RatOn: The New Android Malware That Steals With NFC and Banking Fraud.

RatOn, a new type of Android malware, has evolved from a simple tool for Near Field Communication (NFC) relay attacks into a sophisticated remote access trojan. This trojan has the capability to conduct device fraud through what's known as an Automated Transfer System (ATS). 

According to a report from the Dutch mobile security company ThreatFabric, RatOn is a particularly dangerous threat because it combines traditional overlay attacks with automatic money transfers and NFC relay functions. 

How RatOn Works and What It Targets 

This banking trojan can take over accounts for several cryptocurrency wallet apps, including MetaMask, Trust, Blockchain.com, and Phantom. It can also automatically transfer money from George Česko, a popular banking app in the Czech Republic. In some cases, RatOn can even act like ransomware, using custom overlay pages and locking devices. This behavior has also been seen in a variant of the HOOK Android trojan.

ThreatFabric first detected a sample of RatOn on July 5, 2025, and has continued to find more recent versions, indicating that its developers are still actively improving it. 

The malware is spread through fake Google Play Store pages, which host malicious dropper apps disguised as an adult-oriented version of TikTok called "TikTok 18+." It is unclear how users are directed to these sites, but this activity has primarily targeted Czech- and Slovak-speaking users.

Infiltration and Escalation 

Once a user installs the dropper app, it asks for permission to install apps from third-party sources. Installing from outside Google Play lets the malware sidestep the restrictions Google places on which apps may use Android's accessibility services. The second stage of the malware then requests extensive permissions, including the ability to administer the device, read contacts, and manage system settings.

RatOn then grants itself more permissions as needed and downloads a third stage of malware: the NFSkate malware. This tool uses a technique called Ghost Tap to perform NFC relay attacks. NFSkate was first documented in November 2024. 
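The escalation just described (a sideload-capable installer, then accessibility, device-admin, contacts and settings access) is a pattern an analyst can triage from an app's manifest before anything runs. The script below is an added example, not ThreatFabric's code and not anything taken from the malware: it parses a constructed AndroidManifest.xml and scores the combination of declared permissions and bound system services. The permission identifiers are real Android ones; the package name, the sample manifests, the weights and the verdict thresholds are assumptions made for this example.

```python
"""Triage an Android manifest for the permission-escalation pattern described
in the article (sideload installer + accessibility + device admin + contacts +
settings). Added example; sample manifests and weights are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission identifiers; the labels and weights are assumptions.
RISKY = {
    "android.permission.REQUEST_INSTALL_PACKAGES": ("can sideload further APKs", 3),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("binds an accessibility service", 3),
    "android.permission.BIND_DEVICE_ADMIN": ("binds a device-admin receiver (can lock device)", 3),
    "android.permission.READ_CONTACTS": ("reads contacts", 1),
    "android.permission.WRITE_SETTINGS": ("modifies system settings", 1),
    "android.permission.SEND_SMS": ("sends SMS", 2),
    "android.permission.NFC": ("uses NFC hardware", 2),
}

# Constructed manifest modelled on the dropper/second-stage behaviour in the text.
# The package name is a placeholder, not the real app's.
SAMPLE_DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="TikTok 18+">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def extract_permissions(manifest_xml):
    """Collect <uses-permission> names plus the system-bound permissions
    declared on <service>/<receiver> elements (accessibility, device admin)."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            found.add(name)
    for tag in ("service", "receiver"):
        for elem in root.iter(tag):
            perm = elem.get(ANDROID_NS + "permission")
            if perm:
                found.add(perm)
    return found


def triage(manifest_xml):
    """Return a score, a verdict and the matched findings for one manifest."""
    perms = extract_permissions(manifest_xml)
    hits = {p: RISKY[p] for p in sorted(perms) if p in RISKY}
    score = sum(weight for _, weight in hits.values())
    # Thresholds are an assumption: two high-weight capabilities together is "high".
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "findings": list(hits)}


if __name__ == "__main__":
    for label, manifest in (("dropper", SAMPLE_DROPPER_MANIFEST),
                            ("benign", SAMPLE_BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for p in result["findings"]:
            print(f"  {p}: {RISKY[p][0]}")
```

Run against a real APK by feeding it the decoded manifest (for example, the output of `aapt dump xmltree` converted back to XML, or the manifest from an apktool decode); the point is that a single sideloaded app declaring an accessibility service, a device-admin receiver and an installer permission together is worth a look regardless of what it calls itself.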

According to ThreatFabric, the creators of RatOn have a deep understanding of their target applications, as evidenced by the malware's account takeover and automated transfer features. The company also noted that RatOn was built from scratch and does not share code with other Android banking malware. 

Ransomware-like Features 

RatOn can also display fake ransom notes that claim a user's phone has been locked for viewing or distributing child pornography. The notes demand a $200 cryptocurrency payment within two hours to regain access. These notes are designed to create a sense of urgency, forcing the victim to open their cryptocurrency app and make a quick payment. This allows the attackers to capture the device PIN and steal the funds. 

ThreatFabric detailed how the malware can use a stolen PIN to unlock a targeted cryptocurrency wallet app. The malware then navigates the app's security settings and reveals the user's secret phrases. This sensitive information is recorded by a keylogger and sent to a server controlled by the attackers, who then use the phrases to access and steal the victim's cryptocurrency. 

Some of the commands RatOn can process include: 

  • send_push: Sends fake push notifications. 
  • screen_lock: Changes the device screen lock timeout. 
  • WhatsApp: Launches the WhatsApp application. 
  • app_inject: Changes the list of targeted financial applications. 
  • update_device: Sends a list of installed apps and device information. 
  • send_sms: Sends a text message using accessibility services. 
  • Facebook: Launches the Facebook application. 
  • nfs: Downloads and runs the NFSkate malware. 
  • transfer: Performs an automated transfer using the George Česko app. 
  • lock: Locks the device using administrative access. 
  • add_contact: Creates a new contact with a specified name and phone number. 
  • record: Launches a screen casting session. 
  • display: Turns screen casting on or off. 

ThreatFabric believes the hackers initially focused on the Czech Republic and are likely to target Slovakia next. The reason for their focus on a single banking app is unclear, but the need for local bank account numbers for automated transfers suggests they may be working with local money mules. 
