Thursday, March 20, 2025

PlayPraetor Malware Targets Android Users via Fake Play Store Apps to Steal Passwords


A sophisticated malware campaign, dubbed PlayPraetor, has been uncovered by cybersecurity firm CTM360.

This operation involves creating fake Google Play Store websites that deceive users into downloading malicious Android applications.

These apps, though appearing legitimate, are actually advanced banking Trojans designed to steal sensitive user information, including banking credentials and clipboard data.

Operation Details

The PlayPraetor malware is part of a large-scale scam that has been identified across more than 6,000 fraudulent web pages.

These fake Play Store sites are crafted to closely resemble the official platform, featuring familiar icons and layouts to build trust with potential victims.

Once a user clicks the “Download” button, they are prompted to install an APK file that is actually the PlayPraetor Trojan.

This malware can log keystrokes, capture screen content, and continuously monitor clipboard activity to steal sensitive data such as login credentials and cryptocurrency addresses.

These malicious links are distributed primarily through Meta Ads and SMS messages, channels that reach a wide audience.

Scammers exploit psychological triggers like free offers or urgent security warnings to pressure users into quick decisions without verifying the legitimacy of the apps.

Upon installation, the malware communicates with its command and control (C&C) server to retrieve a list of targeted banking and cryptocurrency wallet applications.

According to the researchers, it then checks for these apps on the compromised device and sends relevant information back to the server.

Monetization and Impact

The primary motive behind these attacks is financial gain.

Threat actors exploit stolen data by draining funds from compromised accounts, making unauthorized transactions, or selling the accounts on dark web marketplaces.

Additionally, the malware can intercept SMS messages, including one-time passwords used for multi-factor authentication, allowing attackers to bypass security measures.

The malware may also engage in ad fraud by silently running in the background to generate fake traffic or subscribe victims to premium services without their consent.

The scale and complexity of this operation indicate a highly coordinated effort to compromise users globally, particularly in South-East Asia.

Users are advised to be cautious when downloading apps, ensuring they are from the official Google Play Store and not from suspicious links or websites.

Regularly updating security software and being vigilant about app permissions can also help mitigate the risk of such malware infections.
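A defender-side triage of the advice above, as an added example that is not from the article or from CTM360: it parses constructed `adb shell pm list packages -3 -i` and `dumpsys package <pkg>` output (package names are hypothetical) and flags third-party apps that were not installed by the Play Store client and that request the SMS or overlay permissions behind the capabilities the article describes.

```python
import re

# Constructed sample of `adb shell pm list packages -3 -i` output (third-party
# apps with installer); package names are hypothetical, not from the article.
PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.playstore.update  installer=null
package:com.example.game  installer=com.google.android.packageinstaller
"""

# Constructed excerpt of `adb shell dumpsys package <pkg>` for the sideloaded app.
DUMPSYS = {
    "com.example.playstore.update": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # the official Play Store client
# Permissions enabling what the article describes (SMS/OTP interception,
# overlays drawn over banking apps). Requesting them is a signal, not proof.
RISKY_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
               "android.permission.SYSTEM_ALERT_WINDOW"}


def parse_installers(pm_text):
    """Map package name -> installer ('null' when unknown, e.g. sideloaded)."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)$", pm_text, re.M))


def parse_requested_permissions(dumpsys_text):
    """Names under 'requested permissions:', stopping at the next section."""
    m = re.search(r"requested permissions:\n((?:[ \t]+android\.permission\.\S+\n)*)",
                  dumpsys_text)
    return set(m.group(1).split()) if m else set()


def triage(pm_text, dumpsys_by_pkg):
    """{pkg: sorted risky permissions} for every app not installed by Play."""
    findings = {}
    for pkg, installer in parse_installers(pm_text).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        perms = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        findings[pkg] = sorted(perms & RISKY_PERMS)
    return findings
```

On a real device, feed `triage` the output of the two adb commands; an app that was not installed by the Play Store client and requests SMS plus overlay permissions is a candidate for manual review, not an automatic verdict.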


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
