Cybersecurity researchers have discovered a new remote access trojan for Android devices called PlayPraetor that has infected over 11,000 devices in several countries, with a special focus on Europe and Latin America. This malware has shown explosive growth, with more than 2,000 new infections per week, primarily targeting Spanish and French speakers, suggesting a strategic shift in its victim base.
Fraud and data theft
PlayPraetor stands out from other trojans by abusing Android's accessibility services to gain complete remote control over infected devices. The malware operators use this capability to display fraudulent login screens for more than 200 banking and cryptocurrency applications, allowing sensitive user credentials to be stolen.
The trojan is part of a coordinated global operation and is offered under a malware-as-a-service (MaaS) model. PlayPraetor comes in several variants, each designed to carry out a different type of fraud. Its distribution methods include misleading ads on social media platforms and SMS messages sent to unsuspecting users, which lead them to fake domains hosting the malicious applications.
In addition, PlayPraetor can monitor clipboard activity and log keystrokes, which allows the attackers to carry out fraudulent actions without the victim noticing. The operation has been attributed to Chinese-speaking threat actors, and its campaigns resemble other recent criminal activity, such as that carried out with the ToxicPanda trojan.

Researchers’ analyses highlight that PlayPraetor's command-and-control (C2) panel not only enables real-time interaction with infected devices but also allows the operators to create counterfeit Google Play Store pages, amplifying the malware's reach. Given this sustained growth, the cybersecurity community remains vigilant against the evolution of these fraud techniques.