A large-scale malware campaign targeting Android users through fraudulent Google Play Store download pages has been uncovered recently by CTM360. The sophisticated operation, which they’ve named ‘PlayPraetor,’ has infected thousands of devices across South-East Asia, particularly targeting financial institutions and their customers. The name “PlayPraetor” draws inspiration from the influential praetor role in ancient Rome, reflecting how the trojan takes control of infected devices to extract sensitive information. The malware, distributed via Meta ads and SMS messages, leverages meticulously crafted fake Play Store websites that closely mimic the official platform to deceive victims into downloading seemingly legitimate applications.

The PlayPraetor malware functions primarily as a banking trojan, retrieving targeted lists of financial applications from its C&C server. Once installed, the PlayPraetor Trojan harvests banking credentials, monitors clipboard activity, and logs keystrokes, allowing attackers to exploit victims’ data for financial gain. The malware continuously monitors clipboard contents, capturing sensitive information without requiring additional permissions.

The malware requests numerous dangerous permissions including access to SMS messages, location data, contacts, camera, and storage. It also transmits extensive device information including accessibility service status, current active applications, geographic location, battery status, and network details to its operators. If granted accessibility services permissions, PlayPraetor can perform keystroke logging, prevent uninstallation attempts, and grant itself additional permissions automatically, creating a persistent threat to financial security.
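For triage of a sideloaded APK, the permission profile described above (an accessibility service combined with SMS, location, contacts, camera and storage access) can be checked from the app's manifest. The following is an added example, not code from CTM360 or the original article; it assumes the manifest has already been decoded to text XML, and the specific Android permission names, the threshold and the sample manifests are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumption: Android permission names chosen here for the article's categories.
RISKY = {
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "contacts": {P + "READ_CONTACTS"},
    "camera": {P + "CAMERA"},
    "storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
}
A11Y_BIND = P + "BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml, min_categories=3):
    """Flag a decoded (text) AndroidManifest.xml that pairs an accessibility
    service with several of the sensitive permission categories."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NS + "name") for el in root.iter("uses-permission")}
    categories = sorted(c for c, names in RISKY.items() if names & requested)
    services = [s.get(NS + "name") for s in root.iter("service")
                if s.get(NS + "permission") == A11Y_BIND]
    return {
        "package": root.get("package"),
        "categories": categories,
        "accessibility_services": services,
        "suspicious": bool(services) and len(categories) >= min_categories,
    }

def _manifest(package, perms, a11y_service=None):
    """Build a constructed sample manifest (not taken from any real APK)."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    svc = (f'<service android:name="{a11y_service}" android:permission="{A11Y_BIND}"/>'
           if a11y_service else "")
    return (f'<manifest xmlns:android="{NS[1:-1]}" package="{package}">'
            f'{uses}<application>{svc}</application></manifest>')

# Constructed samples: a sideloaded "store" app and an ordinary camera app.
SAMPLE_SUSPICIOUS = _manifest("com.example.fakestore",
    ["READ_SMS", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "CAMERA"], ".HelperService")
SAMPLE_BENIGN = _manifest("com.example.camera", ["CAMERA", "WRITE_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

A match is a prompt for closer review of the app, since legitimate software can also declare an accessibility service.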
The deceptive distribution method begins when users click on advertisements or links leading to impersonated Google Play Store pages. The impersonated webpage serves as the medium for spreading the malware, complete with deceptive “Install” navigation buttons. The malware specifically checks for banking and cryptocurrency wallet applications installed on the victim’s device, compiling details such as app ID, application name, and package name.

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in cyber security, he is covering Cyber Security News, technology and other news.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 14:35:19 +0000