Particle.news

New 'RatOn' Android Trojan Automates Bank Transfers and Crypto Theft

Distribution through sideloaded fake stores targets users in the Czech Republic and Slovakia.

Overview

  • While researching the NFC-abusing NFSkate, ThreatFabric identified RatOn, a bespoke Android banking trojan with no code overlap with known families.
  • The malware operates across multiple apps and uses convincing overlays and fake lock screens to harvest credentials and extort victims.
  • Researchers report targeting of Czech banking apps, notably George Česko, as well as major crypto wallets including MetaMask, Trust Wallet, Blockchain.com, and Phantom.
  • Infections are linked to sideloaded apps from adult-themed domains and fake app stores such as those posing as “TikTok 18+,” bypassing Google Play protections.
  • Security guidance urges avoiding APK sideloading, sticking to official stores, enabling protections like Play Protect and two-factor authentication, and separating devices for crypto holdings.