Fake TikTok Apps Spreading RatOn Android Banking Trojan Across Central Europe

A new strain of Android malware dubbed RatOn has evolved from a simple NFC relay tool into a sophisticated remote access trojan (RAT) with Automated Transfer System (ATS) features. First detected on July 5, 2025, RatOn has since undergone rapid development, with new variants identified as recently as late August.

According to Dutch cybersecurity firm ThreatFabric, RatOn merges overlay attacks, automated money transfers, and NFC relay functionality, making it one of the most powerful mobile banking threats to date. “The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said in its report.

The malware targets cryptocurrency wallets including MetaMask, Trust, Phantom, and Blockchain.com, while also abusing George Česko, a Czech banking app, to execute fraudulent transfers. Beyond theft, RatOn can mimic ransomware attacks by locking devices and displaying extortion-style overlay pages.

Threat actors are distributing RatOn through fake Google Play Store pages disguised as “TikTok 18+,” tricking Czech- and Slovak-speaking users into downloading malicious dropper apps.

Once installed, the malware requests broad device permissions, installs secondary payloads, and ultimately delivers NFSkate malware to perform NFC relay attacks using a method known as “Ghost Tap.”

The trojan can also display fake ransom messages claiming users’ phones are locked for criminal activity and demanding $200 in cryptocurrency. Security experts believe this ploy is designed to scare victims into quickly opening crypto apps, allowing the malware to capture PIN codes and steal seed phrases.

Commands processed by RatOn include sending fake push notifications, locking devices, launching WhatsApp or Facebook, recording screens, and injecting malicious code into financial apps. ThreatFabric added that the campaign initially focused on Czech users, with Slovakia likely to be targeted next, possibly through local money mule networks.
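The behaviours the article attributes to RatOn (drawing overlays on top of banking apps, driving those apps to perform transfers, installing secondary payloads, locking the device, and relaying NFC) each require an Android app to declare specific permissions or component bindings. The following triage script is an added example, not code from ThreatFabric or from the article; it parses a decoded `AndroidManifest.xml` (for instance, as produced by a decompiler) and flags the combination of declarations that together make those behaviours possible. The mapping from capability to permission name is this example's assumption, and the two manifests embedded below are constructed samples, not real RatOn artefacts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the capabilities described in the article to the
# Android permissions or component bindings an app must declare for them.
CAPABILITY_MARKERS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "dropper": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "nfc": {"android.permission.NFC"},
    "device_lock": {"android.permission.BIND_DEVICE_ADMIN"},
    "automation": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}


def extract_declarations(manifest_xml: str) -> set:
    """Return the permissions an app requests via <uses-permission>, plus the
    permissions that guard its <service> and <receiver> components (this is how
    accessibility services and device-admin receivers are declared)."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    found = set()
    for el in root.iter("uses-permission"):
        name = el.get(name_attr)
        if name:
            found.add(name)
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perm = el.get(perm_attr)
            if perm:
                found.add(perm)
    return found


def assess_manifest(manifest_xml: str) -> dict:
    """Map declarations to capabilities and flag the overlay + automation +
    dropper triad, which is what lets an app draw over a banking app, operate
    it without the user, and fetch further payloads."""
    decls = extract_declarations(manifest_xml)
    caps = sorted(c for c, markers in CAPABILITY_MARKERS.items() if decls & markers)
    high_risk = {"overlay", "automation", "dropper"}.issubset(caps)
    return {"capabilities": caps, "high_risk": high_risk}


# Constructed sample: a manifest declaring the full set of capabilities.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess_manifest(m))
```

A manifest that declares all five markers is not proof of malice (legitimate accessibility tools and MDM agents declare some of them), so the intended use is prioritising which sideloaded or unknown-source APKs get a closer look, and the capability list tells an analyst which behaviours to expect when detonating the sample.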
