
A new Android banking trojan, named RatOn, combines traditional overlay attacks with NFC relay tactics to compromise bank accounts and initiate automated money transfers. Developed from scratch by a threat actor group active since July 2025, RatOn represents a significant evolution in mobile fraud capabilities.
Technical Overview
RatOn integrates an Automated Transfer System (ATS), enabling it to autonomously move funds through a targeted bank’s application interface. The initial access vector involves malicious domains themed around adult content, which host a dropper APK. Victims who install from unknown sources are served a WebView-based installer, triggering the download and side-loading of the second-stage payload.
Once installed, the payload prompts for Accessibility service and Device Administrator privileges to automate UI interactions without user awareness. With Accessibility access, RatOn can:
- Monitor the foreground app and relay pseudo-screen or full screen casts to its command server.
- Automatically accept critical permissions for contacts and system settings.
- Launch and control NFSkate NFC relay malware, enabling physical proximity attacks against contactless payment cards.
RatOn’s command set includes live screen streaming, push-notification spoofing, device locking, and clipboard manipulation.
Global Cryptocurrency Theft
RatOn’s ATS module demonstrates a deep understanding of the target bank’s UI workflow, manipulating transaction limits and completing payment steps using stolen PIN codes. Funds are routed to mule accounts, indicating potential collaboration with local operatives in the Czech Republic and Slovakia.
Beyond fiat transfers, RatOn targets major cryptocurrency wallets, extracting secret recovery phrases through UI automation. The following table lists the targeted wallet applications, their package names, and the interface languages the malware handles:
| Wallet Application | Package Name | Language Support |
|---|---|---|
| MetaMask | io.metamask | English, Russian, Czech, Slovak |
| Trust: Crypto & Bitcoin Wallet | com.wallet.crypto.trustapp | English, Russian, Czech, Slovak |
| Blockchain.com | piuk.blockchain.android | English, Russian, Czech, Slovak |
| Phantom | app.phantom | English, Russian, Czech, Slovak |
Mitigations
RatOn’s combination of NFC relay functionality, RAT features, overlay tactics, and automated transfers marks a new chapter in mobile malware sophistication. Security measures should include:
- Enforcing strict installation policies blocking unknown sources.
- Monitoring Accessibility and Device Administrator grant requests.
- Employing behavioral analysis to detect anomalous UI automation in banking and wallet apps.
- Educating users on the risks of phishing domains.
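The second and third mitigations above (watching Accessibility and Device Administrator grants, and flagging automation against banking and wallet apps) can be turned into a simple correlation rule. The following is an added example, not code from the article or from any vendor; it assumes a constructed JSON-lines telemetry feed (field names `ts`, `event`, `pkg`, `installer` are invented for this example) such as an MDM or mobile EDR agent might export, and it uses the wallet package names from the table above plus a placeholder banking package. The rule scores a package that was installed from outside a trusted installer and then acquired Accessibility and Device Administrator rights, and raises a critical finding when a watched app comes to the foreground while such a package holds Accessibility.

```python
"""Correlation rule for a RatOn-style side-load -> privilege-grant -> wallet
automation chain. Added example; telemetry format and event names are
assumptions, not a real product's schema."""
import json

# Wallet packages from the article's table, plus a placeholder bank app
# (constructed; an institution would substitute its own package name).
WATCHED_PACKAGES = {
    "io.metamask",
    "com.wallet.crypto.trustapp",
    "piuk.blockchain.android",
    "app.phantom",
    "com.example.bank",  # placeholder
}

# Installers considered trusted; anything else counts as an unknown source.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample telemetry for one device: a Play-installed app, then a
# side-loaded package that gains Accessibility and Device Administrator
# before a watched wallet app is brought to the foreground.
SAMPLE_EVENTS = """\
{"ts": 1, "event": "package_installed", "pkg": "com.example.playapp", "installer": "com.android.vending"}
{"ts": 2, "event": "package_installed", "pkg": "com.example.sideloaded", "installer": null}
{"ts": 3, "event": "accessibility_enabled", "pkg": "com.example.sideloaded"}
{"ts": 4, "event": "device_admin_granted", "pkg": "com.example.sideloaded"}
{"ts": 5, "event": "foreground_app", "pkg": "io.metamask"}
{"ts": 6, "event": "foreground_app", "pkg": "com.android.settings"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return findings (dicts with severity, pkg, reason) in time order.

    A package becomes 'side-loaded' when its installer is not trusted. Each
    later privilege grant to such a package escalates severity; a watched
    app in the foreground while a side-loaded package holds Accessibility
    is reported as critical, since that is the precondition for the UI
    automation the article describes.
    """
    sideloaded, accessibility = set(), set()
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, pkg = ev["event"], ev["pkg"]
        if kind == "package_installed":
            if ev.get("installer") not in TRUSTED_INSTALLERS:
                sideloaded.add(pkg)
                findings.append({"severity": "low", "pkg": pkg,
                                 "reason": "installed from unknown source"})
        elif kind == "accessibility_enabled" and pkg in sideloaded:
            accessibility.add(pkg)
            findings.append({"severity": "medium", "pkg": pkg,
                             "reason": "side-loaded package granted Accessibility"})
        elif kind == "device_admin_granted" and pkg in sideloaded:
            sev = "high" if pkg in accessibility else "medium"
            findings.append({"severity": sev, "pkg": pkg,
                             "reason": "side-loaded package granted Device Administrator"})
        elif kind == "foreground_app" and pkg in WATCHED_PACKAGES and accessibility:
            for holder in sorted(accessibility):
                findings.append({"severity": "critical", "pkg": holder,
                                 "reason": f"watched app {pkg} in foreground while "
                                           f"{holder} holds Accessibility"})
    return findings


def max_severity(findings):
    """Highest severity present, or 'none' for an empty finding list."""
    order = ["low", "medium", "high", "critical"]
    return max((f["severity"] for f in findings), key=order.index, default="none")


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_EVENTS)):
        print(finding["severity"].upper(), finding["pkg"], "-", finding["reason"])
```

Run against the constructed sample, the rule emits four findings for `com.example.sideloaded`, escalating from low (unknown-source install) to critical (MetaMask in the foreground while that package holds Accessibility); the Play-installed app and the Settings foreground event produce nothing. In practice the trusted-installer set and the watched packages are the two knobs a fleet operator would tune.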
Collaboration between financial institutions, mobile OS vendors, and security researchers is crucial to disrupt emerging attack chains like RatOn.