New Android banking trojan RatOn threatens U.S. banks

[Image: Pet rat. Credit: George Dolgikh/Adobe Stock]
  • Key insight: RatOn combines automated transfers and NFC relay to exploit victims with infected Android devices.
  • What's at stake: Exploits using this malware and cross-border mule networks threaten banks, fintechs and payment infrastructure.
  • Forward look: Watch out for the malware to start targeting more banking apps beyond the one Czech bank it targets today.

Overview bullets generated by AI with editorial review

A new banking trojan, dubbed "RatOn," combines advanced remote access, automated money transfers and near-field communication relay attacks to target a specific bank in the Czech Republic via Android devices, but the malware presents potential risks to customers of U.S. banks and credit unions.

Security researchers at ThreatFabric, a cybersecurity research firm, discovered the malware. The researchers said RatOn has evolved from a tool that allows the threat actor to purchase from stores using compromised payment methods into a more comprehensive threat.

RatOn is a Remote Access Trojan (RAT), a type of malicious software that gives attackers complete control over an infected device, often without the device owner being able to detect the infection.

A RAT can also act as ransomware, locking the device and instructing the owner to send money or take some other action to unlock it. RatOn, according to ThreatFabric, can do either.

RATs provide threat actors with remote access to a device. In this case, RatOn provides the threat actor with visual access to the victim device's screen (basically, streaming the whole screen to the threat actor) or textual descriptions of what is on the screen.

Critically, RatOn also enables the threat actor to transfer money from the victim's account. It does this by automating fraudulent money transfers, mimicking a user's actions within a banking application.

RatOn launches the target banking application and initiates payment by automatically clicking on elements one by one, either by searching for them by name or using hardcoded screen coordinates. The malware then automatically types in a stolen PIN code to confirm transactions.

This automated process also allows attackers to check and adjust transaction limits before executing transfers.

Targeting cryptocurrency wallets

RatOn can be used for account takeover attacks against popular cryptocurrency wallets. It supports MetaMask, Trust, Blockchain.com and Phantom.

Upon receiving a command from the attacker, RatOn can launch a targeted crypto wallet app, unlock it using a stolen PIN code, navigate to the app's security settings and reveal credentials stored there.

The malware then records this sensitive data and sends it back to the attacker's server. This gives the attacker control over the victim's crypto wallet.

Sophisticated cash-out: NFC relay attacks

RatOn can also execute NFC relay attacks. ThreatFabric said RatOn has a connection to NFSkate malware, which enables this functionality.

In an NFC relay attack, the threat actor remotely transmits near-field communication (NFC) payment data from a compromised device to a so-called mule who uses it for in-person transactions at a point-of-sale terminal.

This tactic, known as a ghost tap, allows the attacker to coordinate buying goods (often gift cards) at physical retailers without visiting them personally.

NFC relay attacks also enable attackers to scale up their fraud operations by enabling multiple mules at different locations to buy goods in a short period of time, before the cardholder or bank can detect suspicious activity.

How RatOn infects devices

Attackers distribute RatOn through dropper applications, which are malicious applications that simply install more potent malware, often while misleading the user about what is being installed.

In the case of RatOn, the infection process often starts with victims visiting adult-themed websites. ThreatFabric said these sites incorporated "TikTok18+" in their name.

The dropper application requests permission from the user to install applications from third-party sources. If the user grants these permissions, the app then installs the second-stage payload.

This second stage then immediately asks the user for accessibility service access and device admin privileges.

Accessibility service access on Android devices is a legitimate feature designed to help users with disabilities interact with their devices. However, malware like RatOn abuses this to automate actions, read screen content and control the device without user intervention.

Device admin privileges are more powerful permissions that grant an application elevated control over device settings, allowing malware to perform actions like factory resets, password changes or lock screen disabling.

After obtaining these permissions, RatOn automatically grants itself additional permissions to read from and write to the user's contact list and manage system settings, which the malware uses to operate in the background and send information about what is on the device's screen (either screenshots or textual descriptions) to the threat actor's server.
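One defender-side way to triage a suspect APK for the permission chain described above, as an added example that is not ThreatFabric's tooling: parse the decoded AndroidManifest.xml (assumed already extracted to plain XML, for instance with apktool) and flag the accessibility-service plus device-admin pair alongside the sideloading, contacts, settings and NFC permissions. The sample manifest is constructed for this example.

```python
"""Static triage heuristic (added example, not ThreatFabric's tooling): flag an
Android manifest that requests the capability chain described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article attributes to RatOn, mapped to what they enable.
PERMISSION_TAGS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloads a second stage",
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.WRITE_SETTINGS": "manages system settings",
    "android.permission.NFC": "has NFC access (relay capable)",
}
# Accessibility services and device-admin receivers announce themselves
# through these intent-filter actions.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

def analyze_manifest(manifest_xml: str) -> dict:
    """Return the evidence found plus a coarse verdict (low/medium/high)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_TAGS:
            findings.append(PERMISSION_TAGS[name])
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    has_a11y = ACCESSIBILITY_ACTION in actions
    has_admin = DEVICE_ADMIN_ACTION in actions
    if has_a11y:
        findings.append("binds an accessibility service")
    if has_admin:
        findings.append("registers a device admin receiver")
    # The distinguishing trait is the pair: UI automation plus admin-level lockout.
    verdict = {2: "high", 1: "medium"}.get(int(has_a11y) + int(has_admin), "low")
    return {"verdict": verdict, "findings": findings}

# Constructed sample, not a real RatOn manifest; it mirrors the chain described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

A "high" verdict is a triage signal, not proof of malice: legitimate accessibility tools and MDM agents request these too, so pair it with a check of where the APK came from.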

Wider context and implications

RatOn's tactics align with trends observed in other advanced Android banking trojans like GodFather and Hook.

The GodFather malware, analyzed by security researchers in June, targeted nearly every major national bank in the U.S., prominent investment and brokerage firms and popular peer-to-peer payment apps.

Android's open-source nature, device fragmentation (in which manufacturers often install their own updates on devices) and the presence of third-party app stores with differing review processes all contribute to its susceptibility to such threats.
