Dangerous new RatOn Android trojan can automatically transfer money right off your phone to hackers
Plus it uses overlay attacks to trick you into thinking your phone’s been hit with ransomware

New Android malware strains usually build on earlier ones. However, that’s not the case with a new Android banking trojan currently making the rounds online. Instead, it appears to be written from scratch with no code similarities to existing malware families.
As reported by The Hacker News, this new banking trojan has been dubbed RatOn by security researchers at ThreatFabric, who discovered it while investigating another malware strain that uses near-field communication, or NFC, in its attacks to steal contactless payment info from unsuspecting Android users. The most surprising part of this new sample was that it wasn’t confined to a single malicious app but was part of a campaign involving multiple ones.
After analyzing this new campaign further, ThreatFabric found that RatOn is a fully functional banking trojan with several unique capabilities. In addition to being able to take over one of the best Android phones and the accounts on it, the banking trojan can also perform automated money transfers as well as use custom overlay attacks to trick victims into thinking their device is infected with ransomware.
Here’s everything you need to know about this new malware strain, along with some tips and tricks to keep your Android phone safe from banking trojans that can completely drain your financial accounts.
From overlays to automated money transfers
In order to trick potential victims into installing their malicious apps, the hackers behind this campaign registered several domains with adult themes, which they then used as a lure. Specifically, these fake sites contained “TikTok18+” in their names. However, ThreatFabric’s security researchers couldn’t find out how the hackers got their victims to go to these sites. In the past, I’ve seen hackers use phishing emails, random messages on social media and even fake ads to get people to click on links to their malicious sites.
If someone is foolish enough to sideload an adults-only version of TikTok onto their Android phone, what ends up getting installed is actually a malware dropper or third-party software installer. By tricking users into granting it the permission to install apps from unknown sources, the malware dropper is able to bypass Android’s built-in security protections. The dropper then downloads and installs the first payload, after which the second payload and two more permissions are requested. Both permissions are essential for hackers looking to commit on-device fraud: access to Accessibility services and Device Admin privileges.
Like other banking trojans, RatOn abuses Android’s Accessibility services to launch overlay attacks on an infected device. For those unfamiliar, these attacks involve hackers putting an overlay on top of popular banking and finance apps that is almost identical to a legitimate login screen. This way, the hackers can harvest a victim’s banking credentials to gain access to their accounts without their knowledge, as they just thought they were logging into one of their banking, finance or crypto wallet apps.
Another interesting thing cybercriminals deploying the RatOn malware can do is to use an overlay to make victims think their phone has been locked by hackers. Of course, to unlock it, they need to send over a large amount of money, just like with a ransomware attack. However, while their phone isn’t actually infected with ransomware, it is compromised by the RatOn banking trojan.
RatOn also requests access to read/write contacts and manage system settings to carry out its malicious activity. From there, a third payload is downloaded, which is actually the NFSkate malware ThreatFabric was initially looking into. By using a technique known as Ghost Tap, NFSkate can carry out NFC relay attacks and steal contactless payment info. However, with that malware strain, these attacks needed to be carried out in person within physical range of a targeted Android phone.
Now, with RatOn, this new malware can perform automated money transfers, a capability known as an Automated Transfer System (ATS), by abusing Android’s Accessibility services. This means that hackers deploying this malware in their attacks can drain your financial accounts from anywhere in the world, as they don’t need to be in the same room with you.
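The permission chain described above (a sideloaded app that then holds Accessibility and Device Admin access) can be checked for on a phone you manage. The script below is an added example, not code from ThreatFabric or this article; it assumes you have saved the text output of the adb commands named in its comments, and every package name and sample string in it is constructed.

```python
import re

# Added example. Inputs are text captured from a device you administer, e.g.:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy   (the enabled device admin lines)
# All sample strings are constructed; package names are hypothetical.
SAMPLE_PM = """package:com.example.bank  installer=com.android.vending
package:com.example.videoapp18  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = "com.example.videoapp18/.core.A11yService:com.example.bank/com.example.bank.Reader"
SAMPLE_ADMINS = "Enabled Device Admins (User 0):\n  com.example.videoapp18/.AdminReceiver:\n"

# Installer package names of the Google Play Store and Samsung Galaxy Store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Android ComponentName strings look like "package.name/ClassName".
COMPONENT = re.compile(r"([A-Za-z]\w*(?:\.\w+)+)/[\w.$]+")

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` lines."""
    result = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, installer = line[len("package:"):].partition("installer=")
        result[name.strip()] = installer.strip() or "null"
    return result

def parse_components(text):
    """Return the package part of every ComponentName found in the text."""
    return {m.group(1) for m in COMPONENT.finditer(text)}

def audit(pm_output, accessibility, device_admins):
    """List apps not installed by a trusted store that hold either grant."""
    a11y, admins = parse_components(accessibility), parse_components(device_admins)
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        grants = [g for g, held in (("accessibility", pkg in a11y),
                                    ("device_admin", pkg in admins)) if held]
        if grants:
            findings.append((pkg, installer, grants))
    return findings

if __name__ == "__main__":
    for pkg, installer, grants in audit(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_ADMINS):
        print(f"REVIEW {pkg}: installer={installer}, holds {', '.join(grants)}")
```

A hit is a reason to look at the app, not proof of infection: some legitimate sideloaded tools also use Accessibility services.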
How to stay safe from banking trojans
The good news here is that at the moment, RatOn is only being used to target Android users in the Czech Republic. However, like with any Android malware strain, that geographic location could just be a testing ground to make sure it works before the malware’s creators begin targeting Android phones in other countries like the U.S. or the U.K.
I’ll be keeping a close eye on RatOn and how this new Android malware strain develops, but in the meantime, here are a few tips and tricks to help keep your phone (and your bank account) safe from dangerous trojans.
For starters, you never want to sideload Android apps unless you absolutely have to. Instead, you want to download all of your new apps from official app stores like the Google Play Store and the Samsung Galaxy Store. Google will soon prevent users from sideloading altogether with the next version of Android, but for now, you should avoid doing so even if it seems like a convenient way to put new apps on your phone.
When it comes to new apps, you want to be very careful when installing them, as even good apps can go bad. This is why I highly recommend limiting the number of apps on your phone overall and then, if you find you haven’t used a particular app for quite some time, it’s best to just delete it.
To stay safe from malicious apps, you want to make sure that Google Play Protect is enabled on your phone. This free, built-in security software scans all of your existing apps, along with any new ones you download, for malware or other signs of malicious activity. For extra protection, you may also want to run one of the best Android antivirus apps alongside it.
Hackers aren’t slowing down anytime soon, and there are constantly new malware strains and banking trojans like RatOn you need to look out for. However, if you practice good cyber hygiene, avoid clicking on links from unknown senders and don’t sideload apps you’ve found on less-than-reputable sites, you should be safe.

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.