- RatOn is a rare Android Trojan that combines NFC relay, overlay attacks and automated money transfers
- It targets banking apps and cryptocurrency wallets, stealing PINs and recovery phrases
- Spread via fake TikTok apps, it is mainly aimed at users in the Czech Republic and Slovakia
Security researchers have revealed a rare strain of Android malware with capabilities that were, until now, "almost unheard of".
Earlier this week, ThreatFabric published an in-depth report on RatOn, a remote access Trojan (RAT) with NFC relay capabilities.
An NFC relay attack is when criminals use two devices to trick a payment terminal into thinking that a real card or phone is present, even though it is somewhere else. One device (the infected one) reads the victim's card data and instantly relays it to a second device, which makes the payment on the victim's behalf.
RatOn malware
"Instances where a Trojan evolves from a basic NFC relay tool into a sophisticated RAT with automated transfer system (ATS) capabilities are almost unheard of," says ThreatFabric. "That is why the discovery of the new Trojan RatOn by ThreatFabric MTI analysts is especially remarkable. RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality, making it a uniquely powerful threat."
RatOn was first observed in early July 2025, and the latest version appeared on August 29, which indicates it is under active development. It operates primarily as an Android banking Trojan, taking over devices and accounts. It also targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com and Phantom, and can steal PINs and recovery phrases.
The malware also uses overlays to deceive users, locks devices, and performs automated money transfers through the George Česko banking app. Since George Česko is a mobile banking app used in the Czech Republic, the researchers concluded that the attackers are primarily targeting individuals in the Czech Republic and Slovakia.
The malware is distributed via spoofed Google Play Store pages, built to advertise an adult version of the TikTok app that in fact hosts a malware dropper.
Once installed, the dropper asks the victim for certain permissions, including one that allows it to install apps from third-party sources. If granted, it installs the next-stage payload and requests additional permissions, including the dreaded accessibility services.
Via The Hacker News