Play Masquerading Party (PMP) Report

Overview
CTM360 has now identified a much larger footprint for the ongoing PlayPraetor campaign. What started with 6,000+ URLs linked to a specific banking attack has now grown to 16,000+ impersonation sites across multiple malware variants. This research is ongoing, with further discoveries expected in the coming days.
As before, the newly discovered Play Store impersonations mimic legitimate app listings, tricking users into installing malicious Android applications or exposing sensitive personal information. While the activity initially appeared isolated, further analysis confirms this is a globally coordinated campaign, posing a serious threat to the integrity of the Play Store ecosystem.
The latest findings include five new variants—Phish, RAT, PWA, Phantom, and Veil—each exhibiting distinct behaviors, from phishing and credential theft to remote access and stealth-based persistence. CTM360’s in-depth analysis maps out their attack lifecycle, regional targeting, and evolving tactics.
Read the full report to explore variant behaviors, detection insights, and actionable recommendations.