New Android banking trojan silently steals money from your phone

A new Android banking trojan called RatOn can silently steal money and sensitive data by automating attacks on your device.

Banking trojans are malicious software designed to steal money, personal information, and login credentials from victims by targeting their financial apps. Over the years, Android devices have become increasingly popular targets for such threats due to their widespread use and relatively open ecosystem. Despite continuous efforts by Google to secure Android devices, attackers find clever ways to bypass protections, often using fake apps or exploiting system features. The latest dangerous development in this area is a new trojan called RatOn. It goes beyond traditional banking malware by automating the theft of money and data without your knowledge.

 

 


 

How RatOn Android malware tricks you into installing it

As reported by ThreatFabric, RatOn spreads by masquerading as a harmless adult-friendly version of TikTok, called TikTok 18+, available through fake Play Store listings. Once you install this fake app, it asks for permission to install other apps from outside the official Google Play Store. This is already a red flag because it allows the malware to bypass important security measures designed to protect your device.

After installation, RatOn asks for device administration and accessibility permissions, along with access to your contacts and system settings. These permissions enable it to fully control the device, making it possible to lock your phone, send messages, and most dangerously, interact directly with financial applications like MetaMask, Trust Wallet, Blockchain.com, and Phantom. Its ability to act as a remote access trojan means hackers can manipulate your device from afar without your knowledge.

One of the most concerning features of RatOn is that it integrates a second malicious tool called NFSkate, which performs NFC (Near Field Communication) relay attacks. Originally designed as a legitimate research tool, NFSkate can relay NFC signals to manipulate certain phone features. This combination makes RatOn a highly sophisticated threat.


 

Automated money theft and ransom tactics

Unlike older banking trojans that simply stole passwords or waited for users to perform actions, RatOn can automatically transfer money out of your accounts. Once the trojan has the necessary permissions, it records key information such as your device PIN and secret phrases from cryptocurrency wallets.

RatOn can also lock your device and show fake ransom screens. These messages falsely accuse victims of viewing and distributing child pornography. They demand $200 in cryptocurrency within two hours to unlock the device. The goal is not only to extort money but also to trick users into opening their cryptocurrency apps. Once opened, the trojan silently uses the stolen PIN code to reveal secret phrases. It then steals digital assets without the user knowing.

A keylogger component records every interaction, and all sensitive data is sent back to servers controlled by the attackers. This makes it possible for hackers to access cryptocurrency accounts and transfer funds without any manual intervention.

Among its many commands, RatOn can send fake push notifications, lock the device, launch popular apps like WhatsApp and Facebook, add contacts, send SMS messages, and more. Each function is designed to make the malware more versatile and harder to detect.


 

7 ways you can stay safe from Android banking trojans

With threats like RatOn becoming more sophisticated, it is no longer enough to rely solely on basic caution when using your smartphone. Here are some steps you can take to stay safe.

 

1) Only install apps from official sources

Always download apps from the official Google Play Store and avoid third-party app stores or suspicious websites. RatOn spreads through fake Play Store listings disguised as apps like TikTok 18+, which are not legitimate. Avoid installing apps that request unnecessary permissions.

 

2) Use a reliable antivirus solution

Install strong antivirus software that actively scans for malware and suspicious behavior. Antivirus software can detect trojans like RatOn before they cause harm and help remove any detected threats.

The best way to safeguard yourself from malicious links that install malware and potentially access your private information is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

 

3) Use a password manager

A password manager helps you create strong, unique passwords for every account and stores them securely. Since RatOn targets cryptocurrency wallets and banking apps, using strong, random passwords can help prevent unauthorized access even if the device is compromised.

Next, see if your email has been exposed in past breaches. Our #1 pick, NordPass, includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

 

4) Enable two-factor authentication (2FA)

Wherever possible, enable two-factor authentication on your accounts, especially for cryptocurrency wallets and banking apps. This adds an extra layer of security by requiring not just a password but also a time-based code or biometric confirmation to access your accounts.

 

5) Protect your personal data online

A personal data removal service can help you remove your sensitive information from data broker databases that are often sold and traded online. While this does not directly prevent malware like RatOn from infecting your device, it reduces the amount of personal data available to cybercriminals for targeted attacks or identity theft. By limiting the exposure of your personal information on the internet, you make it harder for attackers to craft convincing fake apps or phishing campaigns designed to trick you into installing malicious software.

 


 

6) Review app permissions carefully

Before granting any app access to sensitive features like contacts, system settings, or accessibility services, review the permissions carefully. RatOn abuses these permissions to take control of the device. Only allow what is strictly necessary for the app’s functionality.
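An added example, not from the original article or from ThreatFabric: a Python check that flags apps matching the permission pattern described above, meaning installed from outside the Play Store and also holding accessibility or device-admin control. The sample `adb` outputs and package names are constructed, and the device-admin list is assumed to be already extracted as colon-separated `package/class` components.

```python
import re

# Installers treated as trusted stores (assumption; extend for your devices).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.videoapp  installer=null
package:com.example.game  installer=null
"""
# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.notes/.ReaderService:com.example.videoapp/.HelperService"
# Constructed device-admin components (assumed already extracted).
SAMPLE_ADMINS = "com.example.videoapp/.AdminReceiver"

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` lines."""
    found = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def parse_components(value):
    """Package names from a colon-separated list of pkg/class components."""
    value = value.strip()
    if not value or value == "null":  # the setting reads "null" when unset
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def audit(pm_output, a11y_value, admin_value):
    """Return (package, reasons) for sideloaded apps holding control rights."""
    a11y = parse_components(a11y_value)
    admins = parse_components(admin_value)
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed apps are out of scope for this check
        reasons = [name for name, group in
                   (("accessibility", a11y), ("device-admin", admins))
                   if pkg in group]
        if reasons:
            findings.append((pkg, ["sideloaded"] + reasons))
    return findings

if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_ADMINS):
        print(pkg, ", ".join(reasons))
```

A hit is a prompt to review the app, not proof of infection: legitimate sideloaded tools can hold these permissions too.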

 

 

7) Keep your device and apps updated

Regularly install software updates for your Android operating system and apps. These updates often include important security patches that fix vulnerabilities that hackers, like those behind RatOn, try to exploit. Running outdated software makes it easier for malware to bypass security measures and take control of your device. Keeping everything up to date ensures you have the latest protections against known threats and reduces the risk of infection.

 


 

Kurt’s key takeaway

RatOn shows just how creative and dangerous modern Android banking trojans have become. You should always download apps only from official sources. Also, be extremely cautious about granting permissions that seem excessive or unrelated to an app’s main function. Keeping your device updated with the latest security patches and using a trusted antivirus solution can help reduce the risk of infection.

Should Google do more to prevent fake apps from appearing on the Play Store? Let us know in the comments below.


 

 

Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
