Security researchers at ThreatFabric MTI have uncovered a sophisticated new Android banking trojan, dubbed RatOn, which merges classic overlay and NFC relay tactics with full remote access and Automated Transfer System (ATS) capabilities.
Emerging on July 5, 2025, and evolving through August 29, 2025, RatOn represents the first known integration of NFC relay attacks into a Remote Access Trojan framework, delivering low-latency, text-based control alongside traditional screen casting for rapid operator-driven fraud.
Multi-Stage Infection and RAT Features
The attack chain begins when victims download a malicious dropper APK from Czech and Slovak adult-themed domains masquerading as third-party app installers.
Once sideloaded, the dropper loads a WebView interface that invokes its installApk API, seamlessly installing a second-stage payload.
This payload immediately prompts users via another WebView to grant Accessibility Service and Device Admin privileges. With these permissions, RatOn auto-accepts additional requests for contacts and system settings access, then operates stealthily in the background.
Leveraging Accessibility APIs, RatOn continually monitors the device’s foreground state, sending both full screenshots and bandwidth-efficient text-based “pseudo-screen” descriptions of UI elements to its control server.
Operators can issue over 50 JSON-driven commands, such as display to toggle screen casting, txt_screen for one-time text snapshots, and record for live-stream permissions, enabling real-time interaction without resource-heavy graphic streaming.
RatOn’s overlay module supports loading remote HTML templates or rendering raw HTML via WebView. Researchers recovered one template styled as a ransom note in Czech and English, likely designed to coerce cryptocurrency users into revealing PINs.
On demand, a third-stage payload, NFSkate, can be dropped or downloaded to carry out NFC relay attacks against contactless payment cards, turning infected devices into active relays for unauthorized transactions.
Automated Transfers and Crypto Exploits
RatOn’s standout ATS feature targets the Czech bank George Česko. Upon receiving a transfer command containing recipient details in JSON, the trojan launches the bank’s app and navigates its UI by matching localized labels (“Nová platba,” “Domácí číslo účtu,” “Odeslat”) or tapping hardcoded coordinates.
It populates recipient fields, checks and adjusts transaction limits via the check_limit and limit commands, and enters previously intercepted PIN codes to finalize transfers, all autonomously.
In addition to traditional banking fraud, RatOn exploits major cryptocurrency wallets—MetaMask, Trust Wallet, Blockchain.com, and Phantom.
Employing Accessibility-driven automation, it unlocks wallets with stolen PINs, navigates to security settings, and extracts recovery phrases for exfiltration. Multi-language support (English, Russian, Czech, Slovak) ensures a broad international reach and effectiveness.
By fusing NFC relay techniques, text-based RAT control, overlay extortion, and ATS capabilities, RatOn emerges as a groundbreaking mobile malware with dual-pronged objectives: localized large-scale theft via money mules and global cryptocurrency compromise.
Organizations should monitor for anomalous Accessibility and WebView behaviors and enforce robust multi-factor authentication to defend against this advanced threat.
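The infection chain above relies on a recognisable combination of declared capabilities: a dropper that can install a second APK, an Accessibility Service, a Device Admin receiver, contacts access and NFC for the relay stage. The following added example (not ThreatFabric's tooling, and not code from the malware) is a static manifest triage script that flags that combination; the manifest it parses is constructed for illustration only.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes

# Markers from the reported infection chain and the capability each one enables.
USES_PERMISSION_FLAGS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload a second-stage APK",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.NFC": "NFC access (relay stage)",
}
# Accessibility services and device-admin receivers are recognised by the
# permission protecting the component, not by a <uses-permission> line.
BIND_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility Service (UI reading/automation)",
    "android.permission.BIND_DEVICE_ADMIN": "Device Admin receiver (removal resistance)",
}

# Constructed manifest for demonstration only; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Return {marker: capability} for every risky marker declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(A + "name", "")
        if name in USES_PERMISSION_FLAGS:
            found[name] = USES_PERMISSION_FLAGS[name]
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            perm = node.get(A + "permission", "")
            if perm in BIND_FLAGS:
                found[perm] = BIND_FLAGS[perm]
    return found

def risk_level(found: dict) -> str:
    """Accessibility and Device Admin together with dropper or NFC markers is the RatOn-like set."""
    a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in found
    admin = "android.permission.BIND_DEVICE_ADMIN" in found
    if a11y and admin and len(found) >= 4:
        return "high"
    return "medium" if (a11y or admin) else "low"
```

Run it against a manifest decoded from an APK (for example with apktool or aapt); a "high" result is a triage signal for manual review, not proof of malice, since legitimate accessibility or MDM apps can declare several of these markers.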
Indicators of Compromise
Control server domains:
- marvelcore[.]top
- evillab[.]world
- www-core[.]top
- tiktok18[.]world
SHA256 file hashes: