‘RatOn’ Trojan Puts Credit Unions On Alert: New Malware Blends Remote Access, Auto Transfers, And NFC Attacks

NEW YORK—A newly identified banking trojan known as “RatOn” poses emerging risks for U.S. banks and credit unions, cybersecurity researchers warn.

The malware, first detected in attacks on a Czech bank, uses remote access, automated money transfers, and near-field communication relay techniques to compromise Android devices—tactics that could be adapted to target North American institutions.

"RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat," ThreatFabric stated in a release.

Researchers say RatOn includes account takeover capabilities aimed at cryptocurrency wallets such as MetaMask, Trust, Blockchain.com, and Phantom, along with tools for automating money transfers through George Česko, a Czech banking app. The malware can also mimic ransomware, using fake overlay pages and device locking to extort victims—a tactic previously seen in variants of the HOOK Android trojan. The first RatOn sample appeared on July 5, 2025, with additional versions detected as recently as Aug. 29, suggesting the malware is still under active development, The Hacker News said.

ThreatFabric reports that RatOn spreads through fake Google Play Store pages posing as an adult version of TikTok (“TikTok 18+”), which deliver malicious dropper apps. The campaign has mainly targeted Czech- and Slovak-speaking users, though the lure method remains unclear. Once installed, the dropper seeks permissions to bypass Android security controls, enabling the installation of additional apps. It then requests device administration, accessibility, and contact permissions before deploying a third-stage payload known as NFSkate (or NGate)—a modified version of the NFCGate research tool capable of performing near-field communication relay attacks.
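For mobile security teams, the permission sequence described above can be turned into a simple triage check. The sketch below is an added example, not code from ThreatFabric or the original report: it scans a decoded AndroidManifest.xml for the four requests the article lists (installing other apps, device administration, accessibility, contacts). The function name, the three-signal threshold, and both sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names for the four requests the article lists.
USES_PERMISSION = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install_other_apps",
    "android.permission.READ_CONTACTS": "contacts",
}
# Accessibility services and device-admin receivers declare these on the component.
COMPONENT = {
    ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"): "accessibility",
    ("receiver", "android.permission.BIND_DEVICE_ADMIN"): "device_admin",
}

def triage(manifest_xml, threshold=3):
    """Return the matched signals; flag when at least `threshold` co-occur (assumed cutoff)."""
    root = ET.fromstring(manifest_xml.strip())
    found = set()
    for node in root.iter("uses-permission"):
        label = USES_PERMISSION.get(node.get(ANDROID + "name"))
        if label:
            found.add(label)
    for (tag, permission), label in COMPONENT.items():
        if any(n.get(ANDROID + "permission") == permission for n in root.iter(tag)):
            found.add(label)
    return {"package": root.get("package"), "signals": sorted(found),
            "flag": len(found) >= threshold}

# Constructed sample manifests (not taken from any real app or RatOn sample).
SAMPLE_SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(triage(sample))
```

Each of these permissions appears in legitimate apps on its own, so a flag here marks a sideloaded app for closer review rather than identifying RatOn.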

"The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well," ThreatFabric said, describing the malware as built from scratch and sharing no code similarities with other Android banking malware.

Researchers warn that RatOn is also capable of displaying fake ransom screens. The tactic appears intended to create panic and pressure users into opening targeted cryptocurrency apps, during which the malware can capture device PIN codes and secretly take over accounts, The Hacker News explained.

"Upon corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using stolen PIN code, click on interface elements which are related to security settings of the app, and on the final step, reveal secret phrases," ThreatFabric said.

The malware’s keylogger records sensitive data and transmits it to a server controlled by the attackers, who can then use stolen seed phrases to access victims’ accounts and steal cryptocurrency, The Hacker News noted.

Copyright Holder: CUToday.info
Copyright Year: 2026