Particle.news

PlayPraetor Android Trojan Surges Past 11,000 Infections, Shifting Focus to Spanish and French Users

Meta ads pushing fake store pages fuel more than 2,000 new device compromises each week

Overview

  • PlayPraetor has compromised over 11,000 Android devices worldwide and continues to grow by more than 2,000 new infections weekly, with recent campaigns focusing on Spanish- and French-speaking victims.
  • Operators distribute the RAT through fake pages that imitate the Google Play Store, promoted via Meta ads and SMS campaigns, which trick users into installing malicious APKs.
  • By abusing Android’s accessibility services, the malware gains remote control and overlays fake login screens atop nearly 200 banking apps and cryptocurrency wallets to harvest credentials and conduct on-device fraud.
  • The malware is offered as a multi-affiliate service featuring five variants—Phish, Phantom, Veil, EagleSpy and SpyNote—each tailored for different phishing and remote-access tactics.
  • Its Chinese-language command-and-control panel uses HTTP/S, WebSocket and RTMP channels to enable real-time device interaction and dynamically generate spoofed app pages for targeted campaigns.