The newly uncovered RatOn Android malware isn’t just another Trojan; it’s a multi-layered weapon aimed at banking apps, crypto wallets, and unsuspecting users across Europe. What started as a tool for NFC relay attacks has morphed into a full-blown remote access trojan (RAT) with Automated Transfer System (ATS) features and ransomware tactics baked in.
RatOn Android malware blends NFC relay with ATS fraud
RatOn merges techniques usually seen in separate malware families. It can launch classic overlay attacks, conduct real-time automated transfers, and silently execute NFC relay fraud using a third-stage payload called NFSkate, which is based on the NFCGate research tool.
This attack, known as Ghost Tap, lets RatOn exploit contactless payment systems by relaying authentication signals between two devices. Combined with its ability to hijack crypto wallets and banking apps, this makes RatOn an unusually complete mobile threat.
Targeted apps and geographic focus reveal calculated intent
So far, RatOn has zeroed in on Czech- and Slovak-speaking users. Its current targets include:
- MetaMask
- Trust Wallet
- Blockchain.com
- Phantom
- George Česko (banking app used in the Czech Republic)
The malware abuses Android accessibility permissions to read user input, spoof screens, and capture sensitive login data. It also runs ransomware-style overlays that falsely accuse users of viewing illegal content, demanding $200 in crypto while silently stealing wallet credentials in the background.
RatOn Android malware is built to break through security layers
The infection chain relies on convincing fake Play Store pages offering a "TikTok 18+" app. Once installed, the dropper app requests device-administrator privileges and installs RatOn in phases.
Key functions RatOn performs include:
- Sending fake push notifications (send_push)
- Recording screens (record, display)
- Installing payloads (nfs)
- Sending texts via accessibility abuse (send_sms)
- Performing automatic bank transfers (transfer)
- Locking the device (lock)
- Triggering crypto wallet takeovers using stored PINs
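The traits the article attributes to RatOn's dropper and payload (a sideloaded app impersonating a popular brand, a device-admin grant, an enabled accessibility service, and screen overlays) are exactly the kind of capability combination a fleet administrator can score from an app inventory. The following is an added illustration, not code from the article or from the researchers who analysed RatOn; it assumes an inventory exported from an MDM in the shape shown, and the allowlists, the brand-to-package mapping and the sample devices are constructed for the example.

```python
"""Triage an Android app inventory for the RatOn-style capability stack.

Added example (not the article's or any vendor's code). Input is assumed to be
a per-device list of installed packages with the grants the article mentions;
everything below marked "constructed" or "assumed" is illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlists; a real deployment derives these from its fleet baseline.
TRUSTED_INSTALLERS = {"com.android.vending"}              # Google Play
KNOWN_ACCESSIBILITY_SERVICES = {"com.example.screenreader"}  # hypothetical approved service
# Assumed brand -> genuine package mapping used to spot look-alike app labels.
GENUINE_PACKAGES = {"tiktok": "com.zhiliaoapp.musically"}

FLAG_THRESHOLD = 4


@dataclass(frozen=True)
class InstalledPackage:
    package: str
    label: str
    installer: Optional[str]       # None means the app was sideloaded
    device_admin: bool = False
    accessibility_enabled: bool = False
    draws_overlays: bool = False


def impersonates_brand(pkg: InstalledPackage) -> Optional[str]:
    """Return the brand name if the label borrows it but the package is not the genuine one."""
    for brand, genuine in GENUINE_PACKAGES.items():
        if brand in pkg.label.lower() and pkg.package != genuine:
            return brand
    return None


def score_package(pkg: InstalledPackage) -> Tuple[int, List[str]]:
    """Weight each suspicious trait; the weights are a constructed heuristic."""
    score, reasons = 0, []
    if pkg.installer not in TRUSTED_INSTALLERS:
        score += 1
        reasons.append("sideloaded")
    if pkg.device_admin:
        score += 2
        reasons.append("device admin")
    if pkg.accessibility_enabled and pkg.package not in KNOWN_ACCESSIBILITY_SERVICES:
        score += 2
        reasons.append("unapproved accessibility service")
    if pkg.draws_overlays:
        score += 1
        reasons.append("draw-over-apps")
    brand = impersonates_brand(pkg)
    if brand:
        score += 3
        reasons.append(f"label impersonates {brand}")
    return score, reasons


def triage(inventory: List[InstalledPackage]) -> List[Tuple[str, int, List[str]]]:
    """Flag packages that cross the threshold AND hold one of the two grants RatOn abuses."""
    flagged = []
    for pkg in inventory:
        score, reasons = score_package(pkg)
        if score >= FLAG_THRESHOLD and (pkg.device_admin or pkg.accessibility_enabled):
            flagged.append((pkg.package, score, reasons))
    return flagged


# Constructed sample inventory for one device.
SAMPLE_INVENTORY = [
    InstalledPackage("com.zhiliaoapp.musically", "TikTok", "com.android.vending"),
    InstalledPackage("com.tiktok.plus18", "TikTok 18+", None,
                     device_admin=True, accessibility_enabled=True, draws_overlays=True),
    InstalledPackage("com.example.screenreader", "Screen Reader", "com.android.vending",
                     accessibility_enabled=True),
    InstalledPackage("com.example.mdm", "Corp MDM", "com.android.vending", device_admin=True),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY):
        print(f"{package}: score {score} ({', '.join(reasons)})")
```

Only the sideloaded look-alike is flagged: the genuine TikTok scores zero, the approved screen reader's accessibility grant is allowlisted, and the MDM agent's device-admin grant alone stays under the threshold. The point of the second condition in triage is that a high score without either grant is noise, while a device-admin or accessibility grant on a sideloaded brand impersonator is the precise shape the article describes.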
RatOn Android malware reflects a smarter, scarier generation of mobile threats
RatOn isn’t cobbled together from old malware. Analysts say it shares no code with known banking trojans. It’s new, clean, and built with purpose. And that purpose is to automate financial theft at scale while misleading victims into unlocking their own security layers.
This is malware with a human touch, disguised in urgency and fear, tuned for the apps people trust most. And it’s still evolving.