A New and Dangerous Banking Trojan: RatOn Fuses RAT and NFC Attacks
ThreatFabric analysts have reported the emergence of a new and highly sophisticated banking trojan named RatOn, which fuses the capabilities of a traditional Android malware strain with advanced remote-access features and targeted attacks on payment applications.
Unlike most mobile trojans, RatOn integrates multiple attack vectors: overlaying fake screens on legitimate services, automating transfers within banking applications, and exploiting NFC relay mechanisms to steal card data. This combination makes it an exceptionally dangerous tool—capable not only of covert device control but also of directly siphoning funds.
According to ThreatFabric, RatOn is linked to the NFSkate group, previously known for developing tools to exploit contactless payments. The first samples of the trojan were identified in July 2025, with observed activity continuing through late August. During this campaign, attackers registered adult-content websites that hosted a downloader disguised as a third-party installer, prompting users to enable installation from unknown sources.
Once that setting was enabled, the downloader opened a page with an installation button that triggered a hidden installApk function. This delivered a secondary component to the victim’s smartphone, which then requested device administrator rights and access to Android accessibility services. With these privileges, RatOn gained complete control over the display, bypassed system dialogs, and confirmed permissions autonomously. From there, it could download a third module—NFSkate malware designed specifically for NFC-based attacks.
The core of RatOn’s functionality revolves around the Accessibility API. It can analyze the current interface state and relay it to its operators, simulate taps, input PIN codes, and alter system settings.
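The privilege chain described above (a sideloaded package that ends up holding an accessibility service) is something an analyst can triage directly from a device. The script below is an added example, not code from ThreatFabric or from the RatOn samples; it parses two constructed adb outputs (`settings get secure enabled_accessibility_services` and `pm list packages -3 -i`) and flags any enabled accessibility service whose package was not installed by a trusted store. The trusted-installer list and the sample package names are assumptions.

```python
"""Triage: flag sideloaded apps that hold an enabled Android accessibility service.

Input formats are those of `settings get secure enabled_accessibility_services`
(colon-separated pkg/ServiceClass components, or the literal "null") and
`pm list packages -3 -i` (lines "package:<pkg>  installer=<pkg|null>").
"""
from typing import Dict, List, Set

# Constructed sample output (not captured from a real device). The second
# service belongs to a package with installer=null, i.e. sideloaded.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.installer/com.example.installer.ControlService"
)
PM_LIST_OUTPUT = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.installer  installer=null
package:com.bank.app  installer=com.android.vending
"""

# Assumption: only the Play Store is trusted; extend per fleet policy (e.g. an MDM installer).
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}


def parse_accessibility_services(raw: str) -> Dict[str, str]:
    """Map package name -> full service component for each enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no services enabled
        return {}
    return {c.partition("/")[0]: c for c in raw.split(":") if "/" in c}


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, installer = line[len("package:"):].partition("installer=")
        installers[name.strip()] = installer.strip() or "null"
    return installers


def flag_sideloaded_accessibility(services_raw: str, pm_raw: str,
                                  trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return accessibility components whose package came from an untrusted installer."""
    installers = parse_installers(pm_raw)
    return [f"{component} (installer={installers.get(pkg, 'unknown')})"
            for pkg, component in parse_accessibility_services(services_raw).items()
            if installers.get(pkg, "unknown") not in trusted]


if __name__ == "__main__":
    for hit in flag_sideloaded_accessibility(ENABLED_SERVICES, PM_LIST_OUTPUT):
        print("REVIEW:", hit)
```

A flagged entry is a lead for manual review, not proof of compromise; pair it with a check of device-admin receivers and the download source of the APK.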
For fraudulent financial operations, the malware employs two primary techniques: overlaying fake forms and executing Automated Transaction System (ATS) attacks within banking apps. In the latter case, RatOn receives transfer details from its operators and systematically navigates the interface—from initiating the payment to confirming it with a previously stolen PIN. The trojan is also able to check and adjust transfer limits, suggesting that attackers are supported by an established money mule infrastructure.
Special emphasis has been placed on cryptocurrency wallets. RatOn supports MetaMask, Trust Wallet, Blockchain.com, and Phantom. Once instructed, it automatically launches the wallet, inputs stored credentials, accesses security settings, and extracts the mnemonic recovery phrase. A built-in keylogger captures this data and exfiltrates it to the command-and-control server. Notably, the trojan’s operator interfaces are localized into English, Russian, Czech, and Slovak, signaling a broader target audience.
The command set available to operators is remarkably extensive: launching WhatsApp and Facebook, altering clipboard content, sending SMS messages, adjusting screen brightness, or locking the device. It also supports real-time screen streaming, effectively transforming RatOn into a full-fledged remote administration tool (RAT) for compromised smartphones. Ransomware-like features, such as device locking and extortion messages, are present but considered secondary to the trojan’s automated financial theft capabilities.
Technical analysis revealed that RatOn’s codebase was written entirely from scratch, sharing no fragments with other known malware families. This underscores the significant investment by NFSkate in building its proprietary toolkit. Initially, the campaign targeted users in the Czech Republic, but the multilingual support and integration with global cryptocurrency platforms strongly suggest ambitions for worldwide expansion.
Experts warn that the advent of RatOn marks a sharp escalation in mobile banking threats: the convergence of RAT capabilities, NFC relays, and ATS automation effectively creates a universal weapon in the arsenal of cybercriminals.