Ethical Hacking News
RatOn, a new strain of Android malware, has been discovered with sophisticated capabilities for Automated Transfer System (ATS) banking fraud and NFC relay attacks. This malicious software targets cryptocurrency wallet applications and can steal sensitive data by exfiltrating it to an external server under the control of the threat actors.
RatOn is a sophisticated Android malware that has evolved from an NFC relay tool to a remote access trojan (RAT) with capabilities for Automated Transfer System (ATS) banking fraud. The malware targets cryptocurrency wallet applications and can perform NFC relay attacks using the Ghost Tap technique. RatOn was first detected in the wild on July 5, 2025, but active development work by operators was discovered later. The primary vector for distributing RatOn is through fake Play Store listing pages masquerading as an adult-friendly version of TikTok. Once installed, RatOn requests permissions to bypass critical security measures and downloads a third-stage malware called NFSkate. RatOn can perform account takeover and automated transfers, and serves overlay screens claiming that users' phones have been locked for viewing child pornography. The malware exfiltrates sensitive data recorded by a keylogger component to an external server under the control of the threat actors. Notable commands processed by RatOn include sending fake push notifications, changing device lock screen timeout, and performing automated transfers using ATS.
In a recent discovery, researchers at ThreatFabric have identified a new strain of Android malware dubbed RatOn, which has evolved from a basic Near Field Communication (NFC) relay tool to a sophisticated remote access trojan (RAT) with capabilities for Automated Transfer System (ATS) banking fraud. This malicious software has been found to target cryptocurrency wallet applications and can perform NFC relay attacks using a technique called Ghost Tap.
The RatOn malware was first detected in the wild on July 5, 2025, but it wasn't until August 29, 2025, that more artifacts were discovered, indicating active development work by the operators. This sophisticated malware has been designed to bypass critical security measures imposed by Google to prevent abuse of Android's accessibility services.
The primary vector for distributing RatOn is through fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+), which host malicious dropper apps that deliver the trojan. It is not clear how users are lured to these sites, but the activity has singled out Czech and Slovakian-speaking users.
Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android's accessibility services. The second-stage payload then proceeds to request device administration and accessibility services, as well as permissions to read/write contacts and manage system settings to realize its malicious functionality.
This includes granting itself additional permissions as required and downloading a third-stage malware, which is nothing but the NFSkate malware that can perform NFC relay attacks using a technique called Ghost Tap. The malware family was first documented in November 2024.
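The permission chain described above (sideloading, accessibility services, device administration, contacts and system settings) is a useful triage signal for analysts looking at a sideloaded APK's manifest. The following script is an added example written for this article, not ThreatFabric's tooling or RatOn's code; the permission strings are real Android identifiers, and the sample manifest is constructed here for illustration.

```python
"""Manifest triage: flag the permission/component combination the RatOn dropper
chain is described as requesting. Added example, not the page's own code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission names mapped to the stage-2 behaviour the article describes.
PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs from third-party sources",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (UI automation / keylogging)",
    "android.permission.BIND_DEVICE_ADMIN": "device administration (lock command)",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "write contacts (add_contact command)",
    "android.permission.WRITE_SETTINGS": "modify system settings (screen_lock command)",
}

def manifest_findings(manifest_xml: str) -> dict:
    """Return the matched permissions, a score, and a boolean triage verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # Accessibility services and device-admin receivers are not requested via
    # <uses-permission>; they are components guarded by a BIND_* permission.
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            if comp.get(PERM_ATTR):
                requested.add(comp.get(PERM_ATTR))
    hits = {p: why for p, why in PERMS.items() if p in requested}
    # Threshold chosen for this example: four or more of the six together is
    # far outside what a video app would need. Tune to your own corpus.
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 4}

# Constructed sample manifest mirroring the described stage-2 permission set.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in manifest_findings(SAMPLE_MANIFEST)["hits"].items():
        print(f"{perm}: {why}")
```

Treat a hit as a reason to inspect the APK further, not as proof of malice: legitimate accessibility and MDM apps declare the BIND_* permissions too.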
The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well, building the malware from scratch and sharing no code similarities with other Android banking malware. RatOn can also serve overlay screens that resemble a ransom note, claiming that users' phones have been locked for viewing and distributing child pornography and that they need to pay $200 in cryptocurrency to regain access in two hours.
It is suspected that the ransom notes are designed to induce a false sense of urgency and coerce the victim into opening the cryptocurrency apps, making the transaction immediately, and enabling the attackers to capture the device PIN code in the process. Upon corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using stolen PIN code, click on interface elements which are related to security settings of the app, and on the final step, reveal secret phrases.
The sensitive data is subsequently recorded by a keylogger component and exfiltrated to an external server under the control of the threat actors, who can then use the seed phrases to obtain unauthorized access to the victims' accounts and steal cryptocurrency assets.
Some notable commands that are processed by RatOn include:
- send_push, to send fake push notifications
- screen_lock, to change the device lock screen timeout to a specified value
- WhatsApp, to launch WhatsApp
- app_inject, to change the list of targeted financial applications
- update_device, to send a list of installed apps with device fingerprint
- send_sms, to send an SMS message using accessibility services
- Facebook, to launch Facebook
- nfs, to download and run the NFSkate APK malware
- transfer, to perform ATS using George Česko
- lock, to lock the device using device administration access
- add_contact, to create a new contact using a specified name and phone number
- record, to launch a screen casting session
- display, to turn on/off screen casting
The threat actor group initially targeted the Czech Republic, with Slovakia likely being the next country of focus. The reason behind concentrating on a single banking application remains unclear, but the fact that automated transfers require local banking account numbers suggests that the threat actors may be collaborating with local money mules.
In conclusion, RatOn represents a sophisticated and evolving threat to Android users, particularly those in Europe who are targeted by this malicious software. As the threat landscape continues to evolve, it is essential for users to remain vigilant and take necessary precautions to protect their devices from such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/RatOn-Android-Malware-A-Sophisticated-Banking-Trojan-with-NFC-Relay-Capabilities-ehn.shtml
https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html
Published: Tue Sep 9 08:38:30 2025 by llama3.2 3B Q4_K_M