A new Android malware called RatOn has evolved from a basic tool capable of conducting Near Field Communication (NFC) relay attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.
“RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat,” the Dutch mobile security company said in a report published today.
The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic.
Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It’s worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to display extortion messages.
The first sample distributing RatOn was detected in the wild on July 5, 2025, with more artifacts discovered as recently as August 29, 2025, indicating active development work on the part of the operators.
RatOn has leveraged fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps that deliver the trojan. It’s currently not clear how users are lured to these sites, but the activity has singled out Czech and Slovakian-speaking users.
Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android’s accessibility services.
The second-stage payload then proceeds to request device administration and accessibility services, as well as permissions to read/write contacts and manage system settings to realize its malicious functionality.
This includes granting itself additional permissions as required and downloading a third-stage malware, which is nothing but the NFSkate malware that can perform NFC relay attacks using a technique called Ghost Tap. The malware family was first documented in November 2024.
“The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said, describing the malware as built from scratch and sharing no code similarities with other Android banking malware.
That’s not all. RatOn can also serve overlay screens that resemble a ransom note, claiming that users’ phones have been locked for viewing and distributing child pornography and that they need to pay $200 in cryptocurrency to regain access in two hours.
It’s suspected that the ransom notes are designed to induce a false sense of urgency and coerce the victim into opening the cryptocurrency apps, making the transaction immediately, and enabling the attackers to capture the device PIN code in the process.
“Upon corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using stolen PIN code, click on interface elements which are related to security settings of the app, and on the final step, reveal secret phrases,” ThreatFabric said, detailing its account takeover features.
The sensitive data is subsequently recorded by a keylogger component and exfiltrated to an external server under the control of the threat actors, who can then use the seed phrases to obtain unauthorized access to the victims’ accounts and steal cryptocurrency assets.
Some notable commands that are processed by RatOn are listed below –
- send_push, to send fake push notifications
- screen_lock, to change the device lock screen timeout to a specified value
- WhatsApp, to launch WhatsApp
- app_inject, to change the list of targeted financial applications
- update_device, to send a list of installed apps with device fingerprint
- send_sms, to send a SMS message using accessibility services
- Facebook, to launch Facebook
- nfs, to download and run the NFSkate APK malware
- transfer, perform ATS using George Česko
- lock, to lock the device using device administration access
- add_contact, to create a new contact using a specified name and phone number
- record, to launch a screen casting session
- display, to turn on/off screen casting
“The threat actor group initially targeted the Czech Republic, with Slovakia likely being the next country of focus,” ThreatFabric said. “The reason behind concentrating on a single banking application remains unclear. However, the fact that automated transfers require local banking account numbers suggests that the threat actors may be collaborating with local money mules.”
