Security researchers say a new Android banking trojan has emerged with the capabilities to establish remote access, initiate automatic bank transfers and steal digital assets from crypto wallets.
Cybersecurity firm ThreatFabric says it has witnessed the first cases of RatOn, which it describes as a “fully functional banking trojan” that takes over devices and accounts.
-->Says ThreatFabric MTI analysts,
“Instances where a trojan evolves from a basic NFC (near field communication) relay tool into a sophisticated RAT with Automated Transfer System (ATS) capabilities are virtually unheard of. That’s why the discovery of the new trojan RatOn by ThreatFabric MTI analysts is particularly noteworthy. RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality, making it a uniquely powerful threat.”
On top of taking full control of infected devices, analysts say RatOn can autoclick through mobile banking applications and enter stolen PINs to drain funds.
The malware can also unlock crypto wallets such as MetaMask, Trust Wallet, Phantom and Blockchain.com to steal recovery phrases.
For now, ThreatFabric says the thieves behind RatOn appear to be targeting users in the Czech Republic, with Slovakia in their sights. While the group appears to be operating domestically, the firm warns RatOn has the capabilities to attack on a global scale.
ThreatFabric says the entity behind RatOn infects users through adult-themed domains that deliver dropper apps disguised as third-party installers.
The malware subsequently initiates a multi-stage device takeover process, ultimately giving attackers a live view of the device’s screen.
Follow us on X, Facebook and Telegram
