A newly identified Android malware, dubbed RatOn, has emerged as a significant threat to mobile security. Initially designed to execute Near Field Communication (NFC) relay attacks, RatOn has evolved into a sophisticated Remote Access Trojan (RAT) equipped with Automated Transfer System (ATS) capabilities, enabling it to perform unauthorized financial transactions directly from infected devices.
Evolution and Capabilities
RatOn represents a convergence of traditional overlay attacks, automated money transfers, and NFC relay functionalities, making it a uniquely potent threat in the cybersecurity landscape. The malware is specifically engineered to target cryptocurrency wallet applications such as MetaMask, Trust, Blockchain.com, and Phantom. Additionally, it exploits the George Česko banking application, widely used in the Czech Republic, to facilitate automated money transfers.
Beyond financial theft, RatOn possesses ransomware-like features. It can display custom overlay pages that lock the device and present extortion messages, coercing victims into paying a ransom to regain access. This tactic mirrors strategies observed in variants of the HOOK Android trojan, which have employed similar overlay screens to display ransom demands.
Discovery and Distribution
The initial detection of RatOn occurred on July 5, 2025, with subsequent samples identified as recently as August 29, 2025. This timeline indicates ongoing development and refinement by its operators. The malware is disseminated through counterfeit Google Play Store pages that masquerade as legitimate applications, such as an adult-oriented version of TikTok (TikTok 18+). The primary targets of this campaign are users in Czech and Slovak-speaking regions.
Infection Mechanism
Upon installation, the malicious dropper app requests permission to install applications from unknown sources, a step that sidesteps the Android safeguards meant to keep sideloaded apps from obtaining accessibility-service access. Once that permission is granted, the dropper installs a secondary payload that seeks device administration rights and access to accessibility services. The payload also requests permissions to read and write contacts and to manage system settings, which together enable its malicious operations.
The secondary payload then downloads a tertiary malware component known as NFSkate, which is capable of executing NFC relay attacks using a method referred to as Ghost Tap. This technique was first documented in November 2024 and involves intercepting and relaying NFC communications to facilitate unauthorized transactions.
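A defender-side triage check for the permission chain described in this section, written here as an added example and not taken from the article or any vendor report. It assumes an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool) and that the capabilities named in the text map to the Android permission names listed in PROFILE; that mapping is this example's assumption.

```python
"""Manifest triage for the RatOn-style permission chain (added example, not code
from the article). Assumes an AndroidManifest.xml already decoded to plain XML
(e.g. via apktool); the mapping from the prose to permission names is assumed."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Capabilities the described dropper/payload chain relies on (assumed mapping).
PROFILE = {
    "install_unknown_sources": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "accessibility_service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "contacts_read_write": {"android.permission.READ_CONTACTS",
                            "android.permission.WRITE_CONTACTS"},
    "system_settings": {"android.permission.WRITE_SETTINGS"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """<uses-permission> names plus android:permission guards on components;
    BIND_* permissions are never requested, they protect <service>/<receiver>."""
    found = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag == "uses-permission":
            found.add(el.get(NS + "name", ""))
        elif el.tag in ("service", "receiver") and el.get(NS + "permission"):
            found.add(el.get(NS + "permission"))
    found.discard("")
    return found

def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Any single capability is common in benign apps; the co-occurrence is the
    signal, so flag only when `threshold` or more profile entries are present."""
    perms = declared_permissions(manifest_xml)
    matched = sorted(k for k, names in PROFILE.items() if names <= perms)
    return {"matched": matched, "suspicious": len(matched) >= threshold}

# Constructed sample manifests, not real-world artefacts.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
PAYLOAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Running `triage(PAYLOAD)` returns all five profile entries as matched, while the benign manifest matches none; the threshold keeps a lone accessibility service or contacts permission from raising a verdict on its own.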
Account Takeover and Ransomware Features
RatOn’s developers exhibit a deep understanding of the internal workings of the applications they target. The malware can launch specific cryptocurrency wallet apps, unlock them using stolen PIN codes, navigate through security settings, and ultimately reveal secret recovery phrases. These sensitive data points are captured by a keylogger component and transmitted to an external server controlled by the attackers. With access to these recovery phrases, the attackers can gain unauthorized entry into victims’ cryptocurrency accounts and siphon funds.
In addition to its account takeover capabilities, RatOn can display ransom notes claiming that the user’s device has been locked due to alleged involvement in illegal activities, such as viewing or distributing child pornography. The note demands a payment of $200 in cryptocurrency within a two-hour window to unlock the device. This scare tactic is designed to instill a sense of urgency, prompting victims to access their cryptocurrency wallets immediately, thereby facilitating the theft of PIN codes and other sensitive information.
Mitigation and Recommendations
The emergence of RatOn underscores the evolving sophistication of mobile malware and the increasing risks associated with NFC technology. To mitigate the threat posed by RatOn and similar malware, users are advised to:
– Exercise Caution with App Installations: Only download applications from official and reputable sources. Be wary of apps that request excessive permissions or originate from unknown developers.
– Review App Permissions: Regularly audit the permissions granted to installed applications. Revoke any permissions that seem unnecessary or intrusive.
– Enable Security Features: Utilize built-in security features such as Google Play Protect to scan for and prevent the installation of potentially harmful applications.
– Stay Informed: Keep abreast of the latest cybersecurity threats and trends. Awareness is a critical component of defense against evolving malware tactics.
By adopting these practices, users can enhance their mobile security posture and reduce the risk of falling victim to sophisticated malware like RatOn.