Android Banking & Crypto Malware Alert

by Archynetys Technology & Science Desk

The new banking Trojan Raton combines automatic transfers, NFC attacks and ransomware functions into a dangerous threat to Android users in Central Europe.

A highly developed Android malware called “Raton” has put security experts on alert. The new remote access trojan combines automatic transfers, NFC attacks and ransomware functions into a particularly dangerous tool for cyber criminals.

First discovered on July 5, 2025, the malware is under continuous development and currently targets users in Central Europe. But experts warn: a global spread is only a matter of time.

The malware mainly spreads through fake “TikTok 18+” apps on imitation Google Play Store sites. These lures tempt unsuspecting users into installing supposed adult versions of popular apps.


Refined infection chain in three stages

Raton relies on a multi-stage infiltration strategy. The initial dropper app tricks the user into granting far-reaching permissions, in particular access to Android’s accessibility services. These services, originally developed for people with disabilities, are a popular target for malware because they can read screen contents and perform automated actions.

Once the permissions are granted, the dropper installs a second payload. This payload obtains device admin rights and finally loads the final Raton version, sometimes also referred to as “NFSKATE”.

The result? The attackers can stream the screen, lock the device, change system settings and target apps for fraudulent activities. Particularly notable: the malware was developed entirely from scratch and shares no code with well-known banking trojans.

Attack on digital wallets

Raton’s main goal is simple: stealing money. The malware targets popular crypto wallets such as MetaMask, Trust Wallet, Blockchain.com and Phantom. On the traditional banking side, it has already demonstrated automatic transfers via the Czech banking app George Česko.

The most dangerous feature is the Automated Transfer System (ATS). By abusing the accessibility services, the malware opens banking apps, navigates through their menus, enters stolen PINs and carries out transfers to the perpetrators, completely unnoticed by the victim. In addition, Raton uses classic overlay attacks with fake login screens.


More than just theft

Raton is not limited to direct financial theft. The malware can show ransomware-like overlay screens that accuse the user of viewing illegal content. Supposedly, law enforcement agencies have locked the phone, and only a payment of around $200 in cryptocurrency can unlock it again.

Perfidious: this panic tactic is intended to get victims to open their crypto apps, which allows the malware to capture PINs or seed phrases.

In addition, Raton is capable of NFC relay attacks. The infected phone is misused as a middleman for fraudulent contactless transactions. In this way, attackers can authorize payments with the victim’s stored card data at payment terminals or ATMs.

New dimension of mobile threats

The security company ThreatFabric emphasizes: “The automatic transfer features show that the attackers know the internals of the target apps very well.” This depth of knowledge enables more effective and more difficult attacks.

Raton’s current focus on Czech- and Slovak-speaking users indicates a targeted initial campaign. However, the modular architecture allows easy adaptation to other regions and financial institutions.

Protection against the threat

Experts recommend the following protective measures:

  • No sideloading: Only install apps from the official Google Play Store
  • Check permissions: Be particularly critical of requests for accessibility services or device administrator rights
  • Activate Google Play Protect: Use the integrated Android security function
  • Mobile security software: Additional protection through antivirus apps
  • Install updates: Always keep the operating system and apps up to date
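
One way to carry out the “check permissions” step on a device connected over adb, as an added example that is not part of the original article: it cross-references the enabled accessibility services with each app’s install source and flags user-installed apps that did not come from Google Play. The package names and sample outputs are constructed, and the trusted-installer list is an assumption to adjust.

```python
"""Flag user-installed apps with an enabled accessibility service that were
not installed from a trusted store. Inputs are captured from:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i -3     (-3 = third-party apps only)
"""
# Assumption: only Google Play counts as a trusted install source.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(raw):
    """Colon-separated 'package/ServiceClass' entries; 'null' or empty if none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_installers(raw):
    """Lines look like 'package:<name>  installer=<name or null>'."""
    installers = {}
    for line in raw.splitlines():
        parts = line.strip().split()
        if not parts or not parts[0].startswith("package:"):
            continue
        pkg = parts[0][len("package:"):]
        inst = next((p.split("=", 1)[1] for p in parts[1:]
                     if p.startswith("installer=")), "null")
        installers[pkg] = inst
    return installers

def audit(services_raw, third_party_raw):
    """Return (package, service, installer) for each suspicious service."""
    installers = parse_installers(third_party_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg not in installers:
            continue  # not in the -3 listing: preinstalled system app
        if installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, svc, installers[pkg]))
    return findings

# Constructed sample outputs (not taken from a real device or from the malware).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.reader/.ReadAloudService:"
                   "com.example.videoplus/com.example.videoplus.HelperService")
SAMPLE_THIRD_PARTY = """package:com.example.reader  installer=com.android.vending
package:com.example.videoplus  installer=null
"""

if __name__ == "__main__":
    for pkg, svc, inst in audit(SAMPLE_SERVICES, SAMPLE_THIRD_PARTY):
        print(f"REVIEW {pkg} service={svc} installer={inst}")
```

Any package this reports should be checked by hand in Settings under Accessibility, and its device administrator status reviewed as well.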

Since the Raton developers are actively working on new features, security experts expect the malware’s targets and functions to expand. Vigilance remains the best defense against this new generation of mobile threats.
