RatOn Android malware evolves into ATS-enabled remote access trojan, ThreatFabric says

A Dutch mobile security firm said in a report published today that RatOn has evolved from a basic NFC relay tool into a sophisticated remote access trojan (RAT) with Automated Transfer System (ATS) capabilities.

According to ThreatFabric, RatOn now merges traditional overlay attacks with automatic money transfers and NFC relay functionality, creating a uniquely powerful threat profile for Android users.

The banking trojan targets cryptocurrency wallets such as MetaMask, Trust, Blockchain.com and Phantom, and can carry out automated transfers via ATS by abusing a Czech banking app known as George Česko.

In addition to financial theft, RatOn can stage ransomware-like attacks using custom overlay screens and device-locking techniques. A variant of the HOOK Android trojan was also observed to incorporate ransomware-style overlays as part of its operations.

ThreatFabric notes that the first RatOn sample was detected in the wild on July 5, 2025, with new artifacts found as recently as August 29, 2025, indicating ongoing development by the operators.

RatOn has also used fake Play Store listings that masquerade as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps. While how users are lured to these sites remains unclear, researchers said the activity has primarily affected Czech- and Slovak-speaking users.

Once installed, the dropper requests permission to install apps from unknown sources in order to bypass Google’s security controls around Android’s accessibility services. The second stage then requests device administration and accessibility permissions, along with read/write access to contacts and the ability to modify system settings, so that it can carry out its malicious functions. The actor then downloads a third-stage payload, NFSkate, which supports NFC relay attacks using a technique known as Ghost Tap.
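The staged permission grab described above (install from unknown sources, then device administration, accessibility, contacts and system settings) is a useful triage signal on its own. The following added example, which is not ThreatFabric's tooling or code from the report, parses a constructed AndroidManifest.xml and scores how many of those capabilities an app declares, so an analyst can flag candidates for closer review. The package name com.example.dropper2, the weights and the threshold are assumptions chosen for illustration; the permission and binder-permission names are real Android identifiers.

```python
"""Manifest triage heuristic for the RatOn-style staged permission grab.

Added example; not ThreatFabric's tooling. The manifests below are constructed
for illustration and do not come from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission names (these are platform identifiers, not page-specific values).
INSTALL_UNKNOWN = "android.permission.REQUEST_INSTALL_PACKAGES"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"           # on a <receiver>
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # on a <service>
CONTACTS_RW = {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"}
WRITE_SETTINGS = "android.permission.WRITE_SETTINGS"

# Constructed manifest for a hypothetical second-stage app (com.example.dropper2 is invented).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper2">
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <application>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# Constructed benign contrast: a messaging app that only reads contacts.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""

# Assumed weights: the two accessibility-abuse enablers dominate the score.
WEIGHTS = {
    "device_admin": 3,
    "accessibility_service": 3,
    "install_unknown_sources": 2,
    "contacts_rw": 1,
    "write_settings": 1,
}


def extract_capabilities(manifest_xml: str) -> dict:
    """Return which of the watched capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    uses = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    receiver_perms = {el.get(PERMISSION_ATTR) for el in root.iter("receiver")}
    service_perms = {el.get(PERMISSION_ATTR) for el in root.iter("service")}
    return {
        "package": root.get("package"),
        "install_unknown_sources": INSTALL_UNKNOWN in uses,
        "device_admin": DEVICE_ADMIN in receiver_perms,
        "accessibility_service": ACCESSIBILITY in service_perms,
        "contacts_rw": CONTACTS_RW <= uses,  # both read and write present
        "write_settings": WRITE_SETTINGS in uses,
    }


def risk_score(caps: dict) -> int:
    """Weighted sum of the declared capabilities."""
    return sum(weight for key, weight in WEIGHTS.items() if caps.get(key))


def triage(manifest_xml: str, threshold: int = 6) -> tuple:
    """Return (package, score, flagged); the default threshold flags any app that
    requests both device administration and an accessibility service."""
    caps = extract_capabilities(manifest_xml)
    score = risk_score(caps)
    return caps["package"], score, score >= threshold


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        package, score, flagged = triage(manifest)
        print(f"{package}: score={score} flagged={flagged}")
```

The score is a coarse triage aid, not a verdict: legitimate device-management or assistive apps can request device administration or accessibility individually, so the threshold is set to fire only on the combination, and flagged manifests still need a reviewer to look at what the accessibility service and admin receiver actually do.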

“The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said, describing RatOn as built from scratch with no code similarities to other Android banking malware.

The malware can also present overlay screens that resemble ransom notes, claiming the device has been locked for viewing or distributing child pornography and demanding payment in cryptocurrency within a two-hour window to regain control. If the user complies, the malware can capture the device PIN and extract wallet seed phrases to access accounts.

Notable commands used by RatOn include, but are not limited to:

  • send_push, to deliver fake push notifications
  • screen_lock, to adjust screen timeout
  • WhatsApp, to launch the messaging app
  • app_inject, to modify targeted financial apps
  • update_device, to enumerate installed apps and fingerprint the device
  • send_sms, to send messages via accessibility services
  • Facebook, to launch the social app
  • nfs, to download and run the NFSkate malware
  • transfer, to perform ATS via George Česko
  • lock, to lock the device using device administration
  • add_contact, to create contacts
  • record, to initiate screen casting
  • display, to toggle screen casting

The researchers noted the initial targeting focus on the Czech Republic, with Slovakia likely to follow. They also suggested that automated transfers require local banking account numbers, hinting at possible collaboration with local money mules.

Users are advised to avoid sideloading apps and to disable installation from unknown sources. To protect wallet accounts, scrutinize all wallet-app prompts, enable strong authentication where available, and remain vigilant for suspicious overlays or unexpected permissions requests.