
A new Android malware called Raton has evolved from a basic tool capable of near-field communication (NFC) relay attacks into a sophisticated remote access trojan with automated transfer system (ATS) capabilities used to carry out on-device fraud.
“Raton combines traditional overlay attacks with automated transfers and NFC relay capabilities, making it a unique and powerful threat,” Dutch mobile security company ThreatFabric said in a report published today.
The banking trojan is equipped with account takeover features targeting cryptocurrency wallet applications such as MetaMask, Trust, Blockchain, and Phantom. It can also perform automated transfers that abuse George Česko, a banking application used in the Czech Republic.
Additionally, custom overlay pages and device locking can be used to carry out ransom-like attacks. Notably, a variant of the Hook Android trojan has also been observed incorporating a ransomware-style overlay screen to display an extortion message.
The first Raton sample distributed in the wild was detected on July 5, 2025, and further artifacts were discovered on August 29, 2025, indicating active development on the operator's part.

Raton is distributed through fake Play Store listing pages for an adult version of TikTok (TikTok 18+) that host the malicious dropper app delivering the trojan. It is not clear how users are currently lured to these sites, but the activity has singled out Czech- and Slovak-speaking users.
Once installed, the dropper asks the user for permission to install applications from third-party sources, bypassing the security restrictions Google imposes on sideloaded apps to prevent abuse of Android's accessibility services.
The second-stage payload then requests device administrator and accessibility service privileges, along with permissions to read and write contacts and manage system settings, in order to carry out its malicious functionality.
This includes granting itself additional permissions as needed and downloading the third-stage malware, which is none other than NFSkate, a malware family capable of NFC relay attacks using a technique called Ghost Tap. The family was first documented in November 2024.
“The account takeover and automated transfer capabilities show that the threat actors know the internals of their target applications very well,” ThreatFabric said, adding that the malware was built from scratch and does not share code similarity with other Android banking malware.
That's not all. Raton can display overlay screens resembling ransom notes, claiming that the user's phone has been locked for viewing and distributing child pornography, and that they must pay $200 in cryptocurrency within two hours to regain access.
The ransom note is believed to be designed to induce a false sense of urgency, prompting victims to open a cryptocurrency app and make a quick transaction, which allows the attackers to capture the device PIN code in the process.
“In the corresponding command, Raton launches a targeted cryptocurrency wallet app, unlocks it using the stolen PIN code, clicks on the interface elements related to the app's security settings, and reveals the secret phrase in the final step,” ThreatFabric said, detailing the account takeover feature.
The sensitive data is then recorded by the keylogger component and exfiltrated to an external server under the threat actors' control, allowing them to use the seed phrase to gain unauthorized access to the victim's account and steal cryptocurrency assets.

Some notable commands processed by Raton are listed below –
- send_push: send a fake push notification
- screen_lock: change the device lock screen timeout to the specified value
- whatsapp: launch WhatsApp
- app_inject: change the list of targeted financial applications
- a command that sends the list of installed apps together with the device fingerprint
- send_sms: send an SMS message using the accessibility service
- a command that locks the device using device administrator access
- ADD_CONTACT: create a new contact with the specified name and phone number
- record: launch a screen cast session
- display: turn screen casting on or off
“Threat actor groups initially targeted the Czech Republic, but Slovakia is likely to be the next focus,” ThreatFabric said. “The reason behind the concentration on a single banking application remains unknown. However, the fact that automated transfers require local bank account numbers suggests that the threat actors may be working with local money mules.”