“RatOn” Android Malware Uses NFC Relay and ATS Techniques to Target Banks and Crypto

339/68 Friday, September 12, 2025

Security researchers from the Netherlands have uncovered a new Android malware strain called RatOn, which evolved from NFC relay tools into a sophisticated Remote Access Trojan (RAT). RatOn is equipped with Automated Transfer System (ATS) capabilities to manipulate financial transactions, combining features such as overlay attacks, automated transfers, and NFC relay attacks in a single tool.

RatOn primarily targets cryptocurrency wallets including MetaMask, Trust, Blockchain.com, and Phantom, as well as banking apps such as George Česko in the Czech Republic. It can also mimic ransomware behavior by locking the screen and displaying ransom notes to coerce victims into opening crypto apps, carrying out transactions, and revealing sensitive information such as PIN codes and seed phrases, enabling attackers to steal digital assets.

The malware is distributed through fake apps impersonating the Play Store, such as “TikTok 18+.” Once installed, these apps act as droppers, requesting elevated permissions such as Accessibility Services and Device Admin before downloading multiple payload layers, including NFSkate, which performs NFC relay attacks using the Ghost Tap technique. Captured information is logged via a keylogger and sent to attacker-controlled servers. Current campaigns appear to focus on victims in the Czech Republic and Slovakia, with ongoing development of the malware observed.

Researchers warn that Android users should avoid installing apps from untrusted sources and carefully review requested permissions before granting access to minimize the risk of infection.

Source https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html