RatOn Android malware with NFC relay and ATS fraud capabilities
Malware Activity
Summary
RatOn has evolved into a remote access trojan on Android that combines NFC relay, ATS money transfers, overlay attacks, and credential theft for banking and crypto fraud. The malware can target wallet apps such as MetaMask, Trust, Blockchain.com, and Phantom, and it can also abuse George Česko for automated transfers. Its delivery chain and permission abuse make it a broad account-takeover threat rather than a simple banking trojan. The activity was first detected on July 5, 2025 and continued to generate new artifacts through August 29, 2025.
Related Happenings
BeatBanker Android phishing campaign targeting Brazilian users
Campaign
First: 12.03.2026 09:56
Last: 12.03.2026 09:56
Sources 1
About this happening:
A **BeatBanker** Android phishing campaign is targeting **Brazilian users**, creating a risk of device compromise and payment theft. The lure uses **Google Play Store** lookalike...
BeatBanker Android malware activity
Malware Activity
First: 10.03.2026 23:27
Last: 10.03.2026 23:27
Sources 1
About this happening:
The **BeatBanker** Android malware is actively **hijacking devices** by posing as a **Starlink app**, creating risk of credential theft, illicit mining, and remote device control....
Massiv Android trojan device-takeover and credential-theft activity
Malware Activity
First: 19.02.2026 12:24
Last: 19.02.2026 12:24
Sources 1
About this happening:
The **Massiv** Android trojan has been disclosed as a **device-takeover** threat that can steal banking credentials and enable fraudulent transactions. It uses **screen streaming*...
Wonderland Android SMS stealer activity targeting Uzbekistan
Malware Activity
First: 22.12.2025 08:11
Last: 22.12.2025 08:11
Sources 1
About this happening:
The **Wonderland** Android SMS stealer is being spread through **malicious droppers** in attacks targeting **users in Uzbekistan**, enabling **SMS and OTP theft** and bank-card fr...
Albiriox Android malware activity
Malware Activity
First: 01.12.2025 18:30
Last: 01.12.2025 18:30
Sources 1
About this happening:
**Albiriox** is an **Android malware** family now being sold as **Malware-as-a-Service**, and it matters because it enables **remote device takeover** and **real-time fraud** agai...
Timeline
- 09.09.2025 14:53 · 1 article · 8mo ago
RatOn first detected in the wild
Detection IoC Update: RatOn's first sample distributing the Android malware is detected in the wild on July 5, 2025, marking the earliest observed appearance of the campaign.
Sources:
- RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities — thehackernews.com — 09.09.2025 14:53
- 09.09.2025 14:53 · 1 article · 8mo ago
RatOn artifacts indicate active development
Campaign Scope Update: More RatOn artifacts are discovered on August 29, 2025, indicating the operators are still actively developing the Android malware.
Sources:
- RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities — thehackernews.com — 09.09.2025 14:53
- 09.09.2025 14:53 · 2 articles · 8mo ago
ThreatFabric details RatOn Android banking trojan capabilities
Initial Disclosure: RatOn is described as an Android banking trojan that merges traditional overlay attacks with NFC relay functionality and Automated Transfer System (ATS) transfers, targets MetaMask, Trust, Blockchain.com, Phantom, and George Česko, and can steal PIN codes and secret phrases after users install malicious dropper apps from fake TikTok 18+ Play Store pages.
Sources:
- RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities — thehackernews.com — 09.09.2025 14:53