Particle.news

New ‘RatOn’ Android Trojan Automates Bank Theft and Deploys Ransomware Tactics

Researchers warn the hybrid design uses overlays, NFC relay and abusive permissions to streamline theft and pressure victims.

Overview

  • ThreatFabric reports RatOn evolved from an NFC‑relay tool into a remote‑access banking Trojan capable of overlay attacks and automated transfers.
  • Infections observed so far are concentrated in the Czech Republic, which researchers suggest may be a testing ground before broader distribution.
  • The malware targets banking apps and cryptocurrency wallets and can simulate or trigger a ransomware lock to coerce payment after funds are taken.
  • Operators spread the Trojan via adult‑themed lures such as fake ‘TikTok18+’ pages and bogus Play‑store fronts that prompt sideloading and Accessibility/device‑admin grants.
  • Zimperium zLabs separately flagged a new variant of the Hook banking Trojan that adds a ransomware element, underscoring a wider shift toward dual‑purpose mobile threats.