A large-scale malware campaign targeting Android users through fraudulent Google Play Store download pages has been uncovered recently by CTM360.
The sophisticated operation, which they’ve named ‘PlayPraetor,’ has infected thousands of devices across South-East Asia, particularly targeting financial institutions and their customers.
The malware, distributed via Meta ads and SMS messages, leverages meticulously crafted fake Play Store websites that closely mimic the official platform to deceive victims into downloading seemingly legitimate applications.
Once installed, the PlayPraetor Trojan harvests banking credentials, monitors clipboard activity, and logs keystrokes, allowing attackers to exploit victims’ data for financial gain.
CTM360 has identified over 6,000 instances of these fraudulent pages, underscoring the widespread nature of the campaign across multiple countries.
The name “PlayPraetor” draws inspiration from the influential praetor role in ancient Rome, reflecting how the trojan takes control of infected devices to extract sensitive information.
The deceptive distribution method begins when users click on advertisements or links leading to impersonated Google Play Store pages.
These fake sites display familiar app logos and layouts, creating a false sense of legitimacy. Upon clicking the download button, victims receive the malicious APK file instead of the expected legitimate application.
The impersonated webpage used as a medium for spreading the malware, complete with deceptive “Install” navigation buttons.
Technical analysis reveals the malware targets Android versions 7.0 (SDK 24) through 13.0 (SDK 33).
Upon execution, it presents users with a login page requesting a phone number and password before establishing a connection with its command-and-control server at hxxps://ynadmwss[.]top:8081.
The malware requests numerous dangerous permissions including access to SMS messages, location data, contacts, camera, and storage.
Banking Trojan Capabilities
The PlayPraetor malware functions primarily as a banking trojan, retrieving targeted lists of financial applications from its C&C server.
It specifically checks for banking and cryptocurrency wallet applications installed on the victim’s device, compiling details such as app ID, application name, and package name.
The malware continuously monitors clipboard contents, capturing sensitive information without requiring additional permissions.
It also transmits extensive device information including accessibility service status, current active applications, geographic location, battery status, and network details to its operators.
If granted accessibility services permissions, PlayPraetor can perform keystroke logging, prevent uninstallation attempts, and grant itself additional permissions automatically, creating a persistent threat to financial security.
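The profile above (SDK 24 to 33, a broad set of dangerous permissions, and an accessibility service used for keylogging and self-protection) can be turned into a static triage check. The following is an added example, not part of CTM360's analysis; it assumes an apktool-decoded AndroidManifest.xml and runs against a constructed sample manifest with a hypothetical package name.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Manifest names for the permission classes the article lists
# (SMS, location, contacts, camera, storage).
WATCHED_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest (hypothetical package name), not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplay">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text: str, min_hits: int = 3) -> dict:
    """Score a decoded AndroidManifest.xml against the PlayPraetor profile."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID_NS + "minSdkVersion", 0)) if sdk is not None else None
    target_sdk = int(sdk.get(ANDROID_NS + "targetSdkVersion", 0)) if sdk is not None else None
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(perms & WATCHED_PERMISSIONS)
    # A service bound with the accessibility permission is the keylogging,
    # anti-uninstall and self-granting vector described in the article.
    a11y = [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == A11Y_PERM]
    sdk_in_range = min_sdk is not None and 24 <= min_sdk <= 33
    suspicious = sdk_in_range and bool(a11y) and len(hits) >= min_hits
    return {"min_sdk": min_sdk, "target_sdk": target_sdk, "permission_hits": hits,
            "accessibility_services": a11y, "suspicious": suspicious}
```

A hit here is only a triage signal for further analysis, since legitimate accessibility and messaging apps can match the same permission set.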