Dangerous new RatOn Android trojan can automatically transfer money right off your phone to hackers

By Anthony Spadafora

Copyright tomsguide

10 September 2025

Plus it uses overlay attacks to trick you into thinking your phone’s been hit with ransomware

Newly discovered Android malware strains often build upon a previous one. However, that’s not the case with a new Android banking trojan currently making the rounds online. Instead, it appears to be written from scratch with no code similarities to existing malware families.

As reported by The Hacker News, this new banking trojan has been dubbed RatOn by security researchers at Threat Fabric, who discovered it while investigating another malware strain that uses near-field communication (NFC) in its attacks to steal contactless payment info from unsuspecting Android users. The most surprising part of this new sample was that it wasn’t found in just a single malicious app but was instead part of a campaign involving multiple ones.

After analyzing this new campaign further, Threat Fabric found that RatOn is a fully functional banking trojan with several unique capabilities. In addition to being able to take over an Android phone and the accounts on it, the banking trojan can also perform automated money transfers as well as use custom overlay attacks to trick victims into thinking their device is infected with ransomware.

Here’s everything you need to know about this new malware strain, along with some tips and tricks to keep your Android phone safe from banking trojans that can completely drain your financial accounts.

From overlays to automated money transfers

In order to trick potential victims into installing their malicious apps, the hackers behind this campaign registered several domains with adult themes, which they then used as a lure. Specifically, these fake sites contained “TikTok18+” in their names. However, Threat Fabric’s security researchers couldn’t find out how the hackers got their victims to go to these sites. In the past, I’ve seen hackers use phishing emails, random messages on social media and even fake ads to get people to click on links to their malicious sites.
If someone is foolish enough to sideload an adults-only version of TikTok onto their Android phone, what ends up getting installed is actually a malware dropper or third-party software installer. By tricking users into granting it the permission to install apps from unknown sources, the malware dropper is able to bypass Android’s built-in security protections. The dropper uses this permission to download and install the first payload, after which the second payload is requested, along with two more permissions that are essential for hackers looking to commit on-device fraud: access to Accessibility services and Device Admin privilege.
Like other banking trojans, RatOn abuses Android’s Accessibility services to launch overlay attacks on an infected device. For those unfamiliar, these attacks involve hackers putting an overlay on top of popular banking and finance apps that is almost identical to a legitimate login screen. This way, the hackers can harvest a victim’s banking credentials to gain access to their accounts without their knowledge, as they just thought they were logging into one of their banking, finance or crypto wallet apps.

Another interesting thing cybercriminals deploying the RatOn malware can do is to use an overlay to make victims think their phone has been locked by hackers. Of course, to unlock it, they need to send over a large amount of money, just like with a ransomware attack. However, while their phone isn’t actually infected with ransomware, it is compromised by the RatOn banking trojan.
RatOn also requests access to read/write contacts and manage system settings to carry out its malicious activity. From there, a third payload is downloaded, which is actually the NFSkate malware Threat Fabric was initially looking into. By using a technique known as Ghost Tap, NFSkate can carry out NFC relay attacks and steal contactless payment info. However, with that malware strain, these attacks needed to be carried out in person within physical range of a targeted Android phone.
Now, with RatOn, this new malware can perform automated money transfers (ATS) by abusing Android’s Accessibility services. This means that hackers deploying this malware in their attacks can drain your financial accounts from anywhere in the world, as they don’t need to be in the same room with you.
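
A triage check for the privilege chain described in this section, as an added example that is not from the article or from Threat Fabric’s report: it scores a device’s app inventory for sideloaded apps that combine install-from-unknown-sources, an enabled Accessibility service, Device Admin, and contacts or system-settings access. The record field names, weights, thresholds and sample apps are assumptions made for illustration; the permission strings and store installer IDs are standard Android identifiers.

```python
# Added example: scores an app inventory for the privilege chain the article
# describes. Record field names and all sample apps below are constructed.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}
P = "android.permission."
CONTACTS_RW = {P + "READ_CONTACTS", P + "WRITE_CONTACTS"}

# (signal name, assumed weight, predicate over one inventory record)
SIGNALS = [
    ("sideloaded", 2, lambda a: a.get("installer") not in TRUSTED_INSTALLERS),
    ("can_install_apps", 2, lambda a: P + "REQUEST_INSTALL_PACKAGES" in a["permissions"]),
    ("accessibility_service", 3, lambda a: a.get("accessibility_enabled", False)),
    ("device_admin", 3, lambda a: a.get("device_admin", False)),
    ("contacts_rw", 1, lambda a: CONTACTS_RW <= set(a["permissions"])),
    ("write_settings", 1, lambda a: P + "WRITE_SETTINGS" in a["permissions"]),
]

def assess(app):
    """Return level, score and matched signals for one app record."""
    hits = [(name, w) for name, w, pred in SIGNALS if pred(app)]
    names = {name for name, _ in hits}
    score = sum(w for _, w in hits)
    # Sideloaded plus both on-device-fraud privileges is the chain itself.
    if {"sideloaded", "accessibility_service", "device_admin"} <= names:
        level = "high"
    elif "sideloaded" in names and score >= 4:
        level = "review"
    else:
        level = "ok"
    return {"package": app["package"], "level": level, "score": score,
            "signals": sorted(names)}

def triage(inventory):
    """Return flagged apps only, highest score first."""
    flagged = [r for r in map(assess, inventory) if r["level"] != "ok"]
    return sorted(flagged, key=lambda r: -r["score"])

SAMPLE_INVENTORY = [  # constructed records, not real apps
    {"package": "com.example.video18", "installer": None, "device_admin": True,
     "accessibility_enabled": True,
     "permissions": [P + "REQUEST_INSTALL_PACKAGES", P + "READ_CONTACTS",
                     P + "WRITE_CONTACTS", P + "WRITE_SETTINGS"]},
    {"package": "com.example.screenreader", "installer": "com.android.vending",
     "accessibility_enabled": True, "permissions": []},
    {"package": "com.example.apkhelper", "installer": None,
     "permissions": [P + "REQUEST_INSTALL_PACKAGES"]},
]
```

On a real device, the inputs can be gathered with `adb shell pm list packages -i` (installer), `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`.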

How to stay safe from banking trojans

The good news here is that at the moment, RatOn is only being used to target Android users in the Czech Republic. However, like with any Android malware strain, that geographic location could just be a testing ground to make sure it works before the malware’s creators begin targeting Android phones in other countries like the U.S. or the U.K.
I’ll be keeping a close eye on RatOn and how this new Android malware strain develops, but in the meantime, here are a few tips and tricks to help keep your phone (and your bank account) safe from dangerous trojans.
For starters, you never want to sideload Android apps unless you absolutely have to. Instead, you want to download all of your new apps from official app stores like the Google Play Store and the Samsung Galaxy Store. Google will soon prevent users from sideloading altogether with the next version of Android, but for now, you should avoid doing so even if it seems like a convenient way to put new apps on your phone.
When it comes to new apps, you want to be very careful when installing them, as even good apps can go bad. This is why I highly recommend limiting the number of apps on your phone overall and then, if you find you haven’t used a particular app for quite some time, it’s best to just delete it.
To stay safe from malicious apps, you want to make sure that Google Play Protect is enabled on your phone. This free, built-in security software scans all of your existing apps, along with any new ones you download, for malware or other signs of malicious activity. For extra protection, you may also want to run one of the best Android antivirus apps alongside it.
Hackers aren’t slowing down anytime soon, and there are constantly new malware strains and banking trojans like RatOn you need to look out for. However, if you practice good cyber hygiene, avoid clicking on links from unknown senders and don’t sideload apps you’ve found on less-than-reputable sites, you should be safe.