A newly identified Android malware named RatOn has rapidly evolved from a simple tool for Near Field Communication (NFC) relay attacks into a sophisticated remote access trojan (RAT) with Automated Transfer System (ATS) capabilities, enabling large-scale banking fraud.
According to a report released by a Dutch mobile security firm, RatOn combines classic overlay attacks, automatic money transfers, and NFC relay functionality, making it an exceptionally versatile threat in the mobile banking malware landscape.
Targeting Banking and Crypto Apps
RatOn includes account takeover features aimed at popular cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. Beyond crypto, it has demonstrated the ability to perform automated money transfers by exploiting George Česko, a Czech banking application.
The malware can also mimic ransomware tactics, deploying custom overlay pages to lock devices and pressure victims with extortion messages. Researchers note that similar techniques have been observed in other malware families like the HOOK Android trojan.
Active Development and Distribution
The first sample of RatOn was spotted on July 5, 2025, with new variants identified as recently as August 29, 2025, indicating active development and continuous refinement by its operators.
RatOn is distributed through malicious dropper apps disguised as “TikTok 18+” on fake Google Play Store pages. The campaign currently targets Czech- and Slovak-speaking users. Once installed, these apps bypass Android’s native security protections by requesting:
- Permissions to install third-party applications
- Device administrator rights
- Accessibility service privileges
- Access to contacts and system settings
A second-stage payload then downloads the NFSkate malware, which can perform NFC relay attacks using the Ghost Tap technique, first documented in late 2024.
Advanced Fraud Techniques
What makes RatOn particularly dangerous is its deep integration with targeted applications. ThreatFabric researchers highlight that the malware has been developed from scratch, with no code overlap with previous Android banking malware.
Its capabilities include:
- Overlay screens posing as ransom notes accusing victims of illicit activity and demanding a $200 crypto payment within two hours.
- Forcing victims to unlock cryptocurrency wallet apps, where RatOn can:
  - Use stolen PINs to access wallets
  - Extract secret seed phrases
  - Take over security settings
- Keylogging sensitive data, which is then exfiltrated to attacker-controlled servers.
This allows the operators to steal cryptocurrency assets directly by leveraging stolen recovery phrases and account credentials.
Command and Control Features
RatOn supports a wide range of commands, demonstrating its versatility as a full-scale RAT. These include:
- send_push – send fake push notifications
- screen_lock – modify lock screen timeouts
- app_inject – target specific financial apps
- transfer – perform ATS transactions
- nfs – download and execute the NFSkate malware
- record – start a screen casting session
- send_sms – send SMS messages via accessibility services
Other commands allow attackers to interact with apps like WhatsApp and Facebook, modify contacts, or remotely lock devices.
Geographic Focus
So far, RatOn’s campaigns appear to be concentrated in the Czech Republic, with Slovakia likely to be targeted next. Researchers suggest that the attackers may be working with local money mules, as the ATS fraud requires domestic banking account numbers to complete transactions.
Conclusion
The discovery of RatOn underscores the increasing sophistication of Android banking malware and highlights the risks posed by NFC relay attacks combined with automated fraud mechanisms.
Organizations, financial institutions, and end-users must remain vigilant, ensuring that:
- Only trusted sources (like the official Google Play Store) are used for app installations.
- Device permissions are carefully reviewed.
- Advanced mobile security monitoring solutions are deployed.
RatOn exemplifies how modern threat actors continue to innovate, blending traditional malware techniques with banking-specific fraud automation to maximize financial gain.
Source: https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html