A new Android malware strain called RatOn has rapidly evolved from a tool limited to NFC relay attacks into a sophisticated remote access trojan with the ability to steal banking credentials, hijack cryptocurrency wallets, and even lock users out of their phones with ransom-style screens. Researchers warn the malware is under active development and combines multiple attack methods rarely seen together in one mobile threat.
How It Spreads
RatOn is being distributed through fake websites designed to look like the Google Play Store. Some of these pages advertise an adult-themed version of TikTok called “TikTok 18+.” Once victims install the dropper app, it requests permission to install software from unknown sources, bypassing Android’s built-in safeguards. The second-stage payload then seeks administrator and accessibility permissions, along with access to contacts and system settings, giving it deep control of the device. From there, RatOn can download an additional component called NFSkate, a modified version of the NFCGate tool, enabling advanced relay attacks known as “ghost taps.”
Capabilities and Tactics
The trojan’s abilities are wide-ranging:
1. Overlays and ransomware screens: RatOn can display fake login pages to steal credentials or lock the device with alarming ransom notes. Some overlays falsely accuse users of viewing child exploitation content and deman
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: