
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What was found
ThreatFabric describes RatOn, a newly observed Android banking trojan (first build: July 5, 2025; latest: August 29, 2025) that blends RAT-style remote control, overlay phishing/ransom, Automated Transfer System (ATS) for a Czech banking app (George Česko), cryptocurrency wallet takeover, and orchestration of the NFSkate NFC-relay malware. Campaign lures used adult-themed domains ("TikTok18+") aimed at Czech/Slovak speakers.

Multi‑stage architecture and cons...

🔧 Technical Details

WebView→native installation bridge: Embed a WebView pointing to an attacker‑controlled page and expose a native installer function (e.g., installApk) via JS interface. A victim’s tap on an HTML button triggers APK install from app assets, then launches the payload by explicit package/activity, bypassing Play Protect flows while preserving a user‑consent façade.

Accessibility‑driven UI automation: After obtaining Accessibility, enumerate nodes (text/roles/bounds) and synthesize clicks/text/swipes to accept further prompts, navigate banking/crypto UIs, type confirmation PINs, and stream a text‑based pseudo‑screen to C2 for low‑latency, low‑bandwidth remote control.

Overlay phishing/ransom: Render HTML overlays via WebView, either from a provided URL or inline HTML. Use templates (multi‑language) to coerce actions (e.g., opening crypto apps), harvest unlock PINs, or demand payment; request overlay permission programmatically if absent.

ATS play...

🤖 Agent Actions

I analyzed the ThreatFabric RatOn research and updated HackTricks with the reusable techniques and patterns it describes, fitting them into the most relevant existing pages. I also read and reviewed multiple related files to ensure proper placement and style consistency.

What I read to find the right place

  • src/generic-methodologies-and-resources/phishing-methodology/README.md
  • src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
  • src/generic-methodologies-and-resources/phishing-methodology/tapjacking.md (via: src/mobile-pentesting/android-app-pentesting/tapjacking.md)
  • src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
  • src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
  • src/mobile-pentesting/android-checklist.md

Key gaps identified and updates made

  1. Mobile Phishing & Malicious App Distribution (Android & iOS)
  • File: src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
  • What was missing:
    • WebView→native JavaScript bridge used by droppers to install stage-2 APKs from assets via Package Installer Session API.
    • Accessibility + Device Admin consent funnel in malware post-install, including programmatic overlay permission handling.
    • Overlay phishing/ransom via WebView with both URL-based and inline HTML templates.
    • Remote-control model combining text pseudo-screen (Accessibility dumps) and MediaProjection streaming.
    • ATS automation playbook: locale-aware text matching, coordinate fallbacks, example JSON transfer task, limit manipulation.
    • Crypto wallet seed extraction flows (MetaMask/Trust/Blockchain.com/Phantom) with multi-lingual selectors.
    • Device Admin coercion primitives (lockNow, expire password, disable keyguard biometrics).
    • NFC relay orchestration (NFSkate) as a third stage.
    • Focused detection and hunting notes for this TTP set.
  • Changes implemented:
    • Added a new subsection: “Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration – RatOn case study.”
    • Included Java code snippets for:
      • addJavascriptInterface-based dropper that installs payload from assets and launches it.
      • Overlay permission request.
      • DevicePolicyManager primitives used in abuse.
    • Added an example JSON transfer task and the CZ→EN UI strings observed in ATS flows.
    • Added internal reference to the “Android Accessibility Service Abuse” page.
    • Updated “References” with the RatOn blog and NFSkate background.
  • Tool action:
    • modify_file on src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
  2. Android Accessibility Service Abuse
  • File: src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md
  • What was missing:
    • Concrete ATS automation helpers and a locale-aware example flow (Czech bank app).
    • Text-based pseudo-screen streaming pattern from Accessibility node tree (low-bandwidth control).
    • Device Admin coercion primitives with example code.
    • Crypto wallet seed extraction playbook.
    • NFC relay orchestration tie-in.
  • Changes implemented:
    • Added “ATS automation cheat-sheet (Accessibility-driven)” with helper code (find by text, click, set text, gesture fallback).
    • Added “Text-based pseudo-screen streaming” with a tree-dump example.
    • Added “Device Admin coercion primitives” with DevicePolicyManager examples.
    • Added “Crypto wallet seed-phrase extraction patterns” and “NFC-relay orchestration” sections.
    • Updated “References” with RatOn and NFSkate posts.
  • Tool action:
    • modify_file on src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md

Why this placement

  • The requested section is in Phishing Methodology > Mobile Phishing & Malicious Apps. RatOn’s distribution and post-install consent funnel + overlay misuse naturally fit there, so I added a focused case-study subsection with code and TTP abstractions.
  • The deeper offensive mechanics (ATS automation via Accessibility, text-based pseudo-screens, Device Admin coercion, wallet seed flows) belong to the Android app pentesting area, so I augmented the Accessibility Service Abuse page with hands-on code/primitives and references.

References added

  • The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)
  • GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)

No new files were needed; existing pages were the correct fit and already had the right audience and structure.

Technical changes applied (tool log)

  • Updated src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md with a new RatOn TTPs subsection, code examples, internal reference to Accessibility abuse page, and extended references.
  • Updated src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md with ATS helpers, pseudo-screen streaming snippet, Device Admin coercion samples, wallet seed extraction patterns, NFC relay orchestration, and augmented references.

If you want me to also add a short cross-link from the Tapjacking page toward this RatOn subsection (to centralize overlay abuse variants), I can do that, but it’s optional since the Accessibility page now contains the deep mechanics and the phishing page contains the campaign TTPs.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
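As an added defensive illustration (not code from this PR, from HackTricks, or from ThreatFabric), the check below triages an AndroidManifest.xml for the capability combination the described consent funnel has to declare: overlay windows, an Accessibility service, a Device Admin receiver, sideload install, and NFC/HCE. The indicator labels, thresholds and the sample manifest are my own constructions; the permission and component names are the standard Android constants.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator labels are my own; the permission and component names are the real
# Android constants each capability in the RatOn write-up has to declare.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay_windows",       # overlay phishing/ransom
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload_install",  # stage-2 APK from assets
    "android.permission.NFC": "nfc_access",                             # NFC relay stage
}
COMPONENT_INDICATORS = {  # (tag, android:permission on the component) -> label
    ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"): "accessibility_service",
    ("receiver", "android.permission.BIND_DEVICE_ADMIN"): "device_admin",
    ("service", "android.permission.BIND_NFC_SERVICE"): "nfc_hce_service",
}

def manifest_indicators(manifest_xml: str) -> set[str]:
    """Collect capability indicators declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        found.add(PERMISSION_INDICATORS.get(perm.get(ANDROID_NS + "name", "")))
    app = root.find("application")
    for comp in (app if app is not None else []):
        found.add(COMPONENT_INDICATORS.get((comp.tag, comp.get(ANDROID_NS + "permission", ""))))
    found.discard(None)  # non-matching entries map to None
    return found

def triage(manifest_xml: str) -> tuple[str, set[str]]:
    """Rate a manifest: overlay + Accessibility + Device Admin together is the
    consent-funnel shape the post describes, so that combination scores high."""
    found = manifest_indicators(manifest_xml)
    core = {"overlay_windows", "accessibility_service", "device_admin"}
    if core <= found:
        return "high", found
    if found & (core | {"sideload_install"}):
        return "medium", found
    return "low", found

# Constructed sample manifest (not taken from any real sample) exercising the checks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Run `triage(SAMPLE_MANIFEST)` to get the rating plus the indicator set; the same function can be pointed at a manifest decoded with apktool or aapt2.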

…l and ATS

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources > Phishing Methodology > Mobile Phishing Malicious Apps (add a subsection: Android Accessibility/Overlay & Device Admin Abuse, ATS automation, and NFC relay orchestration - RatOn case study)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
