The RatOn Android Trojan has landed on the cybersecurity radar for combining several techniques rarely seen together on mobile devices. In a matter of weeks, it has evolved from a tool focused on NFC relaying to a remote access Trojan with automated transfers, overlays, and ransomware-like functions, something that is especially worrying on mobile devices. It leaves users exposed to theft of money and loss of control of the device, which is why it is worth using apps that improve security.
According to analyses published by specialists, RatOn was developed from scratch, without inheriting code from known families. This characteristic complicates its initial detection and explains why, despite its youth, it is already attributed with a high damage potential. The first firm signs of its campaign appeared in early July 2025, and new artifacts were detected in late August of that same year, confirming that the attackers continue to refine their capabilities and keep the project alive and evolving.
What is the RatOn Trojan and why is it different?
RatOn is an Android banking Trojan that is also a RAT (remote access Trojan), malicious software that allows attackers to remotely control the victim's phone. What's new is not just the control itself, but the combination of advanced techniques in a single package: screen overlay attacks, an automated transfer system, NFC relaying, device locking for extortion purposes, and keylogging capabilities. All of this is orchestrated with a wide list of commands that give it the flexibility to act in different ways, depending on the attacker's goals and the victim's environment.
Analysts note that no significant code similarities with other mobile banking Trojans have been found. This suggests a proprietary development, which, beyond the technical issue, also has detection implications, since security engines cannot rely on previous signatures to block it easily.
How it's distributed: attractive lures and fake pages
The observed campaign has used domains that mimic the official store experience and hooks with adult content. The main lure detected is a supposed app called TikTok18+, apparently designed for Android and aimed at attracting Czech and Slovak-speaking users. After convincing the victim, the fake pages ask them to install the package from external sources, opening the door to the infection chain and thus bypassing Google's usual protections.
The channel through which users reach these domains has not been fully clarified, but it's reasonable to think of common social engineering techniques such as deceptive ads, messages promising exclusive content, and links planted on dubious sites. The key is that, once the installer has been downloaded, the rest of the process becomes much more difficult for an average user to stop, because the actions being requested may seem normal to them.
Infection chain in stages: from dropper to advanced payload

The infection starts with a malicious installer, a dropper that requests permission to install applications from unknown sources. This first step, which may seem innocuous to some, is actually the trigger that allows the real malware to land on the device. The process then requests critical permissions: Accessibility service, administrator privileges, reading and writing contacts, and the ability to manage system settings. With this set of permissions, the attacker can operate freely, modify settings, grant new permissions to its modules, and remain persistent.
In a second stage, the main payload is deployed, enabling remote control and advanced banking capabilities. In a third phase, a specialized NFC relay component called NFSkate, also known as NGate, is downloaded. This module is a variant based on a legitimate research tool known as NFCGate, which in malicious hands can remotely relay payment data. The related technique, dubbed Ghost Tap, was documented by ESET in August 2024, and RatOn integrates it as part of its arsenal, expanding its reach beyond simple credential capture.
How NFC Relay Works to Enable Fraud
NFC relaying involves using two devices to trick a payment terminal. One, close to the victim, captures the contactless payment card details; the other, located where the scammer is physically present, relays that data to a POS terminal to complete the transaction. The RatOn Trojan, with its dedicated module, allows an infected phone to act as the capturer, so the attacker receives the information in real time and uses it to make remote charges. In practical terms, this means that the compromised phone can be the gateway that enables the scam without the victim even noticing, especially if the device is unlocked and NFC is active at critical moments.
Overlays, ATS, and financial app takeovers
RatOn is a master of overlay attacks, placing fake screens over legitimate applications. This approach allows the interface of a banking or payment app to be cloned to capture PINs, passwords, and verification codes. Thanks to the accessibility service and administrative privileges, the malware can interact with interface elements, press buttons, confirm operations, and navigate menus as if it were the user, making the victim believe they are in the real app.
Its ATS (Automated Transfer System) function stands out for its ability to recognize financial app flows and enter stolen information to complete money transfers. Specific automations have been observed against George Česko, a popular banking app in the Czech Republic, which explains part of the campaign's geographic focus. This automation reduces the time required to empty accounts and, combined with credential theft, allows operations with little intervention from the victim.
Account takeovers aren't limited to traditional banking. The RatOn Trojan also targets popular cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. Once the malware obtains the PIN or recovery phrase, it's able to open the app, unlock it, navigate to the security sections, and extract the secret phrases, thus enabling asset theft. This multi-wallet and multi-language capability suggests a clear intention to expand into new markets, taking advantage of the limited traceability of certain cryptoassets.
Ransomware behaviors and psychological extortion
In addition to theft and control, RatOn includes features to lock the device and display overlay pages with ransom messages. In some cases, the fake screens accuse the victim of viewing or distributing illegal material and demand a payment of $200 in cryptocurrency within two hours to regain access. Beyond the threat, what's significant is the real objective: to pressure the person into opening a specific cryptocurrency app and completing a transfer, at which point the malware records the PIN and obtains the account keys, thus achieving the takeover without the victim suspecting it.
Other families, such as a variant of the HOOK Trojan for Android, have been observed incorporating ransomware-like overlay screens, reinforcing the idea that these psychological pressure techniques are becoming standard in mobile cybercrime. RatOn employs this same approach to achieve rapid monetization and confuse users about what is actually happening on their device, multiplying the chances of fraud success.
List of observed commands and what they are used for
One of the strengths of the RatOn Trojan is its list of remote commands, which facilitate remote control. The identified commands, which illustrate its scope and operational versatility from impersonation to device locking, include the following:
- send_push: Sends fake push notifications to the user.
- screen_lock: Adjusts the lock screen timeout.
- WhatsApp: Launches the application to interact with or spy on communication streams.
- app_inject: Modifies the list of target financial applications for overlays.
- update_device: Sends the list of installed apps and device data.
- send_sms: Send SMS using the accessibility service.
- Facebook: Open the app for fraud or data capture purposes.
- nfs: Download and run the NFSkate APK for NFC relaying.
- transfer: Run ATS against flows like George Česko's.
- block: Lock the device using administrative privileges.
- add_contact: Creates new contacts in the victim's address book.
- Record: Start a streaming or screen recording session.
- screen: Enables or disables screencasting when commanded by the attacker.
Additionally, researchers point to actions such as simulating a click on the Home button, modifying the clipboard, or sending the screen status in real time, which complement its keylogging functions. With this repertoire, the attacker can execute complete fraud chains without raising suspicion, automating steps that in other Trojans required manual intervention.
Scope, chronology and actors behind the campaign
Evidence suggests that the activity primarily affects users in Central Europe, with the greatest impact in the Czech Republic and Slovakia. The first samples linked to RatOn date back to July 5, 2025, with new samples identified on August 29, 2025, indicating continued development. Technical attribution points to a group known as NFSkate, which allegedly hosted the malicious applications on multiple domains with highly targeted lures, aimed at specific audiences and written in local languages.
Reports published by specialized mobile security firms have been key to documenting the emergence of RatOn, as well as detailing its modular nature and evolution from an NFC relay tool to a fully automated banking Trojan. The fact that it was created from scratch distinguishes it from clones or opportunistic variants, adding complexity to its study and neutralization.
Indicators and warning signs for the user
Several behaviors may suggest the presence of RatOn or a similar Trojan: for example, persistent requests to grant accessibility permissions, read and write contacts, manage the device, and control system settings. Also suspicious are changes to the screen lock time without user intervention, the appearance of unexpected push notifications, and the overlay of screens requesting sensitive credentials, especially if they are displayed on banking or cryptocurrency apps.
If you detect recently installed apps outside the official store or if your device frequently prompts you to install them from unknown sources, you should be extremely cautious. Another red flag is the presence of pages that mimic the Google store and promise modified versions of popular services with adult content, as these are common distribution channels in these campaigns, which appeal to curiosity to prompt impulsive downloads.
What to do if you suspect an infection on your phone?
If you suspect an infection, there are concrete steps you can take to reduce the damage. Below is a basic protocol, based on professional recommendations, that can help you cut off communication with the attackers and regain control of your device, keeping your accounts and personal data safe:
- Disconnect from the internet: Disable mobile data and Wi-Fi to prevent the malware from communicating with its server.
- Do not interact with suspicious messages or prompts: Avoid clicking on links or opening APK attachments.
- Remove suspicious permissions: Review administrator and accessibility access in Settings and revoke them without following external instructions.
- Boot into safe mode: This prevents third-party apps from running on startup.
- Scan with reputable antimalware: Use Play Protect or known mobile security solutions.
- Uninstall unknown or recent apps: from Settings in the Applications section; if it doesn't let you, seek professional help.
- Change passwords and activate 2FA: Do this from another clean device, starting with email, banking, and wallets.
- Backup and factory reset: If the signs persist, consider making a backup and restoring the device to factory settings.
- Contact your bank: Block accounts or cards if you detect irregular access or unauthorized transfers.
- Ask for professional support: essential if it is a company phone or contains sensitive information.
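The two signals the indicators section and the protocol above lean on most (apps installed from outside the official store, and apps holding accessibility access) can be checked from a workstation with adb. This is an added triage script, not code from the article or from any of the cited firms; it parses the text that `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services` return, and the package names below are constructed samples embedded so it runs offline.

```shell
#!/bin/sh
# Triage helper: flag sideloaded packages and cross-check them against the
# accessibility services enabled on the device. Replace the constructed
# samples with real adb output to run it against a phone.

# Constructed sample standing in for: adb shell pm list packages -3 -i
SAMPLE_PKGS='package:com.example.messenger  installer=com.android.vending
package:com.example.tiktok18plus  installer=null
package:com.example.nfcmodule  installer=com.example.tiktok18plus
package:com.example.bankapp  installer=com.android.vending'

# Constructed sample standing in for:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y='com.example.tiktok18plus/.OverlayService:com.example.screenreader/.ReaderService'

# Print names of packages whose installer is not Google Play (com.android.vending).
# Reads "package:<name>  installer=<pkg or null>" lines on stdin. A package whose
# installer is another third-party app (the dropper pattern) is flagged too.
flag_sideloaded() {
    awk -F'[ =]+' '/^package:/ {
        name = substr($1, 9)            # strip the "package:" prefix
        if ($3 != "com.android.vending") print name
    }'
}

# Print the package part of each enabled accessibility service.
# Reads the raw colon-separated setting value ("pkg/.Svc:pkg2/.Svc2") on stdin.
list_accessibility_pkgs() {
    tr ':' '\n' | awk -F'/' '$1 != "" && $1 != "null" { print $1 }'
}

# A sideloaded package that also holds an enabled accessibility service is the
# combination described in the article; print each such package name.
high_risk() {
    pkgs=$1
    a11y=$2
    side=$(printf '%s\n' "$pkgs" | flag_sideloaded)
    printf '%s\n' "$a11y" | list_accessibility_pkgs | while read -r p; do
        printf '%s\n' "$side" | grep -qxF "$p" && echo "$p" || :
    done
}

echo "Sideloaded packages:"
printf '%s\n' "$SAMPLE_PKGS" | flag_sideloaded
echo "High risk (sideloaded and accessibility enabled):"
high_risk "$SAMPLE_PKGS" "$SAMPLE_A11Y"
```

Device-admin holders can be reviewed the same way from `adb shell dumpsys device_policy`; its layout varies between Android versions, so it is left to manual inspection here.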
Good practices to reduce risk
Prevention is better than cure, and in the mobile world, that means being careful about where you install apps and what permissions you grant. Always prioritize downloading apps from official stores like Google Play, be wary of unknown domains, and avoid links that promise special versions of popular apps. Before accepting any permission, consider whether it makes sense for the app's purpose, and avoid granting administrator privileges or accessibility access to unverified tools at all costs, because they are the favorite shortcut for Trojans to take over your phone. Also consider encrypting your mobile to add another layer of protection.
If you notice unusual behavior, act quickly. A timely factory reset and an immediate call to your financial institution can make the difference between a scare and a serious problem. And if you manage business environments, consider specialized cybersecurity services, as these threats evolve rapidly and require proactive defenses, anti-fraud controls, and continuous monitoring.
Context, references and other related threats
Public documentation on the RatOn Trojan attributes the research to mobile security firms and details that the NFSkate group would have hosted the artifacts on domains with lures such as TikTok18+. References are included to the Ghost Tap technique described by ESET in 2024 and the presence of ransomware-like screens already seen in HOOK variants, which fits with the recent evolution of mobile fraud, where overlays are combined with high-level automations. It also helps to understand why security patches and vulnerability management are relevant against these threats, as explained in articles on security patches.
Some articles mention other pieces of the landscape, such as Crocodilus, a growing banking malware, and content exploring the observability of banking databases as part of the digital transformation. Although these are not directly part of RatOn, they help explain why the financial sector is a priority target and why advanced monitoring is key to combating attacks of this type, especially when the enemy can take control of the client's device.
Additional notes observed in the sources
Datelines and credits such as "Madrid, 12 Sep (Portaltic/EP)" have been seen, as well as mentions of photographic resources such as Mouse Resource on Unsplash and Frenjamin Benklin. This doesn't affect the technical analysis, but it indicates that the story has jumped to mainstream media with broad coverage, an unequivocal sign that the issue is of concern due to its potential impact.
Capacity for evolution and future risk
The fact that RatOn has quickly transitioned from NFC relaying to ATS and overlays suggests that the actors behind the project have mastered the inner workings of the attacked apps. Technical comments point to detailed knowledge of banking and cryptocurrency interfaces, including navigating to security sections to exfiltrate seed phrases. With its own codebase and modular architecture, it wouldn't be surprising to see new modules or attack verticals join soon, including the expansion of target languages and banks.
Where there are more users, there are more incentives for cybercrime to innovate, and mobile, with its combination of banking, communications, and nearby payments, concentrates a volume of data and transactions that is irresistible to attackers. That's why, at both the individual and corporate levels, it's so important to harden the attack surface with least-trust practices and user training, to cut off social engineering before the infection chain begins.
Specialized services and support
In today's ecosystem, many companies seek expert support to reduce operational risk against threats like RatOn. There are vendors that offer deployments and proactive monitoring, or even apps like Prey to strengthen your Android to detect abnormal behavior, harden devices, and protect transactions, helping you mitigate losses and respond quickly.
Among the companies mentioned in some articles is E dea as an actor proposing solutions, an example of how the sector has reacted to this type of mobile Trojans and how layered defenses can be articulated.
It's also worth remembering that, although the focus is often on malware, the exposure footprint is closely tied to everyday habits. Avoiding installations from unknown sources, avoiding claims of adult content or supposedly improved versions of popular apps, and paying attention to permissions are simple but effective barriers.
Hoaxes about the RatOn Trojan
In the same media ecosystem, news of scams and viral phenomena has circulated that has no technical relation to RatOn, such as the so-called like scam or visual curiosities of iOS interfaces, which show to what extent social lures can direct traffic to where the attacker wants and feed impulsive downloads.
RatOn has demonstrated that the mobile phone can be the perfect bridge between social engineering, credential theft, NFC relaying, and complete transfer automation. Add to this the ability to lock the device and use ransomware, and the combination is a delicate one. The sensible thing to do is to strengthen security habits, stay alert to permissions and installation sources, and have a response plan in place.
With a combination of user caution, technical controls, and, where appropriate, professional support, the chances of falling into the trap are reduced and the ability to react is significantly improved. Share the information so more people know about the RatOn Trojan and what to do to avoid it.
