RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities
Briefly

"A new Android malware called RatOn has evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. "RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality - making it a uniquely powerful threat," the Dutch mobile security company said in a report published today. The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic."
"Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It's worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to display extortion messages. The first sample distributing RatOn was detected in the wild on July 5, 2025, with more artifacts discovered as recently as August 29, 2025, indicating active development work on the part of the operators."
"RatOn has leveraged fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps that deliver the trojan. It's currently not clear how users are lured to these sites, but the activity has singled out Czech- and Slovak-speaking users. Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android's accessibility services."
RatOn is an Android remote access trojan that evolved from an NFC attack tool and now includes Automated Transfer System (ATS) capabilities for on-device fraud. It targets cryptocurrency wallet apps such as MetaMask, Trust, Blockchain.com, and Phantom, and can automate transfers through the George Česko banking app. It combines overlay attacks, NFC relay functionality, and ransomware-like device locking with custom overlay pages. Distribution relies on fake Play Store listings for a "TikTok 18+" app that host dropper apps; the dropper first asks the user to allow installation from unknown sources, then requests device administrator, accessibility, contacts, and system settings permissions, which together enable the account takeover and automated transfer functions. Samples were observed from July to August 2025, targeting Czech- and Slovak-speaking users.
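The permission and component combination the summary describes (a self-installer permission, an accessibility service, a device-admin receiver, plus contacts, system-settings and NFC permissions) is something an analyst can check for directly in a decoded AndroidManifest.xml. The script below is an added triage example written for this page; it is not code from The Hacker News, the reporting vendor, or any RatOn sample. The two manifests are constructed for the example, and the "high / medium / low" verdict rule is an assumption of this example rather than a published detection rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the summary associates with the RatOn dropper and payload,
# keyed by the manifest declaration that grants each one.
PERMISSION_CAPS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload_installer",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_SETTINGS": "system_settings",
    "android.permission.NFC": "nfc",
}
COMPONENT_CAPS = {
    # a <service> guarded by this permission is an AccessibilityService
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    # a <receiver> guarded by this permission is a DeviceAdminReceiver
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Constructed manifest shaped like the dropper/payload described above.
# Not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tiktok18">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="TikTok 18+">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def _a(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the package name, the fraud-relevant capabilities declared in the
    manifest, and a heuristic verdict (assumed rule, see lead-in)."""
    root = ET.fromstring(xml_text)
    caps = set()
    for up in root.iter("uses-permission"):
        cap = PERMISSION_CAPS.get(_a(up, "name"))
        if cap:
            caps.add(cap)
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            cap = COMPONENT_CAPS.get(_a(comp, "permission"))
            if cap:
                caps.add(cap)
    # An accessibility service paired with a self-installer or device admin
    # is the on-device-fraud shape the summary describes.
    if "accessibility_service" in caps and caps & {"sideload_installer", "device_admin"}:
        verdict = "high"
    elif "accessibility_service" in caps or "sideload_installer" in caps:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"),
            "capabilities": sorted(caps),
            "verdict": verdict}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

To run this against a real APK, decode it first (for example `apktool d app.apk`) and pass the contents of the resulting AndroidManifest.xml to `triage_manifest`. The check only reads declarations, so a "high" verdict is a reason to look at the accessibility service and installer code, not a conviction; legitimate device-management or automation apps declare some of the same components.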
Read at The Hacker News