A new Android Trojan, RatOn, has been discovered by researchers, combining NFC relay attacks, automated money transfers (ATS), and remote access features, making it one of the most dangerous mobile threats of 2025.

According to ThreatFabric, RatOn began spreading on July 5, 2025, via fake Google Play pages masquerading as the TikTok 18+ app. The Trojan installs its malicious code in several stages, from a dropper to an NFSkate module capable of performing Ghost Tap NFC relay attacks.

RatOn’s functionality includes:
- crypto wallet data theft (MetaMask, Trust, Blockchain.com, Phantom);
- automated transfers via the George Česko banking app;
- ransomware-like overlays with device locking;
- PIN and seed-phrase theft with subsequent asset theft;
- command set for sending SMS, creating contacts, launching WhatsApp and Facebook, screencasting and screen locking.

The victims are mainly users from the Czech Republic and Slovakia. The malware is under active development: the latest samples appeared at the end of August 2025.

Experts note that RatOn is built from scratch and has no similarities to other banking Trojans, although certain functions are similar to HOOK. The threat confirms the trend of recent years: classic banking malware is combined with ransomware mechanics and also targets cryptocurrency services. Possible cooperation between RatOn operators and local “money mules” may explain the narrow focus on regional banks.

RatOn demonstrates how quickly the mobile threat ecosystem is developing. The combination of attacks on banks and crypto wallets with social engineering makes this Trojan a universal weapon for cybercriminals. The only protection for users is to avoid third-party application sources, refuse suspicious permissions, and update devices in a timely manner.