New Android RAT uses Near Field Communication to automatically steal money from devices


  • RatOn is a rare Android trojan combining NFC relay, overlay attacks, and automated money transfers
  • It targets banking apps and crypto wallets, stealing PINs and recovery phrases
  • Spread via fake TikTok apps, it mainly targets users in Czechia and Slovakia

Security researchers have uncovered a rare strain of Android malware with capabilities that were “virtually unheard of” - until now.

Earlier this week, ThreatFabric published an in-depth report on RatOn, a Remote Access Trojan (RAT) with NFC relay capabilities.

An NFC relay attack is when criminals use two devices to trick a payment terminal into thinking a real card or phone is present, even though it is somewhere else. One device (the infected one) reads the victim’s card data and instantly relays it to a second device, held near the terminal, which makes the payment on the criminals’ behalf.

RatOn Malware

“Instances where a trojan evolves from a basic NFC relay tool into a sophisticated RAT with Automated Transfer System (ATS) capabilities are virtually unheard of,” ThreatFabric said. “That’s why the discovery of the new trojan RatOn by ThreatFabric MTI analysts is particularly noteworthy. RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality—making it a uniquely powerful threat.”

RatOn was first assembled in early July 2025, with the latest version popping up on August 29, meaning it is in active development. It primarily serves as an Android banking trojan, taking over devices and accounts. It also targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, or Phantom, and can steal PINs and recovery phrases.

The malware also uses overlays to trick users and lock devices, and performs automated money transfers through the George Česko banking app. Since George Česko is a mobile banking app in Czechia, the researchers concluded that the attackers are targeting, first and foremost, individuals in Czechia and Slovakia.

The malware is being distributed via spoofed Google Play Store pages. The pages advertised an adult version of the TikTok app, which served a malware dropper.

Once installed, the dropper asks the victim for certain permissions, including one that allows it to install apps from third-party sources. If granted, it deploys a second-stage payload and asks for additional permissions, including the dreaded Accessibility Services.
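The permission chain described above (sideloaded app, permission to install further packages, then an enabled accessibility service) is something a defender can check for on a device. The script below is an added example, not code from the article or from ThreatFabric; it triages constructed text in the shape of `adb shell dumpsys package <pkg>` and `settings get secure enabled_accessibility_services` output, with hypothetical package names.

```python
"""Triage installed apps for the sideload -> install-packages -> accessibility
chain. Sample input is constructed; package names are hypothetical."""
import re

# Constructed excerpts in the shape of `adb shell dumpsys package <pkg>`.
DUMPSYS_SAMPLE = {
    "com.example.tiktok18": """Package [com.example.tiktok18] (1a2b3c):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
""",
    "com.example.bank": """Package [com.example.bank] (4d5e6f):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
""",
}
# Constructed value of `settings get secure enabled_accessibility_services`.
ENABLED_A11Y_SAMPLE = ("com.example.tiktok18/.OverlayService:"
                       "com.android.talkback/.TalkBackService")

def parse_dumpsys(text):
    """Pull the installer and the requested permission names from one dump."""
    installer = re.search(r"installerPackageName=(\S+)", text)
    perms = re.findall(r"^\s+(android\.permission\.\S+)\s*$", text, re.M)
    return {"installer": installer.group(1) if installer else None,
            "perms": set(perms)}

def enabled_accessibility_packages(settings_value):
    """Entries are pkg/ServiceClass separated by ':'; keep the package part."""
    return {entry.split("/")[0] for entry in settings_value.split(":") if entry}

def flag_suspicious(dumps, a11y_value, trusted=("com.android.vending",)):
    """Return packages that show every link of the chain, with the reasons."""
    a11y_pkgs = enabled_accessibility_packages(a11y_value)
    flagged = {}
    for pkg, text in dumps.items():
        info = parse_dumpsys(text)
        reasons = []
        if info["installer"] not in trusted:          # not from Google Play
            reasons.append("sideloaded")
        if "android.permission.REQUEST_INSTALL_PACKAGES" in info["perms"]:
            reasons.append("can_install_packages")    # can drop a 2nd stage
        if pkg in a11y_pkgs:
            reasons.append("accessibility_enabled")   # overlay/ATS lever
        if len(reasons) == 3:
            flagged[pkg] = reasons
    return flagged

if __name__ == "__main__":
    for pkg, why in flag_suspicious(DUMPSYS_SAMPLE, ENABLED_A11Y_SAMPLE).items():
        print(pkg, ", ".join(why))
```

On a real device, feed it the output of the two `adb` commands per installed package; an app matching all three conditions deserves a closer look, not automatic removal.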

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
