11,000 Android Devices Hacked by Chinese Threat Actors to Deploy PlayPraetor Malware
A sophisticated malware-as-a-service operation orchestrated by Chinese-speaking threat actors has successfully compromised over 11,000 Android devices worldwide through the deployment of PlayPraetor, a powerful Remote Access Trojan designed for on-device fraud.
The campaign represents a significant escalation in mobile banking malware operations, with the botnet expanding at an alarming rate of over 2,000 new infections per week.
The PlayPraetor malware employs a deceptive distribution strategy, impersonating legitimate Google Play Store pages to trick victims into downloading malicious applications.
Once installed, the malware leverages Android’s Accessibility Services to gain comprehensive real-time control over compromised devices, enabling operators to conduct fraudulent transactions directly from the victim’s device.
The operation targets nearly 200 banking applications and cryptocurrency wallets globally, demonstrating the breadth of its financial fraud capabilities.
Geographic analysis reveals a strategically focused campaign rather than random widespread infection. Europe bears the heaviest impact, accounting for 58% of all compromised devices, with particularly high concentrations in Portugal, Spain, and France.
Cleafy analysts identified that the campaign also maintains significant presence across Africa (22%), the Americas (12%), and Asia (8%), with notable hotspots in Morocco, Peru, and Hong Kong respectively.
The malware’s technical sophistication is evident in its multi-protocol communication architecture. Of the 11,000 infected devices, approximately 7,931 have successfully enabled the required Accessibility service, representing a 72% activation rate that effectively places these devices under complete operator control.
Advanced Communication Infrastructure and Command Execution
PlayPraetor implements a robust three-tier communication strategy that ensures persistent control over infected devices.
The malware initiates contact through HTTP/HTTPS, systematically iterating through hardcoded command-and-control domains via the /app/searchPackageName endpoint.
This resilient heartbeat mechanism provides fault tolerance against infrastructure takedowns. Once connectivity is established, the malware activates two specialized channels for real-time operations.
A persistent WebSocket connection over port 8282 creates a bidirectional command channel, while an RTMP stream on port 1935 provides live video surveillance of the device screen through the endpoint rtmp://[C2]:1935/live/.
This dual-channel approach enables operators to monitor victim activities in real-time while executing fraudulent transactions.
The WebSocket channel processes six primary command types: update for configuration modifications, init for campaign registration, alert_arr for overlay configuration, report_list for target application management, heartbeat_web for connection maintenance, and message for sub-command execution.
Data exfiltration occurs through dedicated HTTP endpoints including /app/saveDevice for device fingerprinting, /app/saveContacts and /app/saveSms for personal data harvesting, and /app/saveCardPwd for financial credential theft.
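As an added, defensive example that is not part of the article or of Cleafy's report: a small Python scanner that walks egress-proxy log lines and flags the C2 paths, the port 8282 WebSocket channel and the port 1935 RTMP stream described above. The log format, the hostnames and the sample lines are assumptions constructed for the example; the article lists no C2 domains, so matching is on paths and ports only.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators from the article: C2 HTTP paths, WebSocket command port, RTMP stream port.
# Hostnames are deliberately not matched (none are given); those below are placeholders.
C2_PATHS = {
    "/app/searchPackageName": "C2 discovery / heartbeat",
    "/app/saveDevice": "device fingerprinting",
    "/app/saveContacts": "contact list exfiltration",
    "/app/saveSms": "SMS exfiltration",
    "/app/saveCardPwd": "card credential theft",
}
WS_PORT = 8282    # persistent WebSocket command channel
RTMP_PORT = 1935  # live screen stream at rtmp://[C2]:1935/live/

# Assumed egress-proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(url: str) -> Optional[str]:
    """Return why a URL matches a PlayPraetor indicator, or None if it does not."""
    u = urlsplit(url)
    if u.scheme in ("http", "https") and u.path in C2_PATHS:  # exact path match only
        return f"{C2_PATHS[u.path]} ({u.path})"
    if u.scheme in ("ws", "wss") and u.port == WS_PORT:
        return f"WebSocket command channel on port {WS_PORT}"
    if u.scheme == "rtmp" and u.port == RTMP_PORT and u.path.startswith("/live/"):
        return f"RTMP screen stream on port {RTMP_PORT}"
    return None

def scan_logs(lines):
    """Parse log lines and return one finding dict per line that hits an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, _method, url, _status = m.groups()
        reason = classify(url)
        if reason:
            findings.append({"ts": ts, "client": client, "url": url, "reason": reason})
    return findings

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2025-08-04T09:00:01Z 10.20.0.7 POST https://c2-a.example.invalid/app/searchPackageName 200",
    "2025-08-04T09:00:02Z 10.20.0.7 GET ws://c2-a.example.invalid:8282/ 101",
    "2025-08-04T09:00:05Z 10.20.0.7 POST https://c2-a.example.invalid/app/saveSms 200",
    "2025-08-04T09:00:09Z 10.20.0.7 CONNECT rtmp://c2-a.example.invalid:1935/live/dev01 200",
    "2025-08-04T09:01:00Z 10.20.0.9 GET https://news.example.invalid/app/searchPackageName.html 200",
]
```

The last sample line shows why the path match is exact: a lookalike path on an unrelated host produces no finding, while the four C2 interactions from the first client are each reported with their reason.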
The operation utilizes a sophisticated Chinese-language control panel featuring multi-tenant architecture that supports independent affiliate management while sharing centralized infrastructure, demonstrating the professional nature of this criminal enterprise.