Aug 04, 2025

Extended Rapid Response: Zimperium Expands Detection of PlayPraetors Android RAT Campaign with Additional Samples and Targets

zLabs

Cleafy’s latest analysis details PlayPraetors, a large-scale malware-as-a-service (MaaS) operation run by Chinese-speaking actors that has infected 11,000+ Android devices in under three months. The campaign relies on fake Google Play Store pages to deliver the RAT and then abuses Android Accessibility Services to enable real-time on-device fraud (ODF) and remote control. According to the report, the botnet is adding roughly 2,000 new infections per week. Europe is the most impacted region (58% of victims, notably Portugal, Spain, and France), with additional hotspots in Morocco, Peru, and Hong Kong. Targeting is financially motivated: operators deploy overlays and live-control tooling against nearly 200 banking apps and cryptocurrency wallets worldwide.

The PlayPraetors operators run their infrastructure so that it supports multiple affiliates at once, allowing them to expand the campaign quickly and across regions. Once a device is infected, attackers can watch the victim’s screen in real time, capture credentials, access sensitive data such as contacts, MFA codes and SMS messages, and even perform fraudulent transactions directly from the device. This combination of overlay attacks, live viewing, and flexible targeting lets the malware adapt rapidly to different countries, brands, and financial institutions.

Zimperium coverage: We detect all samples shared in Cleafy’s report with high accuracy, including zero-day detection via our on-device dynamic detection engine. In addition, our threat hunting efforts expanded the scope of this operation: we identified 116 additional samples linked to the same campaign, helping to strengthen defenses and increase takedown opportunities across the ecosystem. At the same time, we uncovered a staggering 3039 targeted applications worldwide.

Why this matters now: PlayPraetors is not just another banking trojan; it is an industrialized, affiliate-driven operation built to scale globally and to pivot quickly between languages, brands, and regions. The combination of fake store delivery, Accessibility-based ODF, overlays targeting thousands of financial apps, and live device streaming materially raises fraud success rates while keeping user-visible indicators low. Organizations with European footprints (especially Iberia and France) and those with exposure in Africa (Morocco), LATAM (Peru), and Asia (Hong Kong) should assume active targeting and ensure their mobile defenses can block overlays, detect Accessibility abuse, and stop command-and-control activity on-device.
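As an added, illustrative defender-side check (not code from Zimperium, Cleafy, or the report), the following Kotlin audit enumerates the two device capabilities the campaign depends on: enabled accessibility services and the draw-over-other-apps permission held by sideloaded, non-system packages. It assumes it runs inside an auditing app that holds QUERY_ALL_PACKAGES (required for package visibility on Android 11+), and that `TRUSTED_INSTALLERS` is a placeholder allowlist to be tuned per deployment.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.AppOpsManager
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.view.accessibility.AccessibilityManager

// One suspicious observation about an installed package.
data class Finding(val packageName: String, val reason: String)

// Assumption: only Google Play counts as a trusted installer; adjust per deployment.
private val TRUSTED_INSTALLERS = setOf("com.android.vending")

private fun isSideloaded(pm: PackageManager, pkg: String): Boolean {
    // getInstallerPackageName returns null for sideloaded/ADB installs and
    // throws if the package is not installed; both are treated as untrusted.
    val installer = try { pm.getInstallerPackageName(pkg) } catch (e: IllegalArgumentException) { null }
    return installer !in TRUSTED_INSTALLERS
}

private fun isSystemApp(app: ApplicationInfo): Boolean =
    (app.flags and ApplicationInfo.FLAG_SYSTEM) != 0

// Returns findings for (1) enabled accessibility services owned by sideloaded,
// non-system apps and (2) sideloaded, non-system apps allowed to draw overlays.
fun auditAccessibilityAndOverlay(ctx: Context): List<Finding> {
    val pm = ctx.packageManager
    val findings = mutableListOf<Finding>()

    // (1) Accessibility abuse: a fake-store app that got the user to enable its service.
    val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    for (svc in am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
        val si = svc.resolveInfo.serviceInfo
        if (!isSystemApp(si.applicationInfo) && isSideloaded(pm, si.packageName)) {
            findings += Finding(si.packageName, "enabled accessibility service: ${si.name}")
        }
    }

    // (2) Overlay capability: SYSTEM_ALERT_WINDOW granted via the app-ops layer.
    val appOps = ctx.getSystemService(Context.APP_OPS_SERVICE) as AppOpsManager
    for (app in pm.getInstalledApplications(0)) {
        if (isSystemApp(app) || !isSideloaded(pm, app.packageName)) continue
        val mode = appOps.checkOpNoThrow(AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW, app.uid, app.packageName)
        if (mode == AppOpsManager.MODE_ALLOWED) {
            findings += Finding(app.packageName, "sideloaded app can draw overlays")
        }
    }
    return findings
}
```

A package that appears in both categories (enabled accessibility service and overlay permission, installed outside a trusted store) matches the capability profile described above and is worth escalating for review.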

For a full breakdown of the PlayPraetors operation's capabilities, read Cleafy's report here.

Indicators of Compromise (IOCs)

The newly discovered IOCs can be found in the following repository.