Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

RatOn

RatOn is an Android banking trojan and remote access trojan (RAT) that combines remote device control with NFC relay fraud. Reporting cited in the content describes it as a new Android malware first detected in the Czech Republic that evolved from a basic NFC relay tool into a more sophisticated trojan with Automated Transfer System (ATS) capabilities. RatOn has been observed using dropper apps impersonating adult-themed TikTok variants to deploy NGate, and some reporting states it installs a third module known as NFSkate. The malware is described as targeting banking apps and cryptocurrency wallets, using the Android Accessibility API to automate fraudulent transactions and empty accounts, including automated bank transfers against the Czech banking app George Česko. Additional capabilities directly mentioned in the content include remote smartphone control, screen capture, clipboard manipulation, SMS sending, theft of information from crypto wallets and banking apps, and device takeover. One cited report also says RatOn evolved to combine NFC relay, ransomware overlays, and ATS for financial and crypto theft. The content places RatOn in the broader Android NFC fraud ecosystem alongside NGate/NFSkate and notes that it represents a rare fusion of RAT functionality and NFC relay attacks. High-confidence targeting mentioned in the content includes financial assets, banking customers, and cryptocurrency wallet users, with activity specifically referenced in the Czech Republic.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
the hacker newsNews
Apr 21, 2026
NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs

Threat/campaign codename associated with dropper apps that impersonate adult-themed TikTok variants to deploy NGate for NFC relay attacks.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Android malware evolving into a RAT with NFC relay and Automated Transfer System (ATS) capabilities for banking fraud.

Read more
kaspersky blogNews
Jan 13, 2026
Direct and reverse NFC relay attacks being used to steal money | Kaspersky official blog

Android trojan combining remote device control with NFC relay; capabilities described include screen capture, clipboard manipulation, SMS sending, and theft of information from crypto wallets and banking apps to enable payment/ATM fraud.

Read more
eset welivesecurity blogNews
Dec 16, 2025
ESET Threat Report H2 2025

Android malware combining remote access trojan (RAT) capabilities with NFC relay attacks.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.