The Android malware, RatOn, is a multi-faceted threat that has recently emerged, showing significant evolution from its initial form as a basic NFC relay tool. This sophisticated remote access trojan is designed for device fraud and now features Automated Transfer System (ATS) capabilities. According to a report from a Dutch mobile security company, RatOn stands out because it masterfully combines traditional overlay attacks with NFC relay functionality and automatic money transfers, making it a particularly potent danger to mobile users. The trojan is capable of taking over accounts, specifically targeting popular cryptocurrency wallets like MetaMask, Trust, Blockchain.com, and Phantom. It can also execute automated money transfers from the George Česko bank app, which is widely used in the Czech Republic. Additionally, RatOn can mimic ransomware by using custom overlay pages to lock devices and demand payment.
The malware was first detected in July 2025, and continued development has been noted, with new variants appearing as recently as August 2025. Its operators use deceptive tactics to distribute the trojan, primarily by creating fake Play Store listings for malicious dropper apps. A notable example is a listing that masquerades as an adult version of TikTok, known as “TikTok 18+.” It is unclear how users are being directed to these fraudulent sites, but the activity has been observed to target Czech- and Slovak-speaking users. Once a user installs the dropper app, it immediately requests permission to install applications from third-party sources. This is a crucial step for the malware, as it allows it to bypass critical security measures designed to prevent the abuse of Android’s accessibility services.
After the initial installation, the dropper app proceeds to download and execute the second-stage payload. This payload requests a number of highly sensitive permissions from the user, including device administration, accessibility services, contact access, and the ability to manage system settings. These permissions are essential for the malware to carry out its malicious functions. The payload uses these permissions to grant itself additional privileges and to download a third-stage malware. This final payload is identified as NFSkate (also known as NGate), which is a variant of a legitimate research tool called NFCGate. NFSkate is specifically designed to perform NFC relay attacks using a technique known as Ghost Tap. This malware family was first documented by security researchers in August 2024.
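As an added, defender-side example (not code from the article, from ThreatFabric, or from any RatOn sample), the following Python script parses an AndroidManifest.xml and flags the permission combination the dropper and second-stage payload are described as requesting: third-party install, accessibility binding, device administration, contact access and system-settings control. The manifest is constructed for illustration and the three-hit threshold is an assumption.

```python
"""Triage heuristic for the RatOn-style permission set (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to the dropper / second stage,
# mapped to the manifest declaration that grants each one.
RISKY = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install from third-party sources (dropper)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (overlay / ATS automation)",
    "android.permission.BIND_DEVICE_ADMIN": "device administration",
    "android.permission.READ_CONTACTS": "contact access",
    "android.permission.WRITE_SETTINGS": "manage system settings",
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the android:permission attribute
    on services and receivers, which is where accessibility and device-admin
    bindings are declared rather than in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter("uses-permission"):
        found.add(el.get(ANDROID_NS + "name", ""))
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perm = el.get(ANDROID_NS + "permission")
            if perm:
                found.add(perm)
    return found


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Return the risky declarations found and a verdict; the threshold
    (number of hits before the app is called suspicious) is an assumption."""
    hits = sorted(p for p in declared_permissions(manifest_xml) if p in RISKY)
    return {"hits": hits, "reasons": [RISKY[p] for p in hits],
            "suspicious": len(hits) >= threshold}


# Constructed sample manifest, not a real RatOn artefact.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```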
The developers of RatOn appear to have a deep understanding of the internal workings of their targeted applications. This is evidenced by the malware’s sophisticated account takeover and automated transfer features. The threat is unique in that it was reportedly built from scratch and shares no code similarities with other Android banking malware, according to ThreatFabric. A particularly insidious feature of RatOn is its use of ransomware-like overlay screens. These screens display a fake ransom note, falsely claiming the user’s phone has been locked for viewing child pornography and demanding a cryptocurrency payment to unlock it.
It is suspected that these ransom notes are designed to create a sense of urgency, forcing the victim to open one of their targeted cryptocurrency apps to make the payment. During this process, the malware captures the user’s device PIN code. This stolen PIN is then used to hijack the victim’s cryptocurrency accounts without their knowledge. RatOn can automatically launch the targeted crypto wallet app, use the stolen PIN to unlock it, and then navigate to the security settings to reveal the user’s secret phrases. This sensitive data is then recorded by a keylogger and sent to the threat actors’ server. Using these secret phrases, the attackers can gain unauthorized access to the victim’s accounts and steal their cryptocurrency.