11,000 Android Devices Hacked by Chinese Threat Actors to Deploy PlayPraetor Malware

A sophisticated malware-as-a-service operation orchestrated by Chinese-speaking threat actors has successfully compromised over 11,000 Android devices worldwide through the deployment of PlayPraetor, a powerful Remote Access Trojan designed for on-device fraud. The campaign represents a significant escalation in mobile banking malware operations, with the botnet expanding at an alarming rate of over 2,000 new infections per week.

The PlayPraetor [malware](https://cybersecuritynews.com/chatgpt-powered-malware-analysis/) employs a deceptive distribution strategy, impersonating legitimate Google Play Store pages to trick victims into downloading malicious applications. Once installed, the malware leverages Android’s Accessibility Services to gain comprehensive real-time control over [compromised devices](https://cybersecuritynews.com/microsoft-detect-compromised-devices/), enabling operators to conduct fraudulent transactions directly from the victim’s device. The operation targets nearly 200 banking applications and cryptocurrency wallets globally, demonstrating the breadth of its financial fraud capabilities.

Geographic analysis reveals a strategically focused campaign rather than random widespread infection. Europe bears the heaviest impact, accounting for 58% of all compromised devices, with particularly high concentrations in Portugal, Spain, and France. Cleafy analysts [identified](https://www.cleafy.com/cleafy-labs/playpraetors-evolving-threat-how-chinese-speaking-actors-globally-scale-an-android-rat) that the campaign also maintains a significant presence across Africa (22%), the Americas (12%), and Asia (8%), with notable hotspots in Morocco, Peru, and Hong Kong respectively.

The malware’s technical sophistication is evident in its multi-protocol communication architecture.
Of the 11,000 infected devices, approximately 7,931 have successfully enabled the required Accessibility service, representing a 72% activation rate that effectively places these devices under complete operator control.

**Advanced Communication Infrastructure and Command Execution**

PlayPraetor implements a robust three-tier communication strategy that ensures persistent control over infected devices. The malware initiates contact through HTTP/HTTPS protocols, systematically iterating through hardcoded command-and-control domains via the `/app/searchPackageName` endpoint. This resilient heartbeat mechanism provides fault tolerance against infrastructure takedowns. Once connectivity is established, the malware activates two specialized channels for real-time operations.

![C2 Dashboard with real-time infection statistics (Source: Cleafy)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDMWDQGHUBC23aCX72I159_nP8DyqXLJK3Z3uGK1vuOqEh-f7MBGEy9ybMPKhj-Ig7ILQZNi1ro2T47lfLd18ZhlEuebaOhoZrulBUEwTKYQeQqfBczAv83ovf6NiFt1-2CKUrntD8pKnNIGtrBTfU1GYvfGqatmMlgFflUPwwDIhrckhr09JgvCiCIyg/s16000/C2%20Dashboard%20with%20real-time%20infection%20statistics%20(Source%20-%20Cleafy).webp)

C2 Dashboard with real-time infection statistics (Source: Cleafy)

A persistent WebSocket connection over port 8282 creates a bidirectional command channel, while an RTMP stream on port 1935 provides live video [surveillance](https://cybersecuritynews.com/google-meta-apple-fuel-surveillance/) of the device screen through the endpoint `rtmp://[C2]:1935/live/`. This dual-channel approach enables operators to monitor victim activities in real time while executing fraudulent transactions.
![Device Remote Control Section (Source: Cleafy)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSABLiIMC9WA4KlqyCrMOxpENponVQSXyJSOd1oRt2mtEjsOayA1Sw5EEOM3pbGvtAknCJ-zi5ywGxo2qMHRNAMKa667Wy8i9kcNES6OJaHJVHUBLXkElIlJ_ZSUrWTMKwrH7E4U5as2Y_z8M2B9lt2bjtnBQjJfE8g6SYS-b6Zz5dNhhs_TR6VUKeX1k/s16000/Device%20Remote%20Control%20Section%20(Source%20-%20Cleafy).webp)

Device Remote Control Section (Source: Cleafy)

The WebSocket channel processes six primary command types: `update` for configuration modifications, `init` for campaign registration, `alert_arr` for overlay configuration, `report_list` for target application management, `heartbeat_web` for connection maintenance, and `message` for sub-command execution.

![Malware Delivery Page (Source: Cleafy)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV0RZZ7RjlwmzIlnnfbK1tP0u2qf9WZ0a0ARKNo1J4JsRS9iOwiVkl7p2kawVL8EkHu69maACvsq3WhXCd5Vc7Mf67qEbj8qVFSZEr7biWZsY4l0kTug56zrRvQyxT-Q5BU154sjFNn07vQVo5Ld9kbU9a6UrbXgCa4ZtuE7sIRjm5arKeCWcg7EZS6iI/s16000/Malware%20Delivery%20Page%20(Source%20-%20Cleafy).webp)

Malware Delivery Page (Source: Cleafy)

Data exfiltration occurs through dedicated HTTP endpoints including `/app/saveDevice` for device fingerprinting, `/app/saveContacts` and `/app/saveSms` for personal data harvesting, and `/app/saveCardPwd` for financial credential theft.

The operation utilizes a sophisticated Chinese-language control panel featuring a multi-tenant architecture that supports independent affiliate management while sharing centralized infrastructure, demonstrating the professional nature of this criminal enterprise.

The post [11,000 Android Devices Hacked by Chinese Threat Actors to Deploy PlayPraetor Malware](https://cybersecuritynews.com/11000-android-devices-hacked-by-chinese-threats-actors/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
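The C2 endpoints and ports named in the communication-infrastructure and data-exfiltration paragraphs above lend themselves to a straightforward network-side check. The following Python script is an added example, not code from the article or from Cleafy: it scans proxy/flow log lines for the `/app/...` paths, the port 8282 WebSocket channel and the port 1935 RTMP stream, groups hits per client, and grades each client by how much of the three-tier pattern it exhibits, including the heartbeat behaviour of one client probing several hosts with the same path. The log line format, hostnames and IP addresses are constructed assumptions, and only the paths and ports come from the report.

```python
"""Score proxy/flow log lines against the PlayPraetor C2 indicators from the
Cleafy report. Added example: the log format, hosts and addresses below are
constructed, not taken from any real product or incident."""
import re
from collections import defaultdict

# Values taken from the report: HTTP endpoints and the two side-channel ports.
C2_HTTP_PATHS = {
    "/app/searchPackageName": "heartbeat",
    "/app/saveDevice": "exfil:device-fingerprint",
    "/app/saveContacts": "exfil:contacts",
    "/app/saveSms": "exfil:sms",
    "/app/saveCardPwd": "exfil:card-credentials",
}
C2_PORTS = {8282: "channel:websocket", 1935: "channel:rtmp"}
HEARTBEAT_PATH = "/app/searchPackageName"

# Constructed log format (assumption):
#   <timestamp> <client_ip> <dst_host>:<dst_port> <method> <path>
# Raw TCP connections that carry no HTTP request are logged as "CONNECT -".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^:\s]+):(\d+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, method, path = m.groups()
    return {"ts": ts, "src": src, "host": host, "port": int(port),
            "method": method, "path": path}


def match_indicators(event):
    """Return the indicator labels an event matches (path first, then port)."""
    hits = []
    if event["path"] in C2_HTTP_PATHS:
        hits.append(C2_HTTP_PATHS[event["path"]])
    if event["port"] in C2_PORTS:
        hits.append(C2_PORTS[event["port"]])
    return hits


def analyse(lines):
    """Group indicator hits per client and assign a confidence verdict.

    high:   heartbeat plus a command/stream channel or an exfil endpoint,
            i.e. the full multi-protocol pattern described in the report
    medium: only the heartbeat path, but sent to several different hosts,
            which matches the client iterating through hardcoded C2 domains
    low:    a single isolated indicator (ports 8282/1935 alone are noisy)
    """
    per_src = defaultdict(lambda: {"hits": [], "heartbeat_hosts": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_src[ev["src"]]
        for label in match_indicators(ev):
            rec["hits"].append((ev["ts"], ev["host"], ev["port"], label))
        if ev["path"] == HEARTBEAT_PATH:
            rec["heartbeat_hosts"].add(ev["host"])

    report = {}
    for src, rec in per_src.items():
        labels = {h[3] for h in rec["hits"]}
        if not labels:
            continue
        if "heartbeat" in labels and labels - {"heartbeat"}:
            verdict = "high"
        elif len(rec["heartbeat_hosts"]) > 1:
            verdict = "medium"
        else:
            verdict = "low"
        report[src] = {"verdict": verdict, "labels": sorted(labels),
                       "heartbeat_hosts": sorted(rec["heartbeat_hosts"]),
                       "hits": rec["hits"]}
    return report


# Constructed sample log: 10.0.0.5 shows the full pattern, 10.0.0.7 is benign
# traffic under an unrelated /app/ path, 10.0.0.9 sends one heartbeat, and
# 10.0.0.11 probes two hosts with the heartbeat path only.
SAMPLE_LOG = """\
2025-07-29T10:00:01Z 10.0.0.5 c2-a.example:443 POST /app/searchPackageName
2025-07-29T10:00:02Z 10.0.0.5 c2-b.example:443 POST /app/searchPackageName
2025-07-29T10:00:03Z 10.0.0.5 c2-b.example:8282 CONNECT -
2025-07-29T10:00:09Z 10.0.0.5 c2-b.example:443 POST /app/saveDevice
2025-07-29T10:00:20Z 10.0.0.5 c2-b.example:1935 CONNECT -
2025-07-29T10:01:00Z 10.0.0.7 shop.example:443 GET /app/settings
2025-07-29T10:01:05Z 10.0.0.9 c2-c.example:443 POST /app/searchPackageName
2025-07-29T10:02:00Z 10.0.0.11 c2-a.example:443 POST /app/searchPackageName
2025-07-29T10:02:01Z 10.0.0.11 c2-c.example:443 POST /app/searchPackageName
malformed line that the parser skips
""".splitlines()

if __name__ == "__main__":
    for src, rec in analyse(SAMPLE_LOG).items():
        print(f"{src:10} {rec['verdict']:6} {', '.join(rec['labels'])}")
```

The grading deliberately treats the two side-channel ports as weak evidence on their own, since 1935 is the standard RTMP port and 8282 is used by plenty of legitimate services; it is the combination of the `/app/searchPackageName` heartbeat with an exfiltration endpoint or one of the two channels, or the same client cycling the heartbeat across several hosts, that reflects the behaviour the report describes.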
