# RatOn
RatOn is an Android banking trojan that combines NFC relay attacks with ATS (Automated Transfer System) capabilities, making it the first known family to merge these two fraud techniques into a single platform. Discovered by ThreatFabric in September 2025, the malware evolved from a basic NFC relay tool into a sophisticated RAT with crypto wallet seed phrase extraction. It initially targeted banking customers in the Czech Republic and has expanded into Slovakia, building on the NFC relay research first demonstrated by ESET's analysis of NGate.
## Overview
| Attribute | Details |
|---|---|
| First Seen | July 5, 2025 |
| Status | Active |
| Type | Banking trojan, NFC relay, ATS, RAT |
| Attribution | Unknown |
| Distribution | Fake TikTok 18+ Play Store pages |
## Origin and Lineage
RatOn's development trajectory shows a clear evolution from a simple NFC relay tool to a multi-capability banking trojan. ThreatFabric's analysis documents this progression.
The NFC relay technique at RatOn's core builds on research first published by ESET regarding NGate, a family that demonstrated the viability of relaying NFC payment card data from a victim's device to a mule operating at a physical POS terminal or ATM. RatOn took this concept and expanded it significantly by adding remote access, ATS for automated money transfers, and cryptocurrency wallet targeting.
The evolution from a focused NFC relay tool to a full-featured RAT with ATS suggests active development by operators who recognized the limitations of a single-vector approach and systematically added complementary fraud capabilities.
## Distribution
| Vector | Details |
|---|---|
| Fake TikTok pages | Fraudulent "TikTok 18+" pages mimicking Google Play Store listings |
| Social engineering | Lures designed to appeal to users seeking age-restricted content |
ThreatFabric documented that RatOn is distributed through fake Play Store pages advertising a "TikTok 18+" application. The adult content lure is designed to override user caution about sideloading apps from outside the official store.
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| NFC relay | Reads payment card data through the victim's device and relays it to mules at physical POS terminals |
| ATS | Automated money transfers targeting Czech banking app George Cesko |
| Crypto wallet theft | Seed phrase extraction via Accessibility Service from MetaMask, Trust Wallet, Blockchain.com, Phantom |
| Remote access | Full device control for manual fraud operations |
| Accessibility abuse | Used for both crypto seed extraction and ATS automation |
### NFC Relay
The NFC relay capability is RatOn's foundational feature. The attack chain works as follows:
- The victim is socially engineered into placing their payment card against their NFC-enabled phone
- RatOn reads the NFC data from the payment card
- The captured card data is relayed in real time to a mule's device
- The mule uses the relayed data at a physical POS terminal or ATM to make transactions or withdraw cash
This attack turns the victim's device into a bridge between their physical payment card and a remote attacker. The technique was first documented in the wild with the NGate family, but RatOn is the first to combine it with additional fraud mechanisms.
### Automated Transfer System (ATS)
ThreatFabric confirmed that RatOn is the first family to combine NFC relay with ATS. The ATS component specifically targets George Cesko, the mobile banking application of Ceska sporitelna (Czech Savings Bank). ATS automates the process of initiating and confirming money transfers within the banking app without the victim's awareness, using the Accessibility Service to navigate the app, fill in transfer details, and approve transactions.
### Cryptocurrency Wallet Targeting
RatOn extracts seed phrases from cryptocurrency wallet applications through Accessibility Service monitoring:
| Wallet | Targeted Data |
|---|---|
| MetaMask | Seed phrase / recovery phrase |
| Trust Wallet | Seed phrase / recovery phrase |
| Blockchain.com | Seed phrase / recovery phrase |
| Phantom | Seed phrase / recovery phrase |
The Accessibility Service monitors when a user navigates to seed phrase display screens within these wallet apps and captures the displayed text. This gives operators access to the victim's cryptocurrency holdings across any blockchain supported by the compromised wallet.
## Technical Details
### Multi-Vector Fraud Architecture
RatOn's significance lies in its combination of three distinct fraud techniques in a single package:
- NFC relay for physical card fraud at POS terminals and ATMs
- ATS for automated bank transfers through the victim's own banking app
- Crypto theft through seed phrase extraction for cryptocurrency wallet drainage
This multi-vector approach gives operators flexibility to monetize compromised devices through whichever channel offers the highest return, whether that is cloning payment cards, automating bank transfers, or stealing cryptocurrency.
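As an added defender-side example (not code from ThreatFabric's report or from the malware), the script below correlates three artifacts an analyst can pull from an Android device with adb to surface packages matching the profile described above: an enabled accessibility service belonging to a package that was not installed by Google Play and that also requests NFC. The package names, service names and adb output excerpts are constructed samples, and the exact layout of `pm list packages -i` and `dumpsys package` output is an assumption.

```python
import re
PLAY_STORE = "com.android.vending"

# Constructed `settings get secure enabled_accessibility_services` output (pkg/service pairs).
ENABLED_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
                "com.example.tiktok18/.RelayService")  # second entry: hypothetical trojan
# Constructed `pm list packages -i` output; installer=null means sideloaded.
PKG_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.tiktok18  installer=null
"""
# Constructed excerpt of `dumpsys package com.example.tiktok18` (permission sections only).
DUMPSYS = {
    "com.example.tiktok18": """    requested permissions:
      android.permission.INTERNET
      android.permission.NFC
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

def parse_installers(pm_output):
    """Map package name -> installer package (None when sideloaded)."""
    found = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def parse_requested_permissions(dump):
    """Names listed under 'requested permissions:' up to the next section header."""
    perms, inside = set(), False
    for line in map(str.strip, dump.splitlines()):
        if line == "requested permissions:":
            inside = True
        elif inside and line.endswith(":"):
            break
        elif inside and line:
            perms.add(line)
    return perms

def triage(a11y_setting, pm_output, dumps):
    """Return {package: reasons}; three reasons means the full RatOn-style profile."""
    installers = parse_installers(pm_output)
    report = {}
    for entry in filter(None, a11y_setting.split(":")):
        pkg = entry.split("/", 1)[0]
        reasons = ["accessibility service enabled"]
        if installers.get(pkg) != PLAY_STORE:
            reasons.append("not installed by Play Store")
        if "android.permission.NFC" in parse_requested_permissions(dumps.get(pkg, "")):
            reasons.append("requests NFC")
        report[pkg] = reasons
    return report
```

On a real device, feed the script the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>` for each package in the first list.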
### C2 Communication
Specific C2 protocol details were not fully disclosed in ThreatFabric's initial publication. The C2 infrastructure supports real-time NFC data relay, which requires low-latency communication between the victim's device and the mule's device.
## Target Regions
| Region | Status | Details |
|---|---|---|
| Czech Republic | Primary target | Initial campaign, George Cesko banking app targeted |
| Slovakia | Expanding | Secondary target region |
ThreatFabric's report documents the Czech Republic as the initial target with expansion into Slovakia. The focus on George Cesko (the Czech Savings Bank app) for ATS confirms the geographic specificity of the current campaign.
## Notable Campaigns
July 2025: First RatOn samples observed in the wild, initially functioning as a basic NFC relay tool. Distribution begins through fake TikTok 18+ Play Store pages targeting Czech users.
September 2025: ThreatFabric publishes its analysis, documenting RatOn's evolution from a simple NFC relay tool into a comprehensive RAT combining NFC relay, ATS targeting George Cesko, and crypto wallet seed phrase extraction. The family is confirmed as the first to combine NFC relay with ATS capabilities.
## Related Families
RatOn builds on the NFC relay concept pioneered by NGate, which ESET documented as the first Android malware performing NFC relay attacks in the wild. While NGate demonstrated the viability of the technique, RatOn represents its maturation by combining it with established banking trojan capabilities.
Other families with ATS capabilities include Anatsa, which pioneered ATS fraud through Google Play distribution, and SharkBot, which combines ATS with DGA-based C2. The crypto wallet targeting overlaps with families like SparkCat and SpyAgent, though RatOn uses Accessibility Service monitoring rather than OCR for seed phrase capture.
The combination of physical-world fraud (NFC relay at POS terminals) with digital fraud (ATS bank transfers and crypto theft) represents a convergence trend in mobile malware, where operators seek to maximize monetization by exploiting every available channel on a compromised device.