protocol setup (HTTP/S, WebSocket, RTMP). PlayPraetor's practice of requesting only minimal permissions (mostly Accessibility access) makes it stealthy and undetectable by antivirus tools. As the affiliate model shifts its focus toward Spanish and French speakers, diverging from its historical Portuguese-language origins, Latin American and European financial institutions face growing risk.
Suggested Corrections:
- Educate users to only install apps from the official Google Play Store and to avoid clicking links from ads, SMS, or unknown sources.
- Block or screen Meta Ads and SMS traffic that leads to impersonated app pages.
- Deploy mobile endpoint protection that alerts on apps requesting Accessibility permissions or overlay capabilities.
- Monitor for suspicious installations or overlay behavior in financial or clipboard-sensitive applications.
- Review and strengthen fraud detection systems specific to on-device behavior, especially in multilingual user communities.
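As an added example (not part of Cleafy's report or of any tooling it describes), the following Python triages a device inventory for the capability pattern the report attributes to PlayPraetor: an app installed from outside Google Play that has an enabled Accessibility service and/or requests the overlay permission. It parses constructed sample output in the shape of `adb shell pm list packages -i`, `adb shell settings get secure enabled_accessibility_services`, and the "requested permissions" block of `adb shell dumpsys package <pkg>`; all package names are invented.

```python
import re

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE = "com.android.vending"  # installer package of the official Play Store

# Constructed sample inputs (package names are invented), in the shape of:
#   adb shell pm list packages -i
PM_LIST = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.playupdate  installer=null
package:com.example.notes  installer=com.android.vending
"""
#   adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = "com.example.playupdate/.CoreService:com.android.talkback/.TalkBackService"
#   adb shell dumpsys package <pkg>, trimmed to the "requested permissions:" block
DUMPSYS = {
    "com.example.bankapp": "requested permissions:\n  android.permission.INTERNET\n",
    "com.example.playupdate": "requested permissions:\n  android.permission.INTERNET\n"
                              "  android.permission.SYSTEM_ALERT_WINDOW\n",
    "com.example.notes": "requested permissions:\n  android.permission.INTERNET\n"
                         "  android.permission.SYSTEM_ALERT_WINDOW\n",
}

def parse_installers(pm_list):
    """Map package -> installer package; None means sideloaded (installer=null)."""
    out = {}
    for m in re.finditer(r"package:(\S+)\s+installer=(\S+)", pm_list):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def parse_enabled_a11y(setting):
    """Packages owning an enabled Accessibility service (format pkg/service:pkg/service)."""
    return {entry.split("/")[0] for entry in setting.split(":") if entry}

def requests_overlay(dumpsys_text):
    """True if the package's manifest requests SYSTEM_ALERT_WINDOW (screen overlays)."""
    return OVERLAY_PERM in dumpsys_text

def triage(pm_list, a11y_setting, dumpsys_by_pkg):
    """Return package -> findings for non-Play apps with Accessibility or overlay capability."""
    installers = parse_installers(pm_list)
    a11y_pkgs = parse_enabled_a11y(a11y_setting)
    findings = {}
    for pkg, installer in installers.items():
        if installer == PLAY_STORE:
            continue  # Play-installed apps are outside this sideload pattern
        flags = []
        if pkg in a11y_pkgs:
            flags.append("accessibility-service-enabled")
        if requests_overlay(dumpsys_by_pkg.get(pkg, "")):
            flags.append("overlay-permission-requested")
        if flags:
            findings[pkg] = flags
    return findings
```

Running `triage(PM_LIST, ENABLED_A11Y, DUMPSYS)` flags only the sideloaded package; the Play-installed notes app that also requests overlays is left alone, which is the distinction an endpoint alert rule should make.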
Link(s):
https://www.cleafy.com/cleafy-labs/...speaking-actors-globally-scale-an-android-rat