A newly identified Android remote access trojan (RAT) named “PlayPraetor” has infected more than 11,000 smartphones globally, including in Morocco, Portugal, Spain, France, Peru, and Hong Kong, according to cybersecurity news outlet SC Media. Researchers report the malware is spreading rapidly, with over 2,000 new infections weekly.
PlayPraetor targets Spanish- and French-speaking users through aggressive campaigns utilizing a sophisticated malware-as-a-service (MaaS) model. Cybersecurity firm Cleafy has identified five variants, including “Phantom,” which focuses on Portuguese-speaking users and exploits Android’s accessibility services to hijack devices. Other versions disguise themselves as fake Progressive Web Apps, WebView apps, phishing tools, and RATs.
Cleafy researchers describe the operation as a broad, highly targeted campaign run by multiple affiliates, coordinated through a Chinese command-and-control server, raising questions about its origin and intent.
This discovery coincides with another Android malware campaign, “ToxicPanda,” which has compromised nearly 3,000 devices primarily in Portugal. Experts warn that mobile malware is evolving rapidly and advise users in affected regions to avoid downloading unknown apps and carefully monitor app permissions.
The scale and precision of PlayPraetor mark a significant evolution in mobile cyberattacks.