Particle.news

New 'RatOn' Android Trojan Automates Bank Transfers and Adds Ransomware Extortion

Security analysts warn the dual-threat model could rapidly spread beyond initial tests.

Overview

  • ThreatFabric identified RatOn as an evolution from an NFC‑relay tool into a remote‑access banking trojan with account‑takeover capabilities.
  • The malware combines overlay attacks, NFC relay, and captured PINs to log in and execute automated transfers, with cryptocurrency wallets also targeted.
  • Operators push RatOn through adult‑themed lures and counterfeit app stores spoofing Google Play, often posing as TikTok variants to drive sideloading.
  • Victims are prompted to allow installs from unknown sources and to grant Accessibility and device‑administrator rights, enabling overlays and persistence.
  • Researchers report current activity concentrated in the Czech Republic and note related work showing a Hook variant with ransomware, signaling a broader shift toward theft paired with extortion.
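
A defender-side check for the install path and permission grants described in the overview, as an added example that is not part of the original article: it flags packages that were not installed by Google Play and that hold Accessibility and/or device-administrator rights. It assumes the inputs were collected beforehand with `adb shell pm list packages -i`, `adb shell settings get secure enabled_accessibility_services`, and a list of active device-admin components reduced to one `package/class` name per line; all package names and sample data are constructed.

```python
import re

# Installers treated as a trusted store (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample input, shaped like the command output named in the lead-in.
SAMPLE_PM = """package:com.example.fakevideo  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.reader  installer=null"""
SAMPLE_A11Y = "com.example.fakevideo/.A11yService:com.example.notes/.ReadAloud"
SAMPLE_ADMINS = "com.example.fakevideo/.AdminReceiver\ncom.example.reader/.Admin"

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def packages_from_components(text):
    """Extract package names from 'package/class' component strings."""
    return {m.group(1) for m in re.finditer(r"([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+", text)}

def flag_risky(pm_output, a11y_setting, admin_components):
    """Return (package, installer, rights, severity) for non-store apps holding
    Accessibility or device-admin rights; both rights together rate 'high'."""
    installers = parse_installers(pm_output)
    a11y = packages_from_components(a11y_setting)
    admins = packages_from_components(admin_components)
    findings = []
    for pkg in sorted(a11y | admins):
        installer = installers.get(pkg, "unknown")
        if installer in TRUSTED_INSTALLERS:
            continue  # installed through the trusted store; not a sideload
        rights = tuple(name for name, holders in
                       (("accessibility", a11y), ("device_admin", admins))
                       if pkg in holders)
        severity = "high" if len(rights) == 2 else "review"
        findings.append((pkg, installer, rights, severity))
    return findings

if __name__ == "__main__":
    for finding in flag_risky(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_ADMINS):
        print(finding)
```

Preinstalled system apps can also report `installer=null`, so "review" findings need a manual look before they are treated as sideloaded.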