Overview

• PlayPraetor has compromised over 11,000 Android devices worldwide and continues to grow by more than 2,000 new infections weekly, with recent campaigns focusing on Spanish- and French-speaking victims.
• Operators distribute the RAT through deceptive Google Play Store pages advertised via Meta ads and SMS campaigns that trick users into installing malicious APKs.
• By abusing Android’s accessibility services, the malware gains remote control and overlays fake login screens atop nearly 200 banking apps and cryptocurrency wallets to harvest credentials and conduct on-device fraud.
• The malware is offered as a multi-affiliate service featuring five variants—Phish, Phantom, Veil, EagleSpy and SpyNote—each tailored for different phishing and remote-access tactics.
• Its Chinese-language command-and-control panel uses HTTP/S, WebSocket and RTMP channels to enable real-time device interaction and dynamically generate spoofed app pages for targeted campaigns.