
RatOn Malware Hits Android Banking

September 11, 2025

RatOn is a newly emerged, multi-faceted Android malware that has evolved considerably from its initial form as a basic NFC relay tool. This remote access trojan is built for device fraud and now includes Automated Transfer System (ATS) capabilities. According to a report from a Dutch mobile security company, RatOn stands out because it combines traditional overlay attacks with NFC relay functionality and automatic money transfers, making it a particularly potent danger to mobile users. The trojan can take over accounts, specifically targeting popular cryptocurrency wallets such as MetaMask, Trust, Blockchain.com, and Phantom. It can also execute automated money transfers from the George Česko bank app, which is widely used in the Czech Republic. Additionally, RatOn can mimic ransomware by using custom overlay pages to lock devices and demand payment.

The malware was first detected in July 2025, and development has continued, with new variants appearing as recently as August 2025. Its operators distribute the trojan through deceptive tactics, primarily fake Play Store listings for malicious dropper apps. A notable example is a listing that masquerades as an adult version of TikTok, known as “TikTok 18+.” It is unclear how users are being directed to these fraudulent sites, but the activity has been observed to target Czech- and Slovak-speaking users. Once a user installs the dropper app, it immediately requests permission to install applications from third-party sources. This step is crucial for the malware, because it lets the payload bypass the security measures Android applies to sideloaded apps to prevent abuse of its accessibility services.

After the initial installation, the dropper app proceeds to download and execute the second-stage payload. This payload requests a number of highly sensitive permissions from the user, including device administration, accessibility services, contact access, and the ability to manage system settings. These permissions are essential for the malware to carry out its malicious functions. The payload uses these permissions to grant itself additional privileges and to download a third-stage malware. This final payload is identified as NFSkate (also known as NGate), which is a variant of a legitimate research tool called NFCGate. NFSkate is specifically designed to perform NFC relay attacks using a technique known as Ghost Tap. This malware family was first documented by security researchers in August 2024.
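The two permission sets described above (a dropper asking to install packages from outside the store, then a second stage combining device administration, accessibility, contacts and system-settings access) are a pattern a defender can triage for statically. The following Python script is an added example, not code from the alert, from ThreatFabric, or from the malware itself: it parses an Android manifest and reports whether the dropper permission or the full second-stage combination is present. The manifests, package names and class names in it are constructed for illustration.

```python
"""Triage an Android manifest for the permission pattern described in the
RatOn alert. Added example; the sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Stage 1 (dropper): the right to install packages from third-party sources.
DROPPER_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES"}

# Stage 2 (payload): contacts and system-settings access are declared as
# <uses-permission> entries ...
STAGE2_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_SETTINGS",
}
# ... while accessibility and device-admin capability show up as the
# permission guarding a declared <service> or <receiver>.
STAGE2_SERVICE_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}


def extract_capabilities(manifest_xml: str) -> set:
    """Collect requested permissions and the permissions guarding components."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for node in root.iter("uses-permission"):
        name = node.get(NAME)
        if name:
            caps.add(name)
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            perm = node.get(PERMISSION)
            if perm:
                caps.add(perm)
    return caps


def triage(manifest_xml: str) -> dict:
    """Return a verdict of 'high', 'medium' or 'low' plus the evidence used."""
    caps = extract_capabilities(manifest_xml)
    dropper = bool(caps & DROPPER_PERMS)
    stage2_hits = caps & (STAGE2_PERMS | STAGE2_SERVICE_PERMS)
    # Only the full combination earns the top verdict: every one of these
    # permissions has legitimate uses on its own (contact managers, MDM agents).
    full_combo = STAGE2_PERMS <= caps and STAGE2_SERVICE_PERMS <= caps
    if full_combo:
        verdict = "high"
    elif dropper or len(stage2_hits) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "dropper": dropper,
            "stage2_hits": sorted(stage2_hits)}


# Constructed sample manifests (not real package names).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

STAGE2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.payload">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".ConstructedA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".ConstructedAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.contacts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("dropper", DROPPER_MANIFEST),
                       ("stage2", STAGE2_MANIFEST),
                       ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml))
```

The manifest would normally be pulled from an APK with a decoder such as apktool; the script deliberately scores the combination rather than any single permission, since accessibility or device-admin access alone is common in legitimate apps.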

The developers of RatOn appear to have a deep understanding of the internal workings of their targeted applications. This is evidenced by the malware’s sophisticated account takeover and automated transfer features. The threat is unique in that it was reportedly built from scratch and shares no code similarities with other Android banking malware, according to ThreatFabric. A particularly insidious feature of RatOn is its use of ransomware-like overlay screens. These screens display a fake ransom note, falsely claiming the user’s phone has been locked for viewing child pornography and demanding a cryptocurrency payment to unlock it.

These ransom notes are suspected to be designed to create a sense of urgency, pressuring the victim into opening one of the targeted cryptocurrency apps to make the payment. During this process, the malware captures the user’s device PIN code. The stolen PIN is then used to hijack the victim’s cryptocurrency accounts without their knowledge: RatOn can automatically launch the targeted wallet app, unlock it with the stolen PIN, and navigate to the security settings to reveal the user’s secret phrases. A keylogger records this sensitive data and sends it to the threat actors’ server. With these secret phrases, the attackers can gain unauthorized access to the victim’s accounts and steal their cryptocurrency.

Reference:

  • RatOn Android Malware Uses NFC Relay and ATS Techniques for Banking Fraud