RatOn Hijacks Bank Account to Launch Automated Money Transfers
Security researchers have uncovered a new Android banking trojan, dubbed RatOn, that combines traditional overlay attacks with NFC relay tactics to hijack bank accounts and initiate automated money transfers.
Developed from scratch by a threat actor group observed since July 2025, RatOn represents a significant evolution in mobile fraud capabilities.
Unlike standalone NFC relay tools or basic Remote Access Trojans (RATs), RatOn integrates an Automated Transfer System (ATS), enabling it to autonomously move funds through a targeted bank’s application interface.
The initial access vector for RatOn involves malicious “TikTok18+” themed domains that host a dropper APK.


Victims who grant permission to install from unknown sources are served a WebView-based installer, which triggers the download and side-loading of the second-stage payload.
Once installed, this payload immediately prompts for Accessibility service and Device Administrator privileges via additional WebViews, abusing these permissions to automate UI interactions without user awareness.
With Accessibility access, RatOn can:
- Monitor the foreground app and relay a text-based pseudo-screen or full screen casts to its command server.
- Automatically accept critical runtime permissions for contacts and system settings, which it uses to, for example, change ringtones or intercept PIN entries.
- Launch and control a third-stage component: the NFSkate NFC relay malware, enabling physical proximity attacks against contactless payment cards.
RatOn’s command set, delivered as JSON objects, includes live screen streaming, push-notification spoofing, device locking, and clipboard manipulation.
The dropper web page calls the installApk function if the victim presses the corresponding button.

Critically, the transfer command instructs the trojan to open the Czech bank’s app (“George Česko”) and navigate its UI elements, such as “Nová platba” (New payment) and “Odeslat” (Send), by name or hardcoded coordinates, entering stolen PIN codes to finalize transactions.
Global Cryptocurrency Theft
RatOn’s ATS module demonstrates a deep understanding of the target bank’s UI workflow. Before each transfer, it can query and adjust transaction limits via the check_limit and limit commands.
Once parameters are set, the trojan proceeds through the payment steps, culminating in an auto-typed PIN confirmation.
Money is then routed to mule accounts, suggesting collaboration with local operatives or mule networks in the Czech Republic and potentially Slovakia.
Beyond fiat transfers, RatOn also targets four major cryptocurrency wallets, extracting secret recovery phrases through UI automation. The following table summarizes its cryptocurrency wallet takeover capabilities:
| Wallet Application | Package Name | Language Support |
|---|---|---|
| MetaMask | io.metamask | English, Russian, Czech, Slovak |
| Trust: Crypto & Bitcoin Wallet | com.wallet.crypto.trustapp | English, Russian, Czech, Slovak |
| Blockchain.com | piuk.blockchain.android | English, Russian, Czech, Slovak |
| Phantom | app.phantom | English, Russian, Czech, Slovak |
RatOn launches the wallet app, inputs the stolen PIN, navigates to security settings, and reveals recovery phrases, which are then exfiltrated via its keylogger component.
This global functionality makes RatOn a potent threat to cryptocurrency holders worldwide.
Mitigations
RatOn’s fusion of NFC relay functionality, RAT features, overlay extortion tactics, and automated transfers marks a new chapter in mobile malware sophistication.
While its automated money-laundering focus reduces the need for traditional ransomware, its ransom note overlays remain available as a fallback extortion method. Security teams should prioritize the following mitigations:
- Enforce strict installation policies blocking unknown sources.
- Monitor Accessibility and Device Administrator grant requests.
- Employ behavioral analysis to detect anomalous UI automation in banking and wallet apps.
- Educate users on the risks of adult-themed phishing domains.
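The grant-monitoring and unknown-source mitigations above, and the Accessibility and Device Administrator abuse described earlier for RatOn's second stage, can be checked on a managed device from its shell. The following is an added example, not code from the article or from the researchers it cites: a Python triage helper that parses the text output of three standard Android commands (`settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `pm list packages -i`) and flags any package that combines an enabled Accessibility service, Device Administrator rights and a non-store installer. The allowlist, the exact output layouts (which vary between Android versions) and the sample outputs are assumptions, and the package names in the sample data are constructed rather than real indicators.

```python
"""Triage helper (added example): flag packages that hold the grant
combination RatOn's second stage requests. Output formats are assumed
from recent Android builds; sample data below is constructed."""
from __future__ import annotations
import re

# Assumption: a hypothetical allowlist of Accessibility services a fleet
# administrator has approved. Adjust for the devices you manage.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Installers considered trustworthy; anything else counts as side-loaded.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_accessibility(settings_output: str) -> set[str]:
    """'pkg/Service:pkg2/Service2' -> {pkg, pkg2}; 'null' or '' -> empty."""
    text = settings_output.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def parse_device_admins(dumpsys_output: str) -> set[str]:
    """Collect package names listed under 'Enabled Device Admins' in
    dumpsys device_policy. Accepts both 'ComponentInfo{pkg/cls}:' and
    'pkg/cls:' line shapes, since the format differs across versions."""
    admins: set[str] = set()
    header_indent = None
    for line in dumpsys_output.splitlines():
        if header_indent is None:
            if "Enabled Device Admins" in line:
                header_indent = len(line) - len(line.lstrip())
            continue
        # A non-blank line dedented to the header level ends the section.
        if line.strip() and len(line) - len(line.lstrip()) <= header_indent:
            break
        m = re.search(r"([A-Za-z][\w.]*)/[\w.$]+\}?:\s*$", line.strip())
        if m:
            admins.add(m.group(1))
    return admins


def parse_installers(pm_output: str) -> dict[str, str]:
    """'package:pkg  installer=com.android.vending' -> {pkg: installer}.
    Packages side-loaded via adb or a browser typically show installer=null."""
    result: dict[str, str] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def triage(settings_output: str, dumpsys_output: str, pm_output: str) -> dict[str, list[str]]:
    """Return {package: [reasons]} for packages that deserve a closer look."""
    a11y = parse_accessibility(settings_output)
    admins = parse_device_admins(dumpsys_output)
    installers = parse_installers(pm_output)
    findings: dict[str, list[str]] = {}
    for pkg in a11y | admins:
        reasons = []
        if pkg in a11y and pkg not in ALLOWED_ACCESSIBILITY:
            reasons.append("accessibility service enabled, not on allowlist")
        if pkg in admins:
            reasons.append("device administrator enabled")
        installer = installers.get(pkg)
        if installer is not None and installer not in TRUSTED_INSTALLERS:
            reasons.append(f"side-loaded (installer={installer})")
        if reasons:
            findings[pkg] = reasons
    return findings


# Constructed sample outputs standing in for the three adb shell commands.
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/com.example.sideloaded.A11yService"
)
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.sideloaded/com.example.sideloaded.AdminReceiver}:
      uid=10234
      policies:
        force-lock
  Device Owner: null
"""
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.bankapp  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_SETTINGS, SAMPLE_DUMPSYS, SAMPLE_PM).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device the three inputs come from `adb shell` (or an MDM agent's equivalent); the script deliberately reports each reason separately, so a legitimate screen reader on the allowlist produces no finding while a side-loaded package holding both privileges is surfaced with all three reasons.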
As threat actors continue refining multi-stage mobile trojans, collaboration between financial institutions, mobile OS vendors, and security researchers will be vital to disrupt emerging attack chains like RatOn.