The PolySwarm Blog


RatOn Android Malware

Sep 19, 2025 2:18:19 PM / by The Hivemind

Verticals Targeted: Financial
Regions Targeted: Czech Republic, Slovakia
Related Families: NFSkate

Executive Summary

RatOn is a sophisticated Android banking trojan that integrates NFC relay capabilities with remote access and automated transfer functionalities, marking a notable evolution in mobile fraud tactics.

Key Takeaways

  • RatOn uses a multi-stage dropper to work around Android's restrictions on sideloaded apps, ultimately obtaining Accessibility service access and Device Admin privileges for persistent control.  
  • The trojan supports overlay attacks mimicking ransom notes, automated transfers targeting a specific Czech banking app, and account takeovers of major cryptocurrency wallets like MetaMask and Trust.  
  • Integrated with the existing NFSkate NFC relay tool, RatOn enables operators to perform contactless payment heists alongside remote device manipulation.  
  • Initial samples emerged in July 2025, with campaigns using adult-themed domains to target Czech and Slovakian users.

What is RatOn?

Mobile banking trojans continue to adapt, and RatOn exemplifies the trend by fusing NFC relay with a full remote-access feature set. Discovered while monitoring the NFSkate threat actor group, RatOn is a custom-built family with no code overlap with known variants. Analysts at ThreatFabric first encountered it in samples compiled between July 5 and August 29, 2025, distributed via droppers hosted on adult-themed domains and aimed at Czech and Slovakian users.

The infection chain begins with a dropper disguised as third-party software that prompts the user to allow installation of unknown apps (the REQUEST_INSTALL_PACKAGES permission). That step matters because, since Android 13, Restricted Settings blocks Accessibility access for apps sideloaded through a browser or file manager, while an app installed by another app through the session-based package installer is not subject to that block; splitting the chain into stages is what makes the later Accessibility abuse possible. Once the permission is granted, the dropper opens a WebView on a hardcoded URL and exposes an installApk function to the page's JavaScript, wired to a button on the page. Pressing it installs a second-stage APK carried in the dropper's assets, which in turn requests Accessibility access and Device Admin elevation through another WebView-based interface. Further permissions for contacts and system settings follow, auto-accepted via Accessibility abuse, enabling ringtone modification and background monitoring.

The second stage acts as a bridge, downloading or dropping a third-stage payload: the NFSkate module for NFC relay attacks against banking cards. From here, RatOn's core capabilities come into play. The control server issues JSON-formatted commands to the bot, including screen-state transmission for live monitoring, fake push notifications, and simulated UI interactions such as Home or Back button presses. Overlay attacks load WebViews with URL-hosted or inline HTML templates, often multilingual ransom notes in Czech and English, and can force the victim to open and unlock a cryptocurrency app so that the PIN is captured.
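The staged chain described in the two paragraphs above (an install permission plus a WebView JavaScript bridge with an install method and an APK in assets/ on the dropper side; an Accessibility service and Device Admin receiver on the payload side) can be turned into a static triage heuristic. The script below is an added example, not code from PolySwarm or ThreatFabric; it scores a decoded APK tree supplied as a dict of path to content (the layout assumed is apktool's output: AndroidManifest.xml at the root, assets/, and smali/). The indicator weights, the threshold, and the three sample trees are constructed for the example and are not published scoring rules or real samples.

```python
"""Static triage for a RatOn-style staged dropper chain (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP; a plain embedded payload starts with this

# Assumed weights: a single hit (a legitimate accessibility app, say) stays
# below THRESHOLD; the combinations seen in the chain cross it.
WEIGHTS = {
    "request_install_packages": 2,   # dropper asks to install unknown apps
    "js_bridge_install_method": 3,   # WebView bridge exposing an install*() method
    "embedded_apk_asset": 2,         # second stage carried under assets/
    "accessibility_service": 3,      # payload binds an AccessibilityService
    "device_admin_receiver": 3,      # payload binds a DeviceAdminReceiver
}
THRESHOLD = 5

# A public smali method whose name contains "install" (e.g. installApk).
INSTALL_METHOD = re.compile(r"^\.method\s+public\s+\w*install\w*\(", re.I | re.M)


def triage(files):
    """Return (score, hits) for a decoded APK given as {relative_path: str|bytes}."""
    hits = {}
    manifest = files.get("AndroidManifest.xml")
    if manifest is not None:
        root = ET.fromstring(manifest)
        perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
        if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
            hits["request_install_packages"] = "uses-permission"
        for svc in root.iter("service"):
            if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                hits["accessibility_service"] = svc.get(ANDROID + "name")
        for rcv in root.iter("receiver"):
            if rcv.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
                hits["device_admin_receiver"] = rcv.get(ANDROID + "name")
    for path, content in files.items():
        if path.startswith("assets/") and isinstance(content, bytes) and content.startswith(ZIP_MAGIC):
            # Catches only a plain APK; an encrypted or renamed payload needs size/entropy checks.
            hits["embedded_apk_asset"] = path
        if (path.endswith(".smali") and isinstance(content, str)
                and "Landroid/webkit/JavascriptInterface;" in content
                and INSTALL_METHOD.search(content)):
            hits["js_bridge_install_method"] = path
    return sum(WEIGHTS[h] for h in hits), hits


def is_suspicious(files):
    return triage(files)[0] >= THRESHOLD


# Constructed stage-1 dropper tree (not a real sample).
DROPPER = {
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>""",
    "smali/com/example/dropper/Bridge.smali": """.class public Lcom/example/dropper/Bridge;
.super Ljava/lang/Object;
.method public installApk(Ljava/lang/String;)V
    .annotation runtime Landroid/webkit/JavascriptInterface;
    .end annotation
    return-void
.end method""",
    "assets/stage2.apk": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 64,
}

# Constructed stage-2 payload tree: Accessibility service plus Device Admin receiver.
STAGE2 = {
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stage2">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>""",
}

# Constructed benign tree: an ordinary accessibility app, one indicator only.
BENIGN_A11Y = {
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <application>
    <service android:name=".Reader" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>""",
}

if __name__ == "__main__":
    for name, tree in (("dropper", DROPPER), ("stage2", STAGE2), ("benign", BENIGN_A11Y)):
        print(name, triage(tree), "suspicious" if is_suspicious(tree) else "ok")
```

The heuristic deliberately scores combinations rather than single indicators: accessibility apps and MDM agents legitimately bind those components, and REQUEST_INSTALL_PACKAGES is common in app stores and updaters, so any one hit stays below the threshold. The asset check only recognises an unobfuscated APK; a payload that is encrypted, renamed, or fetched from the network at runtime (as the third-stage NFSkate module can be) needs dynamic analysis or size and entropy checks instead.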

A standout feature is the automated transfer system (ATS), tailored to the George Česko banking app. On receiving a "transfer" command carrying the recipient details, amount, and account number, RatOn launches the app and navigates it with Accessibility-driven clicks on elements such as "Nová platba" (New payment), falling back to hardcoded screen coordinates. It auto-enters the previously intercepted PIN to confirm the payment. The transfers are domestic, which points to a local money mule network, and the malware checks and adjusts the account's transfer limits before sending, showing intimate knowledge of the app's UI.

The malware also targets several cryptocurrency wallets, including MetaMask, Trust, Blockchain.com, and Phantom, with support for English, Russian, Czech, and Slovak interfaces. It can unlock these apps with stolen credentials, navigate to their security settings, and exfiltrate recovery phrases through an integrated keylogger. NFC integration via NFSkate enables relay attacks, while further commands cover device locking, brightness changes, SMS sending, and even MP3 downloads for custom ringtones.

IOCs

PolySwarm has multiple samples of RatOn.

  • bf82609c55304c468996244d3ecc16348d9bea0891482ca724ffefcfaded8b66
  • bba15ecc8404698530761a122d3f03310b5e775f2e1552b645135fefd27e625c
  • 13f4b05abe78f7a5714f32ecddc9b5b463803c62cd8355f493b42af8cb4fa9db
  • 15734c54d25341317a2f58bbc3c9ed3f8efa73af50fb5feb1ef46b6c3e02cab9
  • 3578222693be106eac90343c12f06454b6de6e19a50d31ae5105218c36514bbd

You can use the following CLI command to search for all RatOn samples in our portal:

$ polyswarm link list -f RatOn


Topics: Threat Bulletin, overlay attacks, Accessibility Services abuse, RatOn, Android banking trojan, automated transfer system, cryptocurrency wallet takeover, mobile malware, NFSkate, NFC relay attack
