A sophisticated malware campaign, dubbed PlayPraetor, has been uncovered by cybersecurity firm CTM360.
This operation involves creating fake Google Play Store websites that deceive users into downloading malicious Android applications.
These apps, though appearing legitimate, are actually advanced banking Trojans designed to steal sensitive user information, including banking credentials and clipboard data.
Operation Details
The PlayPraetor malware is part of a large-scale scam that has been identified across over 6,000 fraudulent web pages.
These fake Play Store sites are crafted to closely resemble the official platform, featuring familiar icons and layouts to build trust with potential victims.
Once a user clicks the “Download” button, they are prompted to install an APK file that is actually the PlayPraetor Trojan.
This malware can log keystrokes, capture screen content, and continuously monitor clipboard activity to steal sensitive data such as login credentials and cryptocurrency addresses.
The distribution of these malicious links is primarily through Meta Ads and SMS messages, which effectively reach a wide audience.
Scammers exploit psychological triggers like free offers or urgent security warnings to pressure users into quick decisions without verifying the legitimacy of the apps.
Upon installation, the malware communicates with its command and control (C&C) server to retrieve a list of targeted banking and cryptocurrency wallet applications.
According to the researchers, it then checks for these apps on the compromised device and sends relevant information back to the server.
Monetization and Impact
The primary motive behind these attacks is financial gain.
Threat actors exploit stolen data by draining funds from compromised accounts, making unauthorized transactions, or selling the accounts on dark web marketplaces.
Additionally, the malware can intercept SMS messages, including one-time passwords used for multi-factor authentication, allowing attackers to bypass security measures.
The malware may also engage in ad fraud by silently running in the background to generate fake traffic or subscribe victims to premium services without their consent.
The scale and complexity of this operation indicate a highly coordinated effort to compromise users globally, particularly in South-East Asia.
Users are advised to be cautious when downloading apps, ensuring they are from the official Google Play Store and not from suspicious links or websites.
Regularly updating security software and being vigilant about app permissions can also help mitigate the risk of such malware infections.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
