RatOn Android Malware Identified: NFC Relay and ATS Banking Fraud Features Uncovered
A new Android malware known as RatOn has evolved from a basic tool for conducting Near Field Communication (NFC) relay attacks into a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities, enabling device fraud. RatOn combines traditional overlay attacks with automatic money transfers and NFC relay functionality, making it a uniquely powerful threat, according to a report from a Dutch mobile security company. This banking trojan is equipped with account takeover functions that specifically target cryptocurrency wallet applications such as MetaMask, Trust, Blockchain.com, and Phantom. Additionally, it can execute automated money transfers by exploiting the George Česko banking application used in the Czech Republic. The malware is also capable of performing ransomware-like attacks through custom overlay pages and device locking, with variants of the HOOK Android trojan observed using similar extortion tactics.
The first sample of RatOn was detected in the wild on July 5, 2025, with further artifacts identified as recently as August 29, 2025, indicating ongoing development by its operators. RatOn has been distributed via fake Play Store listings masquerading as an adult-friendly version of TikTok (TikTok 18+), targeting Czech- and Slovak-speaking users. Once the dropper app is installed, it requests permission to install applications from third-party sources, thereby bypassing critical security measures imposed by Google. The second-stage payload then requests device administration and accessibility service privileges, along with permissions to read and write contacts and manage system settings. This allows RatOn to download a third-stage malware, NFSkate, which can perform NFC relay attacks using a technique called Ghost Tap. The malware is noted for its unique construction, sharing no code similarities with other Android banking malware, and it can also display ransom notes that falsely accuse users of serious crimes, coercing them into making immediate cryptocurrency payments.
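For triage of sideloaded apps, the privilege requests described above can be checked against a decoded AndroidManifest.xml. This is an added example, not code from the report or from the malware; the sample manifest, the package name and the escalation rule (accessibility plus device admin in one app) are constructed assumptions, not a RatOn signature.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Privileges named in the article, mapped to standard Android permission names.
USES = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install from third-party sources",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "write contacts",
    "android.permission.WRITE_SETTINGS": "manage system settings",
}
BINDS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device administration",
}

# Constructed sample manifest (hypothetical package), as decoded by a tool such as apktool.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.stage2">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return (package, sorted findings, escalate) for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID + "name")
        if name in USES:
            found.add(USES[name])
    # Accessibility services and device-admin receivers are declared as
    # components guarded by a BIND_* permission, not via <uses-permission>.
    for el in root.iter():
        if el.tag in ("service", "receiver"):
            perm = el.get(ANDROID + "permission")
            if perm in BINDS:
                found.add(BINDS[perm])
    # Assumed heuristic: escalate for review when one app holds both
    # accessibility and device-admin components.
    escalate = set(BINDS.values()) <= found
    return root.get("package"), sorted(found), escalate

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Legitimate apps also use accessibility or device admin on their own, so a hit is a prompt for manual review of the install source and behaviour, not a verdict.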
Categories: Malware Evolution, Cybersecurity Threats, Financial Fraud
Tags: Android, Malware, RatOn, Trojan, NFC, Cryptocurrency, Overlay, Ransomware, Device Fraud, Security