New Android Banking Trojan “RatOn” Can Drain Your Bank Accounts
When a new strain of Android malware appears, it’s usually just an evolution of an existing family, borrowing code and tactics from what came before. This time, though, researchers have found something different. A new banking trojan named RatOn has surfaced, and it’s been written entirely from scratch with no code similarities to known malware. That makes it harder to detect and potentially more dangerous than other trojans currently in circulation.
The discovery was made by ThreatFabric while analyzing another malware strain that uses near-field communication (NFC) to steal contactless payment information. What surprised researchers was that RatOn wasn’t confined to a single malicious app. Instead, it was part of a wider campaign involving multiple apps, which suggests that its operators are preparing for large-scale distribution.
RatOn is not just a simple malware sample. It is a fully developed banking trojan with powerful features. It can take control of Android devices and the accounts linked to them, perform automated money transfers (ATS), and launch overlay attacks that make users believe their phones are infected with ransomware. In short, it combines stealth, deception, and automation in ways that could allow hackers to drain victims’ financial accounts quickly and remotely.
TL;DR
RatOn is a newly discovered Android banking trojan that can drain bank accounts using automated transfers, steal credentials with fake overlays, and even mimic ransomware lock screens. Built from scratch, it is currently spreading through multiple malicious apps. To stay safe, avoid sideloading, stick to official app stores, keep Google Play Protect enabled, and consider antivirus protection.
How RatOn Spreads
RatOn isn’t just hidden in a single rogue app. Instead, it’s part of a broader malware campaign designed to trap unsuspecting Android users through multiple malicious apps. The hackers behind it registered adult-themed domains, many using names such as “TikTok18+,” and used these as bait. The promise of exclusive or restricted content was enough to lure users into downloading apps outside of official app stores.
When victims sideload these apps, they unknowingly install a malware dropper—a type of installer designed to bypass Android’s built-in security checks. This dropper then requests extensive permissions, including the right to install apps from unknown sources, access Accessibility services, and assume Device Admin privileges. Once those permissions are granted, the attackers gain deep control of the device.
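For defenders triaging a suspicious APK, the permission combination described above can be checked statically. The following is an added example, not code from the original article or from the researchers' report; it assumes the APK's manifest has already been decoded to text XML, and the sample manifests, function names, and scoring thresholds are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted samples, prefer a hardened parser such as defusedxml

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# The other two capabilities appear as components guarded by a system binding permission.
COMPONENT_BINDINGS = {
    "accessibility_service": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "device_admin": ("receiver", "android.permission.BIND_DEVICE_ADMIN"),
}

def manifest_capabilities(manifest_xml):
    """Return which of the three dropper capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") == INSTALL_PERM:
            found.add("install_packages")
    for label, (tag, binding) in COMPONENT_BINDINGS.items():
        if any(c.get(ANDROID_NS + "permission") == binding for c in root.iter(tag)):
            found.add(label)
    return found

def triage(manifest_xml):
    """Assumed thresholds: all three -> 'high', any two -> 'review', else 'none'."""
    caps = sorted(manifest_capabilities(manifest_xml))
    level = {3: "high", 2: "review"}.get(len(caps), "none")
    return level, caps

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
SCREEN_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.reader">
  <application>
    <service android:name=".Reader" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("screen_reader", SCREEN_READER)):
        print(name, triage(xml))
```

A match is a triage signal rather than a verdict, since legitimate apps such as device-management agents can declare the same capabilities; weigh it together with where the app was installed from.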
From there, RatOn begins downloading additional components to extend its functionality. One of these is NFSkate, another malware strain that ThreatFabric had been investigating. NFSkate is capable of carrying out NFC relay attacks, which can steal contactless payment information from targeted devices. In previous cases, this kind of attack required criminals to be physically close to their victims. But with RatOn combining automated transfers and overlays, attackers can operate from anywhere, making the threat far more widespread.
Why RatOn Is Dangerous
What makes RatOn stand out from other Android malware is the way it combines automation, deception, and remote access. Many banking trojans rely on stolen credentials or local attacks, but RatOn goes much further. Its ability to perform automated money transfers means that hackers can quietly move money from a victim’s bank account without requiring them to log in or approve transactions. Once the malware is installed, attackers can act independently, making the theft almost invisible until it’s too late.
The use of overlay attacks adds another layer of danger. These overlays look almost identical to legitimate banking or finance apps, which means even cautious users can be tricked into entering their details. Once captured, those credentials give criminals direct access to accounts from anywhere in the world. Unlike earlier threats such as NFSkate, which relied on close physical proximity for NFC attacks, RatOn’s tactics allow hackers to operate globally.
On top of this, RatOn employs fear to pressure victims into compliance. By simulating a ransomware lock screen, it convinces users that their device has been hijacked. While the phone isn’t truly encrypted, the illusion is powerful enough to make many people send money in a panic. This mix of financial theft and psychological manipulation makes RatOn especially dangerous, because it exploits both technology and human behavior.
Researchers warn that RatOn’s design suggests it is not just an experimental strain but a fully developed banking trojan built for scale. Even though it is currently active only in the Czech Republic, it has the potential to spread widely and cause serious damage if deployed in larger regions such as the U.S. or U.K.
How to Protect Your Device
The good news is that while RatOn is sophisticated, protecting yourself from it doesn’t require advanced technical skills. Here are a few precautions Android users can take.
The most important step is to avoid sideloading apps. Many users are tempted to install apps from third-party websites, especially if they promise exclusive features or content. But this is exactly how RatOn spreads. By sticking to official sources such as the Google Play Store or Samsung Galaxy Store, you greatly reduce the risk of infection.
It’s also important to keep Google Play Protect turned on. This built-in feature automatically scans apps on your device and any new apps you download, flagging anything that looks suspicious. While it’s not perfect, it provides a first line of defense against malware. For an added layer of safety, you can also install a trusted Android antivirus app, which can catch threats that slip through other protections.
Another simple but effective practice is to limit the number of apps on your phone. The more apps you install, the greater the attack surface. If you notice apps you haven’t used in a long time, uninstall them. Fewer apps mean fewer opportunities for malware to hide.
Finally, stay alert when browsing online. Avoid clicking on links from unknown senders, whether they arrive by email, text, or social media. Hackers often rely on curiosity or urgency to get users to click. By pausing and verifying before you act, you can block many attacks before they begin.
Practicing these habits consistently makes it much harder for threats like RatOn to take hold. While no system is completely immune, strong digital hygiene goes a long way toward keeping your phone—and your financial accounts—safe.
Quick FAQs
What is RatOn malware?
RatOn is a newly discovered Android banking trojan built from scratch. It can drain bank accounts with automated transfers, steal credentials through overlays, and imitate ransomware screens.
How does RatOn spread?
It spreads through malicious apps downloaded from fake adult-themed websites, many disguised as “TikTok18+.” Victims are tricked into sideloading these apps, which then install the malware.
Can RatOn steal money remotely?
Yes. By abusing Android’s Accessibility services, RatOn can perform automated money transfers (ATS) from anywhere in the world without needing the victim’s involvement.
Where is RatOn active now?
So far, it has been detected in the Czech Republic, but experts believe this may just be a testing ground before wider attacks.
How can I protect myself?
Avoid sideloading apps, download only from official app stores, enable Google Play Protect, uninstall unused apps, and consider using a reputable Android antivirus.
Key Takeaways
- RatOn is a new Android banking trojan written entirely from scratch, making it harder to detect.
- It combines automated money transfers, overlay credential theft, and fake ransomware screens to maximize impact.
- The malware spreads through malicious apps on fake TikTok18+ websites, tricking users into sideloading.
- Currently active in the Czech Republic, RatOn is likely to spread to larger regions soon.
- The best defense is avoiding sideloading, sticking to official app stores, enabling Google Play Protect, and using antivirus protection.
