A fast-spreading Android malware campaign has reached alarming levels in Africa, with Morocco emerging as a key hotspot.
Cybersecurity firm Cleafy reported last month that the PlayPraetor Remote Access Trojan (RAT) infected more than 11,000 devices globally in just three months, giving attackers full real-time control of victims’ smartphones to steal banking and cryptocurrency account credentials.
A Sophisticated Malware-as-a-Service Operation
The operation, first detailed by CTM360 and further investigated by Cleafy, is being run as a Malware-as-a-Service from a sophisticated Chinese-language command-and-control panel with multi-tenant architecture.
This setup enables multiple affiliates to operate simultaneously, with two major players controlling about 60% of the botnet and focusing on Portuguese-speaking users, while smaller operators target Chinese, Spanish, and French speakers.
How Victims Are Targeted
Victims are lured into downloading the malware through fake Google Play Store pages that convincingly mimic legitimate applications.
After installation, PlayPraetor exploits Android’s Accessibility Services to place fake login screens over legitimate apps, targeting nearly 200 banking and cryptocurrency wallet applications worldwide.
Europe remains the largest target region, accounting for 58% of infections, but the campaign’s reach extends to Latin America, Asia, and an increasingly targeted Africa. Morocco has seen a surge in infections, placing it among the top global targets.
The botnet is growing by more than 2,000 new devices each week, with attackers shifting their focus toward Spanish- and French-speaking users—an adjustment that places Morocco and other Francophone African nations at greater risk.
Cleafy’s analysis also shows continuous upgrades to the malware, including new commands designed to improve its fraud capabilities and evade detection.
Rising Threat to African Financial Security
Security experts warn that the scale and speed of PlayPraetor’s growth pose a serious risk to African banks and their customers.
Users are advised to avoid downloading apps from unofficial sources, limit unnecessary Accessibility permissions, install reputable mobile security tools, and closely monitor their accounts for suspicious activity.
Africa, with Morocco at the forefront, is now firmly in the crosshairs of one of the most dangerous and rapidly growing mobile fraud botnets seen this year.
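The advice above (avoid unofficial app sources, limit Accessibility permissions) can be checked on a device by cross-referencing the enabled accessibility services with each app's recorded installer. The following is an added example, not code from Cleafy, CTM360 or the original article; it assumes the two inputs are the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names and sample data are constructed.

```python
PLAY_STORE = "com.android.vending"  # Google Play's installer package name

# Constructed sample data, not captured from a real device.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakeupdate/.OverlayService")
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""

def parse_enabled_services(setting_value):
    """Split the colon-separated `package/class` list; 'null' or '' means none."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        pkg, sep, cls = entry.strip().partition("/")
        if sep and pkg:
            services.append((pkg, cls))
    return services

def parse_installers(pm_output):
    """Map package -> installer from `package:<name>  installer=<name>` lines."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        installers[fields[0][len("package:"):]] = installer
    return installers

def audit(setting_value, pm_output, system_packages=frozenset()):
    """Return enabled accessibility services whose app did not come from Play."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        source = installers.get(pkg)
        if pkg not in system_packages and source != PLAY_STORE:
            findings.append({"package": pkg, "service": cls,
                             "installer": source or "unknown"})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, SAMPLE_PM):
        print(finding)
```

A finding is a prompt for review rather than proof of infection, since vendor app stores and preinstalled apps also show a non-Play installer; pass the names from `pm list packages -s` as `system_packages` to exclude the latter.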

