Sep 10, 2025

Rapid Response: Zimperium’s Full Detection for RatOn — NFC Heists, Remote Control, and Automated Transfers

Nicolás Chiaraviglio

ThreatFabric has recently revealed RatOn, a groundbreaking Android malware campaign that fuses NFC relay attacks, overlay-based phishing, and remote access trojan (RAT) capabilities with an Automated Transfer System (ATS)—a combination seldom seen in the threat landscape. 

RatOn’s methodology is particularly alarming. Delivered via adult-themed malicious domains disguised as third-party installers targeting Czech and Slovak users, the dropper silently installs the RAT by prompting users to bypass standard Android safeguards. Once operational, RatOn abuses Accessibility Services and Device Admin privileges to remain hidden while performing powerful actions, including automated fraudulent transfers using overlay interfaces, real-time control of banking and crypto wallet apps, and even device locking for ransom scenarios. 

This Trojan targets both cryptocurrency wallets—including MetaMask, Trust, Blockchain.com, and Phantom—and a Czech banking application, enabling account takeover and the execution of fraudulent transfers. In some cases, attackers choose between traditional graphical screen-cast methods and resource-efficient text-based interfaces (“pseudo-screens”) for remote control. 

Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) detect 100% of the publicly available samples shared in the original analysis with high accuracy and in a zero-day fashion through our on-device dynamic detection engine. 

Why This Matters: RatOn is a rare synthesis of multiple attack vectors—NFC relay, overlay phishing, RAT functionality, and automated fraudulent transfers—packed into one highly adaptable banking Trojan. The use of NFC heists combined with ATS and remote control enables attackers to stage highly effective, near-immediate fraud operations while staying stealthy.

Organizations operating in or serving users in Eastern Europe—especially Czech and Slovak markets—should be on high alert. Any exposure to NFC functionality, banking apps, or crypto wallets now demands rigorous mobile defense solutions that can:

  • Block overlay-based phishing attempts,
  • Detect misuse of Accessibility and Device Admin permissions,
  • Identify automated fraudulent operations on-device, and
  • Prevent real-time RAT activity without relying on cloud components.
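The second bullet above, detecting misuse of Accessibility and Device Admin permissions, is something a responder can also check by hand on a suspect device. The following is an added triage example, not Zimperium's or ThreatFabric's code: it parses constructed samples shaped like the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags any package outside an allowlist that holds either privilege, with a package holding both being the RatOn pattern described at the top of this post. The package names, the allowlist, and the dumpsys excerpt are invented for illustration.

```python
"""Triage helper (added example): flag non-allowlisted packages that hold an
enabled Accessibility Service and/or an active Device Admin, the two privileges
RatOn abuses. Inputs below are constructed samples, not captured device output."""
import re

# Constructed sample of `settings get secure enabled_accessibility_services`:
# ':'-separated "package/service" entries. com.example.sideloaded is invented.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/com.example.sideloaded.AccService"
)

# Constructed excerpt in the shape of `dumpsys device_policy`; real dumps carry
# many more fields, but admin entries appear as an indented "package/receiver:" line.
DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.sideloaded/.AdminReceiver:
      uid=10234
      policies:
        force-lock
"""

# Assumption: packages expected to hold these privileges on a managed device;
# in practice this baseline comes from the fleet's MDM configuration.
ALLOWLIST = {"com.google.android.marvin.talkback", "com.example.mdm.agent"}


def accessibility_packages(settings_value: str) -> set:
    """Package names from a ':'-separated enabled_accessibility_services value."""
    return {entry.split("/", 1)[0] for entry in settings_value.split(":") if entry}


def device_admin_packages(dumpsys_text: str) -> set:
    """Package names listed as admin receivers in a device_policy dump."""
    return set(re.findall(r"^\s+([A-Za-z][\w.]*)/[\w.]+:\s*$", dumpsys_text, re.M))


def flag_suspicious(a11y: set, admins: set, allow: set) -> dict:
    """Unknown packages per privilege; 'both' is the combination RatOn relies on."""
    unknown_a11y = a11y - allow
    unknown_admin = admins - allow
    return {
        "accessibility": sorted(unknown_a11y),
        "device_admin": sorted(unknown_admin),
        "both": sorted(unknown_a11y & unknown_admin),
    }


if __name__ == "__main__":
    print(flag_suspicious(accessibility_packages(ENABLED_A11Y),
                          device_admin_packages(DEVICE_POLICY), ALLOWLIST))
```

On a real device, feed the two adb command outputs into the same functions; a hit in "both" is a strong reason to pull the APK for analysis rather than trust the app's label.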

Zimperium remains at the forefront of defending mobile ecosystems against complex, multi-faceted threats like RatOn by combining proactive threat hunting, real-time behavioral ML detection, and continuous updates to IOC coverage.

For a deeper breakdown of RatOn’s capabilities, read the full report here.