Chinese Threat Actors Hack 11,000 Android Devices to Deploy PlayPraetor Malware
gbhackers
Chinese-speaking threat actors have used the PlayPraetor Remote Access Trojan (RAT) to infiltrate more than 11,000 Android devices globally in a sophisticated Malware-as-a-Service (MaaS) operation. The RAT gives operators real-time control of the infected device, which enables on-device fraud (ODF).
First investigated by Cleafy Threat Intelligence in June 2025, the campaign impersonates legitimate Google Play Store pages to distribute malicious apps, marking a shift from localized threats to a global operation.

The botnet, active since early 2025, leverages a multi-tenant Chinese-language Command and Control (C2) panel that supports affiliates in scaling attacks.
This architecture facilitates automated creation of custom malware delivery pages, allowing operators to mimic trusted apps like Google Chrome and harvest sensitive data.
Europe bears the brunt with 58% of infections, concentrated in Portugal, Spain, and France, while significant hotspots emerge in Morocco (Africa), Peru (Latin America), and Hong Kong (Asia).

The ...
Copyright of this story solely belongs to gbhackers.