Security researchers at Italian firm Cleafy warn that a new Android remote-access Trojan dubbed “PlayPraetor” has compromised more than 11,000 smartphones and is adding roughly 2,000 new victims each week. The campaign relies on hundreds of spoofed Google Play Store pages promoted through Meta advertising and SMS lures; once installed, the rogue apps masquerade as legitimate banking or cryptocurrency tools.

PlayPraetor abuses Android’s Accessibility Services to obtain full real-time control of a device. The malware can stream the screen, capture keystrokes, read clipboard contents and launch overlay pages that harvest credentials for nearly 200 mobile-banking applications and crypto wallets. Victims have reported fraudulent transfers shortly after infection.

While infections have been logged in more than 60 countries, the operators are currently concentrating on Spanish- and French-speaking users. Portugal, Spain and France account for 58% of the botnet, followed by Morocco, Peru and Hong Kong. Cleafy’s telemetry shows two principal affiliates controlling about 60% of all compromised devices.

Behind the scenes, a Chinese-language, multi-tenant command-and-control platform lets affiliates rent access and run parallel campaigns. The infrastructure uses a three-layer protocol (HTTP/S for heartbeat checks, WebSocket on port 8282 for commands, and RTMP on port 1935 for live screen streams), making takedowns harder. Analysts say PlayPraetor’s tactics mirror recent Chinese-linked fraud kits such as ToxicPanda, underscoring a broader shift toward professionally managed, export-grade mobile malware.

Users are advised to download apps only from the official Play Store, scrutinise developer reputations and keep Android accessibility permissions disabled unless strictly required.
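One way to hunt for the three-channel pattern described above in network flow logs, as an added example that is not from Cleafy or the original report. It assumes all three channels reach the same remote host, a 10-minute correlation window, and a simple CSV flow format; the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Ports per channel as reported on this page; 80/443 stand in for "HTTP/S".
CHANNELS = {"heartbeat": {80, 443}, "command": {8282}, "stream": {1935}}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample flow records (documentation IP ranges), not real telemetry.
SAMPLE_FLOWS = """ts,src,dst,dport
2025-08-04T10:00:05,10.0.0.21,203.0.113.50,443
2025-08-04T10:00:09,10.0.0.21,203.0.113.50,8282
2025-08-04T10:03:40,10.0.0.21,203.0.113.50,1935
2025-08-04T10:01:00,10.0.0.22,198.51.100.7,443
2025-08-04T10:02:00,10.0.0.22,198.51.100.7,1935
2025-08-04T09:00:00,10.0.0.23,203.0.113.50,8282
2025-08-04T10:30:00,10.0.0.23,203.0.113.50,443
2025-08-04T11:15:00,10.0.0.23,203.0.113.50,1935
"""

def channel_for(port):
    """Map a destination port to its channel name, or None if unrelated."""
    for name, ports in CHANNELS.items():
        if port in ports:
            return name
    return None

def find_suspect_pairs(flow_csv, window=WINDOW):
    """Return sorted (src, dst) pairs that used all three channels within `window`."""
    seen = defaultdict(list)  # (src, dst) -> [(time, channel)]
    for row in csv.DictReader(io.StringIO(flow_csv)):
        channel = channel_for(int(row["dport"]))
        if channel:
            seen[(row["src"], row["dst"])].append((datetime.fromisoformat(row["ts"]), channel))
    hits = []
    for pair, events in seen.items():
        events.sort()
        # Try each event as a window start; flag if that span covers every channel.
        for i, (start, _) in enumerate(events):
            in_window = {c for t, c in events[i:] if t - start <= window}
            if in_window == set(CHANNELS):
                hits.append(pair)
                break
    return sorted(hits)

if __name__ == "__main__":
    for src, dst in find_suspect_pairs(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: heartbeat + 8282 + 1935 inside {WINDOW}")
```

A match is a triage lead rather than a verdict: RTMP on 1935 is also used by legitimate streaming apps, so the combination with port 8282 to the same host is what narrows it.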
Google says Big Sleep, its vulnerability research tool "powered by Gemini", found 20 flaws in various popular open-source software projects (@lorenzofb / TechCrunch) https://t.co/f5fd1acVWF https://t.co/xROvLBduUf https://t.co/ZOzeer2dpR
Google is testing a bug hunter agent, which reportedly found 20 vulnerabilities during the recent run. "AI-based 'Big Sleep' system powered by Gemini" One more job profile will be gone 🤖 https://t.co/Sorl5V5gjY https://t.co/CqdYrny9uw
Google says its AI-based bug hunter found 20 security vulnerabilities: https://t.co/Xd0jtPmWte by TechCrunch #infosec #cybersecurity #technology #news