New Malware “RatOn” Steals Banking Credentials, Enables Automatic Transfers
A new malware strain dubbed “RatOn” is spreading via fake applications, most recently disguised as an adult version of TikTok called “Tiktok18+,” and poses a significant threat to mobile banking security. Security researchers at ThreatFabric have linked the malware to a group called NFSkate, which distributed the fraudulent app through domains targeting Czech and Slovak-speaking users.
RatOn infects devices through a malicious installer that requests extensive permissions – including accessibility service access, administrator privileges, and control over contacts and system configuration – allowing it to operate discreetly.
The malware employs several techniques to steal financial data, including overlay windows mimicking legitimate banking apps, interception of NFC communications for contactless payments, and a complex Automatic Transfer System (ATS). This ATS allows RatOn to initiate money transfers from bank accounts or cryptocurrency wallets once it obtains the user’s PIN or control of their banking application.
Beyond financial theft, RatOn can also function as ransomware, locking devices and demanding payment for their release, and as a keylogger, capturing user keystrokes. It boasts a wide range of commands, enabling it to open apps like WhatsApp, simulate screen touches, and even send screenshots of the device.
Analysts believe RatOn is a newly developed, custom-built threat, making it particularly dangerous. To protect against RatOn and similar malware, experts recommend only installing applications from official app stores, being cautious of suspicious links, carefully reviewing requested permissions, and avoiding granting administrative privileges to unknown apps. If infection is suspected, a factory reset and immediate contact with your bank to block accounts and cards are advised.
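The permission review recommended above can be automated against an app's decoded AndroidManifest.xml; the following is an added example, not code from the researchers or from the original article. The permission strings mapped to each capability the article names, the sample manifest and the review threshold of three are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities named in the article to Android
# permission strings; the article itself does not list permission names.
RISKY = {
    "accessibility service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device administrator": {"android.permission.BIND_DEVICE_ADMIN"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "system settings": {"android.permission.WRITE_SETTINGS"},
}

# Constructed sample: a decoded manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def risky_capabilities(manifest_xml):
    """Return the sorted capability labels that the manifest declares."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    for elem in root.iter():
        # <uses-permission> requests a permission through android:name;
        # services and receivers bind one through android:permission.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            declared.add(elem.get(ANDROID_NS + "name"))
        elif elem.tag in ("service", "receiver"):
            declared.add(elem.get(ANDROID_NS + "permission"))
    return sorted(label for label, perms in RISKY.items() if perms & declared)


def needs_review(manifest_xml, threshold=3):
    """Flag an app that combines `threshold` or more of the capabilities."""
    return len(risky_capabilities(manifest_xml)) >= threshold


if __name__ == "__main__":
    print(risky_capabilities(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

Each of these capabilities has legitimate uses on its own, so the check flags the combination for manual review rather than treating any single permission as a verdict.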