
RatOn Android Malware with NFC Relay and ATS Banking Fraud Capabilities Detected


Summary


A new Android malware named RatOn has been detected. It combines NFC relay attacks, automated transfer system (ATS) capabilities, and account takeover functions targeting cryptocurrency wallets and banking apps. RatOn was first observed in July 2025 and has been actively developed since. The malware targets Czech and Slovakian-speaking users and leverages fake Play Store listings to distribute malicious dropper apps. RatOn requests extensive permissions to bypass security measures and deploy additional malware, including NFSkate, which performs NFC relay attacks. The malware can also execute ransomware-like attacks, locking devices and demanding cryptocurrency payments. RatOn's capabilities include account takeover of cryptocurrency wallets and automated money transfers using the George Česko banking app. The malware's operators demonstrate a deep understanding of the targeted applications, suggesting a well-resourced and sophisticated threat actor.

Timeline

  1. 09.09.2025 14:53 · 1 article

    RatOn Android Malware Detected with NFC Relay and ATS Capabilities

    RatOn, a new Android malware, was detected on July 5, 2025. It combines NFC relay attacks, automated transfer system (ATS) capabilities, and account takeover functions targeting cryptocurrency wallets and banking apps. The malware targets Czech and Slovakian-speaking users and leverages fake Play Store listings to distribute malicious dropper apps. RatOn requests extensive permissions to bypass security measures and deploy additional malware, including NFSkate, which performs NFC relay attacks. The malware can also execute ransomware-like attacks, locking devices and demanding cryptocurrency payments. RatOn's capabilities include account takeover of cryptocurrency wallets and automated money transfers using the George Česko banking app.



Similar Happenings

Klopatra Android Trojan Conducts Nighttime Bank Transfers

A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them.

Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing.

The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. It integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis, uses native libraries to reduce its Java/Kotlin footprint, and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. It uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.