Chinese Threat Actors Hack 11,000 Android Devices to Deploy PlayPraetor Malware
Chinese-speaking threat actors have used the PlayPraetor Remote Access Trojan (RAT) to infiltrate more than 11,000 Android devices globally in a sophisticated Malware-as-a-Service (MaaS) operation. The RAT enables on-device fraud (ODF) by giving operators real-time control of the infected device.
First investigated by Cleafy Threat Intelligence in June 2025, the campaign impersonates legitimate Google Play Store pages to distribute malicious apps, marking a shift from localized threats to a global operation.
The botnet, active since early 2025, leverages a multi-tenant Chinese-language Command and Control (C2) panel that supports affiliates in scaling attacks.
This architecture facilitates automated creation of custom malware delivery pages, allowing operators to mimic trusted apps like Google Chrome and harvest sensitive data.
Europe bears the brunt with 58% of infections, concentrated in Portugal, Spain, and France, while significant hotspots emerge in Morocco (Africa), Peru (Latin America), and Hong Kong (Asia).

The operation’s growth exceeds 2,000 new infections weekly, driven by aggressive targeting of Spanish and French speakers, indicating a pivot from traditional Portuguese-speaking victims.
Advanced RAT Capabilities
PlayPraetor exploits Android’s Accessibility Services to grant operators full device control, employing HTTP/HTTPS for initial heartbeats, WebSocket for bidirectional commands over port 8282, and RTMP for real-time screen streaming over port 1935.

Key commands include “update” for configuration changes, “init” for device registration, and “report_list” for monitoring targeted apps, with exfiltration paths like /app/saveDevice for fingerprinting and /app/saveCardPwd for stealing banking credentials.
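As an added example, not code from the Cleafy report: a small Python triage script that groups flow/proxy records by client device and flags those showing the indicator combination described above (WebSocket on 8282, RTMP on 1935, POSTs to the /app/saveDevice and /app/saveCardPwd paths, or contact with the C2 hosts listed in the IOC table). The key=value log format and the sample records are constructed.

```python
import re
from collections import defaultdict

# Behavioural indicators from the article: WebSocket command channel on
# TCP/8282, RTMP screen streaming on TCP/1935, HTTP exfiltration paths.
C2_PORTS = {8282: "websocket-c2", 1935: "rtmp-stream"}
EXFIL_PATHS = {"/app/saveDevice": "device-fingerprint",
               "/app/saveCardPwd": "card-credentials"}
# Network IOCs listed in the article (defanging removed for matching).
C2_HOSTS = {"mskisdakw.top", "fsdlaowaa.top", "199.247.6.61"}

# Constructed key=value log format (an assumption, not any vendor's schema).
LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    return dict(LINE_RE.findall(line))

def score_device(lines):
    """Group flow/proxy records by client and collect the indicators each shows."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        src = rec.get("src")
        if not src:
            continue
        if rec.get("dst", "").replace("[.]", ".") in C2_HOSTS:
            hits[src].add("known-c2-host")
        port = int(rec.get("dport", 0))
        if port in C2_PORTS:
            hits[src].add(C2_PORTS[port])
        if rec.get("path") in EXFIL_PATHS:
            hits[src].add(EXFIL_PATHS[rec["path"]])
    return dict(hits)

def suspected_infections(lines, min_indicators=2):
    """Flag a client on a known C2 host, or on two independent indicators, so a
    lone RTMP/1935 connection (also used by legitimate streaming) does not alert."""
    return {src: sorted(ind) for src, ind in score_device(lines).items()
            if "known-c2-host" in ind or len(ind) >= min_indicators}

# Constructed sample records, not real traffic; 10.0.0.9 is benign streaming.
SAMPLE_LOG = [
    "src=10.0.0.5 dst=mskisdakw.top dport=443 method=POST path=/app/saveDevice",
    "src=10.0.0.5 dst=199.247.6.61 dport=8282 proto=websocket",
    "src=10.0.0.5 dst=199.247.6.61 dport=1935 proto=rtmp",
    "src=10.0.0.9 dst=live.example.net dport=1935 proto=rtmp",
    "src=10.0.0.12 dst=cdn.example.net dport=443 method=GET path=/index.html",
]
```

The host list is a point-in-time IOC set; the port-plus-path combination is the more durable signal to keep in a detection rule.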
Analysis reveals active development: June 2025 samples streamlined the sub-command set from 55 to 52 while introducing features like “add_volumes” and “card_unlock” for enhanced control.
The RAT deploys overlay attacks against nearly 200 global banking apps and cryptocurrency wallets, enabling credential harvesting and fraudulent transactions.
Affiliates, dominated by two principal operators controlling 60% of the botnet, specialize by language: one directs 75% of its activity at Portuguese users, while others target Spanish speakers (90% in some cases), French, Arabic, and more diversified groups.
Temporal trends show exponential growth in Spanish infections, deceleration in Portuguese, and spikes in French and Arabic, signaling strategic expansions into new regions like Latin America and French-speaking areas.
Operational Insights
The C2 panel’s multi-tenant design segregates affiliate environments, offering tools for real-time device interaction, including screen streaming, app launching, and data exfiltration of contacts, SMS, and screenshots.
Phishing pages are customizable, with manual domain integration for modularity. This MaaS model lowers entry barriers, centralizing the kill chain and fostering global fraud.
According to the report, PlayPraetor aligns with trends from Chinese threat actors, akin to ToxicPanda and Supercard X, emphasizing scalable ODF not through novel techniques but through operational innovation.
With a 72% activation rate yielding nearly 8,000 fully controlled devices, the threat escalates risks to financial institutions.
Cleafy’s TLP:WHITE report, derived from a TLP:AMBER version shared with CERTs and LEAs, underscores continuous RAT adaptations for evasion and functionality, positioning PlayPraetor as a dynamic peril to the financial ecosystem.
Indicators of Compromise (IOCs)
Type | Value | Description |
---|---|---|
Malware Sample | 1b022ac761a077f0116bb427b6cf8315a86aa654ae0cd55a6616647bbeb769c4 | Nielsen app |
Malware Sample | d392372928571662e4e59b0e3ff52a0e39a8f062633a4f5bdafc681bcdcdcf22 | Google Chrome app |
C2 Domain | mskisdakw[.]top | Bot Communications Domain |
C2 Domain | fsdlaowaa[.]top | Bot Communications Domain |
C2 IP | 199.247.6[.]61 | Bot Communications IP |