
A large-scale Malware-as-a-Service (MaaS) campaign operated by Chinese-speaking threat actors has deployed the PlayPraetor Android Remote Access Trojan (RAT) on over 11,000 devices worldwide, using sophisticated affiliate infrastructure and overlay attacks to target nearly 200 banking and crypto apps.
In recent months, the Cleafy Threat Intelligence team documented the PlayPraetor RAT’s dramatic expansion, particularly in Europe — where 58% of infections occur — with major clusters in Portugal, Spain, and France. Additional high-impact regions include Africa (Morocco), Latin America (Peru), and Asia (Hong Kong). The botnet is growing at more than 2,000 new infections per week, as affiliates increasingly focus on Spanish- and French-speaking targets, diverging from earlier Chinese-language demographics.
The campaign is coordinated through a Chinese-language, multi-tenant Command & Control panel that manages operations in real time. This panel streamlines affiliate activity with tools that automate the creation of customized malware landing pages and manage distribution. After being installed through deceptive Google Play Store lookalikes, PlayPraetor leverages Android Accessibility Services to carry out overlay attacks and gain live access to victims’ devices.
PlayPraetor remains in active development, with frequent updates introducing new commands and refined targeting logic to enhance its effectiveness and evade detection. Analysts have identified new code variants tailored to specific operators and geographic regions, featuring customized payloads and repackaged app icons designed to optimize social engineering and improve infection rates.
The RAT’s overlay mechanism is particularly deceptive — victims interact with what appear to be legitimate banking or wallet app interfaces while PlayPraetor silently executes malicious actions in the background. Overlay attacks are executed against nearly 200 global apps, giving attackers access to credentials and transactions across a range of financial services.
Another defining trait of this campaign is its low detection rate. By requesting only minimal Android permissions — mainly NFC and Accessibility — PlayPraetor stays under the radar of most antivirus tools, allowing it to operate stealthily and at scale. Its Malware-as-a-Service model further enhances this by enabling affiliates to generate custom builds using individual login credentials, complicating attribution and minimizing the likelihood of detection.
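The permission profile described above (an accessibility service plus NFC, installed from somewhere other than Google Play) is something a fleet administrator can check for. The following is an added example, not PlayPraetor's code or Cleafy's tooling: it scores a constructed app inventory so that a sideloaded app declaring an accessibility service stands out while a Play-installed screen reader does not. The inventory format, the package names and the scoring weights are assumptions for illustration; the permission and installer identifiers are real Android values.

```python
"""Triage an Android app inventory for the accessibility + NFC pattern.

Added example (not from the article or the malware author). The record
format, weights and sample packages are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Real Android identifiers
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NFC = "android.permission.NFC"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE_INSTALLER = "com.android.vending"

FLAG_THRESHOLD = 5  # assumed cut-off for reporting


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]          # None means sideloaded / unknown source
    permissions: Set[str] = field(default_factory=set)
    # True when the app declares a service protected by BIND_ACCESSIBILITY_SERVICE
    uses_accessibility_service: bool = False


def risk_reasons(app: InstalledApp) -> List[Tuple[str, int]]:
    """Return (reason, weight) pairs explaining why an app looks risky."""
    reasons = []
    if app.uses_accessibility_service:
        reasons.append(("declares an accessibility service", 3))
    if NFC in app.permissions:
        reasons.append(("requests NFC", 1))
    if OVERLAY in app.permissions:
        reasons.append(("requests draw-over-apps (overlay) permission", 1))
    if app.installer != PLAY_STORE_INSTALLER:
        reasons.append(("not installed from Google Play", 2))
    return reasons


def risk_score(app: InstalledApp) -> int:
    return sum(weight for _, weight in risk_reasons(app))


def flag_suspicious(inventory: List[InstalledApp]) -> List[Tuple[str, List[str]]]:
    """Packages whose score reaches the threshold, with their reasons."""
    flagged = []
    for app in inventory:
        if risk_score(app) >= FLAG_THRESHOLD:
            flagged.append((app.package, [r for r, _ in risk_reasons(app)]))
    return flagged


# Constructed sample inventory (package names are hypothetical)
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", PLAY_STORE_INSTALLER, {NFC}),
    InstalledApp("com.example.screenreader", PLAY_STORE_INSTALLER, set(),
                 uses_accessibility_service=True),
    InstalledApp("com.example.fake.playstore", None, {NFC, OVERLAY},
                 uses_accessibility_service=True),
    InstalledApp("com.example.sideloaded.game", None, set()),
]

if __name__ == "__main__":
    for package, reasons in flag_suspicious(SAMPLE_INVENTORY):
        print(f"{package}: {'; '.join(reasons)}")
```

The score deliberately keys on the combination rather than any single permission: accessibility services are legitimate for assistive apps from Google Play, so the installer source is what lifts an entry over the threshold. In a real deployment the inventory would come from an MDM export or `adb shell dumpsys package` output, which is left out here.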
The PlayPraetor operation represents a fast-evolving mobile fraud threat, fueled by sophisticated social engineering, scalable infrastructure, and advanced overlay-based RAT capabilities. Its aggressive global expansion and real-time targeting of financial applications highlight the urgent need for enhanced mobile security, behavioral detection systems, and region-specific countermeasures, especially in high-risk areas and language zones.