
New Android RAT uses Near Field Communication to automatically steal money from devices

by Tech Wavo
September 10, 2025
in Computers




  • RatOn is a rare Android trojan combining NFC relay, overlay attacks, and automated money transfers
  • It targets banking apps and crypto wallets, stealing PINs and recovery phrases
  • Spread via fake TikTok apps, it mainly targets users in Czechia and Slovakia

Security researchers have uncovered a rare strain of Android malware with capabilities that were “virtually unheard of” – until now.

Earlier this week, ThreatFabric published an in-depth report on RatOn, a Remote Access Trojan (RAT) with NFC relay capabilities.

In an NFC relay attack, criminals use two devices to trick a payment terminal into thinking a real card or phone is present, even though it’s somewhere else. One device (the infected one) reads the victim’s card data and instantly sends it to a second device, which uses it to make the payment.

RatOn Malware

“Instances where a trojan evolves from a basic NFC relay tool into a sophisticated RAT with Automated Transfer System (ATS) capabilities are virtually unheard of,” ThreatFabric said. “That’s why the discovery of the new trojan RatOn by ThreatFabric MTI analysts is particularly noteworthy. RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality—making it a uniquely powerful threat.”

RatOn was first assembled in early July 2025, with the latest version popping up on August 29, meaning it is in active development. It primarily serves as an Android banking trojan, taking over devices and accounts. It also targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, or Phantom, and can steal PINs and recovery phrases.

The malware also uses overlays to trick users and lock devices, and performs automated money transfers using the George Česko banking app. Since George Česko is a mobile banking app in Czechia, the researchers concluded that the attackers are targeting, first and foremost, individuals in Czechia and Slovakia.

The malware is being distributed via spoofed Google Play Store pages. The pages were set up to show an adult version of the TikTok app, which hosted a malware dropper.

Once installed, the dropper asks the victim for certain permissions, including one that allows it to install apps from third-party sources. If granted, it deploys a second-stage payload and asks for additional permissions, including the dreaded Accessibility Services.
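A defender can check a device for the permission chain described above (an app from outside the Play Store that may install other apps, followed by a sideloaded app holding Accessibility). The sketch below is an added example, not code from the article or from ThreatFabric; it parses the output of `adb shell pm list packages -i -3`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`. All package names are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
import re

# Assumption: Google Play is the only installer treated as trusted here.
TRUSTED_INSTALLERS = {"com.android.vending"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def parse_installers(pm_output):
    """`adb shell pm list packages -i -3` -> {package: installer}."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    return dict(pairs)

def parse_accessibility(setting):
    """`adb shell settings get secure enabled_accessibility_services` -> {package}."""
    value = (setting or "").strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, a11y_setting, dumpsys_by_pkg):
    """Flag sideloaded apps that can install other apps or hold Accessibility."""
    a11y = parse_accessibility(a11y_setting)
    findings = {}
    for pkg, installer in parse_installers(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = []
        if INSTALL_PERM in dumpsys_by_pkg.get(pkg, ""):
            reasons.append("requests REQUEST_INSTALL_PACKAGES")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if reasons:
            findings[pkg] = [f"installer={installer}"] + reasons
    return findings

# Constructed sample data; every package name below is hypothetical.
SAMPLE_PM = """\
package:com.example.videoapp  installer=com.android.chrome
package:com.example.helper  installer=com.example.videoapp
package:com.example.passwords  installer=com.android.vending
package:com.example.game  installer=null
"""
SAMPLE_A11Y = "com.example.helper/.CoreService:com.example.passwords/.FillService"
SAMPLE_DUMPSYS = {
    "com.example.videoapp": "requested permissions:\n  " + INSTALL_PERM,
    "com.example.helper": "requested permissions:\n  android.permission.NFC",
}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DUMPSYS).items():
        print(pkg, "->", "; ".join(reasons))
```

A Play-installed app with an accessibility service (the password manager in the sample) is not flagged, so the output stays focused on apps that arrived outside the store.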

Via The Hacker News
