A new Android malware called RatOn has evolved from a basic tool capable of conducting Near Field Communication (NFC) relay attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.
“RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat,” the Dutch mobile security company said in a report published today.
The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George ÄŒesko, a bank application used in the Czech Republic.
Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It’s worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to display extortion messages.
The first sample distributing RatOn was detected in the wild on July 5, 2025, with more artifacts discovered as recently as August 29, 2025, indicating active development work on the part of the operators.
RatOn has leveraged fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps that deliver the trojan. It’s currently not clear how users are lured to these sites, but the activity has singled out Czech and Slovakian-speaking users.
Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android’s accessibility services.
The second-stage payload then proceeds to request device administration and accessibility services, as well as permissions to read/write contacts and manage system settings to realize its malicious functionality.
This includes granting itself additional permissions as required and downloading a third-stage malware, which is nothing but the NFSkate malware that can perform NFC relay attacks using a technique called Ghost Tap. The malware family was first documented in November 2024.
“The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said, describing the malware as built from scratch and sharing no code similarities with other Android banking malware.
That’s not all. RatOn can also serve overlay screens that resemble a ransom note, claiming that users’ phones have been locked for viewing and distributing child pornography and that they need to pay $200 in cryptocurrency to regain access in two hours.
It’s suspected that the ransom notes are designed to induce a false sense of urgency and coerce the victim into opening the cryptocurrency apps,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
