RatOn Android Malware

A new Android malware called RatOn has quickly evolved from a simple Near Field Communication (NFC) relay tool into a sophisticated remote access trojan (RAT). With its Automated Transfer System (ATS) functionality, overlay attack modules, and ransomware-like features, RatOn is emerging as one of the most versatile threats targeting mobile devices.

A Unique Combination of Attack Vectors

RatOn stands out because it merges multiple malicious techniques into one framework:

  • Overlay attacks to steal credentials.
  • Automated money transfers (ATS) to drain banking accounts.
  • NFC relay capabilities via the Ghost Tap technique.

This combination makes RatOn highly dangerous compared to typical Android banking trojans.

Targets: Banking and Crypto Apps

The malware is built with account takeover functions that specifically target cryptocurrency wallet apps such as MetaMask, Trust, Blockchain.com, and Phantom. It also targets George Česko, a banking app popular in the Czech Republic, driving the app through accessibility services to automate fraudulent transfers.

Beyond financial theft, RatOn can lock devices and deploy fake ransom screens. These overlays mimic extortion messages, accusing victims of viewing or distributing illegal content, and demand a $200 cryptocurrency payment within two hours. The pressure serves a second purpose: a victim who types their unlock PIN into a screen the malware controls hands it to the built-in keylogger, and the same PIN can then be used to open wallet apps directly.

Active Development and Spreading Tactics

The first RatOn sample appeared on July 5, 2025, with additional versions observed as late as August 29, 2025, indicating ongoing development. Distribution relies on fake Google Play Store pages that impersonate an adult version of TikTok (TikTok 18+). The downloaded dropper asks for permission to install apps from unknown sources and uses it to install the real payload, sidestepping the restrictions Android places on accessibility access for sideloaded apps.

After installation, RatOn asks the victim to grant device administration rights, accessibility services, and access to contacts and system settings. It then fetches additional components, including the previously documented NFSkate malware, which handles the NFC relay attacks.
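The installation chain above leaves a recognisable footprint on the device: an accessibility service enabled for a package that was not installed by a store and that also asks to install other apps, draw overlays, write contacts and use NFC. The following Python script, added here as an illustration and not code from the original write-up or from RatOn itself, triages two adb outputs for that combination. The package names, service names and `dumpsys package` excerpts are constructed samples; the `KNOWN_A11Y_PACKAGES` allowlist is an assumed baseline an analyst would maintain.

```python
"""Offline triage of an Android permission dump for a RatOn-style install chain.

Inputs are strings captured with adb (the samples below are constructed):
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>
Device admin enrolment lives in `dumpsys device_policy` and is not parsed here.
"""
import re

# Constructed: one legitimate screen reader and one sideloaded "TikTok 18+" app.
ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.tiktok.plus18/com.tiktok.plus18.AccService"
)

# Constructed excerpts in the shape of `dumpsys package <pkg>` output.
DUMPSYS = {
    "com.android.talkback": """
  Package [com.android.talkback] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
""",
    "com.tiktok.plus18": """
  Package [com.tiktok.plus18] (4d5e6f):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_CONTACTS
      android.permission.WRITE_CONTACTS
      android.permission.NFC
""",
}

# Permissions that, next to an enabled accessibility service, match the
# capabilities described for RatOn: sideloading a second stage, overlay and
# ransom screens, creating contacts, and NFC relay.
SUSPECT_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install a second-stage payload",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays / ransom screens",
    "android.permission.WRITE_CONTACTS": "can add contacts (add_contact)",
    "android.permission.NFC": "has NFC access (relay)",
}

# Assumed baseline of accessibility packages the analyst already trusts.
KNOWN_A11Y_PACKAGES = {"com.android.talkback"}


def parse_a11y(setting):
    """Split the colon-separated `pkg/service` list into package names."""
    if not setting or setting.strip() == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.split(":") if entry]


def parse_requested_permissions(dump):
    """Return the entries under 'requested permissions:' as a set."""
    m = re.search(r"requested permissions:\n((?:[ \t]+\S+\n)+)", dump)
    return set(m.group(1).split()) if m else set()


def installer(dump):
    """Return installerPackageName, or None when the field is absent."""
    m = re.search(r"installerPackageName=(\S+)", dump)
    return m.group(1) if m else None


def triage(a11y_setting, dumps):
    """Flag accessibility-enabled packages that are outside the baseline.

    Returns {package: [reasons]}; an empty dict means nothing to look at.
    """
    findings = {}
    for pkg in parse_a11y(a11y_setting):
        if pkg in KNOWN_A11Y_PACKAGES:
            continue
        dump = dumps.get(pkg, "")
        reasons = ["accessibility service enabled for a package outside the baseline"]
        if installer(dump) in (None, "null"):
            reasons.append("no installer recorded: sideloaded, not from a store")
        perms = parse_requested_permissions(dump)
        reasons += [why for perm, why in SUSPECT_PERMS.items() if perm in perms]
        findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(ENABLED_A11Y, DUMPSYS).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real device, replace the two constants with the output of the adb commands named in the docstring; a hit is a starting point for pulling the APK with `adb pull` for analysis, not a verdict on its own, since legitimate automation and accessibility tools request several of the same permissions.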

Advanced Account Takeover Capabilities

RatOn demonstrates a deep understanding of its targets. Once active, it can:

  • Launch cryptocurrency apps and unlock them using stolen PINs.
  • Interact with in-app security settings.
  • Extract secret recovery phrases.

This data is logged through a built-in keylogger and sent to attacker-controlled servers, allowing full control over compromised crypto wallets. Notably, RatOn’s codebase shows no overlap with other Android banking malware families, suggesting it was developed from scratch.

Supported Commands and Operations

RatOn supports a wide array of commands that allow attackers to manipulate infected devices extensively. Some of the most notable include:

  • send_push – deliver fake push notifications
  • app_inject – modify the list of targeted apps
  • transfer – execute ATS fraud via George Česko
  • nfs – download and run NFSkate malware
  • screen_lock – alter device lock timeout
  • lock – lock the device remotely
  • record/display – control screen casting sessions
  • send_sms – send SMS messages through accessibility services
  • add_contact – create new contacts
  • update_device – exfiltrate device fingerprints and installed app lists

Regional Focus and Threat Actor Strategy

Researchers note that RatOn activity is currently concentrated in the Czech Republic, with Slovakia likely to be the next target. Why the operators focus on a single regional banking application remains unclear, but automated transfers that require local account numbers suggest cooperation with money mule networks in the country.
