PlayPraetor is a newly identified Android remote access trojan that has compromised over 11,000 devices, primarily in Portugal, Spain, France, Morocco, Peru, and Hong Kong. This malware exploits accessibility services to take remote control and is capable of overlaying fake login screens on around 200 banking and cryptocurrency apps. Its growth, exceeding 2,000 infections weekly, is fueled by campaigns targeting Spanish and French speakers. PlayPraetor is known for utilizing deceptive ads and fraudulent Google Play Store pages, facilitating an extensive scam network to harvest sensitive user data.
The botnet's rapid growth, which now exceeds 2,000 new infections per week, is driven by aggressive campaigns focusing on Spanish and French speakers, indicating a strategic shift away from its previous common victim base.
PlayPraetor deviates significantly from other Android trojans in that it abuses accessibility services to gain remote control and can serve fake overlay login screens atop nearly 200 banking apps and cryptocurrency wallets in an attempt to hijack victim accounts.
These deceptive ads and messages trick users into clicking the links, which lead them to the fraudulent domains hosting the malicious APKs.
Assessed to be a globally coordinated operation, PlayPraetor comes in five different variants that install deceptive Progressive Web Apps (PWAs), WebView-based apps (Phish), exploit accessibility services for persistent and C2 (Phantom), facilitate invite code-based phishing and trick users into purchasing counterfeit products (Veil), and grant full remote control via EagleSpy and SpyNote (RAT).
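For defenders triaging a device, the two traits described above (APKs installed from outside Google Play, and abuse of accessibility services) can be checked together. The following is an added example, not code from the original report: it parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -i` and flags packages that hold an enabled accessibility service but were not installed by a trusted store. The package names and sample outputs are constructed, and the trusted-installer list is an assumption.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.storeupdate/.core.AssistService")

# Constructed sample of `adb shell pm list packages -i`
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.storeupdate  installer=null
package:com.example.notes  installer=com.android.vending
"""

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_a11y_services(setting):
    """Map package name -> list of enabled accessibility service components."""
    services = {}
    for entry in setting.strip().split(":"):
        if "/" in entry:  # skips an empty setting or the literal "null"
            pkg, component = entry.split("/", 1)
            services.setdefault(pkg, []).append(component)
    return services


def parse_installers(listing):
    """Map package name -> installer package, or None when none is recorded."""
    installers = {}
    for line in listing.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def flag_sideloaded_a11y(setting, listing, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, services) for untrusted-source apps holding accessibility."""
    installers = parse_installers(listing)
    return [(pkg, installers.get(pkg), comps)
            for pkg, comps in sorted(parse_a11y_services(setting).items())
            if installers.get(pkg) not in trusted]


if __name__ == "__main__":
    for pkg, installer, comps in flag_sideloaded_a11y(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg} installer={installer} services={comps}")
```

Preinstalled system apps also report no installer, so a hit is a prompt for review, not a verdict.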