ThreatFabric has uncovered RatOn, a newly developed Android banking trojan that merges traditional overlay fraud with NFC relay attacks, automated money transfers, and cryptocurrency wallet theft. This marks one of the most sophisticated evolutions of mobile malware to date.
The ThreatFabric Mobile Threat Intelligence (MTI) team discovered RatOn while monitoring the NFSkate threat actor group. Analysts describe the finding as exceptional: "While the concept of combining a RAT with an NFC relay attack isn't entirely new, documented cases are rare. Instances where a trojan evolves from a basic NFC relay tool into a sophisticated RAT with Automated Transfer System (ATS) capabilities are virtually unheard of. That's why the discovery of the new trojan RatOn… is particularly noteworthy."
The first known RatOn samples date back to July 5, 2025, with continuous development observed through August 29, 2025. Some variants still show low detection rates on VirusTotal, indicating ongoing stealth testing.
RatOn employs a multi-stage delivery process. Initial access begins with adult-themed domains containing "TikTok18+" in their names, which distribute a malicious dropper app targeting Czech and Slovak users.
ThreatFabric explains: "The dropper… will request the permission from the victim to install applications from third party sources. This step is needed to overcome Android restrictions for third party applications to abuse Accessibility services."
The dropper then installs a second-stage payload that immediately requests Accessibility Service and Device Admin privileges. Accessibility lets the malware read and act on any other app's screen, and Device Admin lets it lock the device, which together amount to effective control of the handset. With that foothold, a third payload, the NFSkate malware, can be deployed to relay the victim's bank card over NFC.
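As an added example (not code from ThreatFabric or from the malware), the following Python script triages a decoded AndroidManifest.xml for the privilege chain just described: the permission a dropper needs to sideload a second stage, an Accessibility service, and a Device Admin receiver. It assumes the manifest has already been decoded to text (apktool does this); the two manifests, their package names and the risk weighting are constructed for the example.

```python
# Added example, not ThreatFabric's or the trojan's code: static triage of a
# decoded AndroidManifest.xml for the dropper -> Accessibility -> Device Admin
# chain. Assumes a text manifest (e.g. output of apktool); the sample manifests
# and the risk weighting below are constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions worth flagging in a banker/dropper triage (reviewer's own list).
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt the user to sideload further APKs",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw windows over other apps (overlays)",
    "android.permission.NFC": "can talk to NFC cards or terminals",
    "android.permission.SEND_SMS": "can send SMS from the device",
    "android.permission.READ_CONTACTS": "can read the contact list",
}

# An Accessibility service is bound via this permission / intent action;
# a Device Admin receiver via these.
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def _declares(component, perm, action):
    """True if the component is protected by `perm` or filters for `action`."""
    if component.get(ATTR_PERMISSION) == perm:
        return True
    return any(a.get(ATTR_NAME) == action for a in component.iter("action"))


def verdict(result: dict) -> str:
    """Accessibility plus sideloading or Device Admin is the combination a
    dropper-plus-banker needs; any one of them alone only merits a look."""
    a11y = result["accessibility_service"]
    sideload = "android.permission.REQUEST_INSTALL_PACKAGES" in result["permissions"]
    if a11y and (sideload or result["device_admin"]):
        return "high"
    if a11y or sideload or result["device_admin"]:
        return "medium"
    return "low"


def triage_manifest(manifest_xml: str) -> dict:
    """Collect risky permissions and privileged components from a manifest."""
    root = ET.fromstring(manifest_xml)
    result = {
        "package": root.get("package"),
        "permissions": [],
        "accessibility_service": False,
        "device_admin": False,
    }
    for up in root.iter("uses-permission"):
        if up.get(ATTR_NAME) in RISKY_PERMISSIONS:
            result["permissions"].append(up.get(ATTR_NAME))
    for svc in root.iter("service"):
        if _declares(svc, A11Y_PERM, A11Y_ACTION):
            result["accessibility_service"] = True
    for rcv in root.iter("receiver"):
        if _declares(rcv, ADMIN_PERM, ADMIN_ACTION):
            result["device_admin"] = True
    result["verdict"] = verdict(result)
    return result


# Constructed sample: the shape a dropper/second stage of this kind would have.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Video Player">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with nothing of interest.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["permissions"],
              "a11y" if r["accessibility_service"] else "",
              "admin" if r["device_admin"] else "")
```

The check is deliberately static: it says what an app is able to ask for, not what the user granted, so a "high" verdict is a reason to pull the sample apart, not a conviction. A run-time counterpart is to read the enabled Accessibility services and active device admins from the device itself and compare them against the installed package list.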
Like many Android bankers, RatOn supports overlay attacks to trick users into revealing credentials or paying ransom. Two methods exist: loading overlays from attacker-hosted URLs or injecting HTML chunks.
ThreatFabric obtained one template: "We were able to obtain one of such templates (Czech and English language were supported) and it looked like a ransom note." These overlays can be used to harvest PINs from cryptocurrency apps or demand immediate payments.
RatOn demonstrates advanced Automated Transfer System (ATS) functionality. ThreatFabric observed the malware auto-navigating a Czech banking app: "The trojan will launch bank application and initiate payment by auto clicking on application interface elements one by one… It's important to note that on one of the last steps the trojan will automatically type in the digital PIN code to confirm the transaction."
The focus on Czech accounts suggests local mule networks, as transactions rely on domestic banking account numbers.
Beyond banks, RatOn directly targets crypto wallets, including MetaMask, Trust Wallet, Blockchain.com, and Phantom. The trojan can auto-type PINs, navigate to recovery settings, and exfiltrate seed phrases.
ThreatFabric notes: "RatOn can launch the targeted cryptocurrency wallet app, unlock it using stolen PIN code… and on the final step, reveal secret phrases. The keylogger component will record revealed data and will send it to control server."
Once the device is under the attacker's control, this amounts to full wallet takeover: an exfiltrated seed phrase lets the attacker restore the wallet on their own device and move the funds, without needing the victim's phone again.
RatOn supports an extensive list of commands, including: fake push notifications, live screen sharing, SMS sending, overlay injection, app targeting, contact creation, device locking, and even forced password resets. It also integrates with NFSkate for NFC relay attacks, cementing its hybrid nature.
RatOn represents the cutting edge of mobile banking and cryptocurrency malware. By blending RAT capabilities, overlay fraud, ATS automation, and NFC relay attacks, it poses a serious threat not only to European banks but to global cryptocurrency users.
With development still active, ThreatFabric warns that RatOn may soon expand beyond Czech and Slovak targets, potentially sparking large-scale mobile fraud campaigns across Europe and beyond.