At TecnetOne, we’re warning about a new and dangerous threat targeting Android users: RatOn, a highly sophisticated new trojan that disguises itself as a legitimate app. Once installed, it can take control of the phone, steal personal data, make automatic money transfers, and even lock the device, mimicking ransomware behavior.
This malware is already present in several Central European countries. However, all signs point to its expansion into other regions, including Latin America, being only a matter of time.
How Does RatOn Work on Android and Why Is It So Dangerous?
RatOn doesn’t advertise itself or trigger visible alerts. It appears as an appealing app, with eye-catching names like a supposed “TikTok18+,” and once installed, it takes full control of the phone. From that moment on, it can spy on your activity, steal personal information, perform automatic bank transfers, and even completely lock your device.
The attack begins silently, as with many of the most sophisticated malware families. It starts when the user downloads a fake app (known as a dropper) whose real job is to install the trojan. Once executed, the dropper fetches RatOn's malicious payload and activates it in the background, without raising suspicion.
Its first step is to request key permissions in the Android operating system, such as:
- Access to accessibility services
- Device administrator privileges
- Reading and modifying contacts
- Control over system settings
With these permissions, RatOn can alter critical phone functions without the user noticing. And since many of these apps are disguised as useful tools or “premium” versions of popular apps, they often go unnoticed. Have you ever downloaded an app that seemed too good to be true? That’s usually where the problem begins.
Malicious App Disguised as "TikTok 18+"
Techniques Used by RatOn to Operate Undetected
What makes RatOn especially dangerous isn't just how easily it gets installed, but the set of advanced techniques it uses to steal information and money and to take control of the device. Its main capabilities include:
- Fake Screen Overlays: RatOn draws screens that closely mimic the interface of legitimate apps, such as banking or digital wallet apps. When you type your login details into one of these overlays, you are actually handing them to the malware.
- NFC and ATS Control: This trojan can intercept proximity payments via NFC and implements ATS (Automatic Transfer System) logic. If it has captured access to your banking app or your PIN, it can initiate transfers without any user interaction, from both bank accounts and cryptocurrency wallets.
- Ransomware-Like Functionality: RatOn can also behave like ransomware, completely locking the device and demanding a payment to unlock it.
- Keylogging: It records everything you type on the device, from passwords to personal messages, collecting sensitive data without needing direct access to your apps.
- Touch Simulation and Remote Control: The malware can open apps such as WhatsApp, simulate taps on the screen, and watch what you do in real time, all remotely.
Key Permissions and Functions Used by RatOn
To better understand the scope of this trojan, here's a table summarizing the main permissions it requests and the actions they allow it to perform:

| Permission or Technique | What It Allows |
|---|---|
| Accessibility Service | Full control of the device without the user noticing |
| Device Administrator Privileges | Prevent uninstallation and modify system settings |
| Remote Commands | Open apps, simulate interactions, and monitor the device in real time |
Why Is RatOn Such a Serious Threat?
Because it doesn't need you to click on a suspicious link or confirm anything that looks unusual. Installing a disguised app and approving the permission prompts it shows is enough for it to gain full access to your phone. From there, it can mimic your actions, move money from your accounts, lock your device, or quietly spy on you without being noticed.
And if it manages to access your banking apps or cryptocurrency wallets, the risk of a complete theft of funds or digital assets is extremely high.
RatOn is a clear example of how cybercriminals are perfecting their methods to deceive users and take control of their devices undetected. That’s why the best defense is prevention.
How Is RatOn Distributed?
RatOn doesn't spread like an ordinary self-propagating virus. To get onto your phone, it relies on you: it disguises itself as appealing apps specifically designed to grab your attention.
Once you’re tricked into downloading the decoy app, it starts requesting permissions that seem normal—like access to accessibility services or system functions. All of this happens subtly, without raising suspicion, but it’s what allows RatOn to take full control of your device.
Here’s a key point: who hasn’t come across links to “special versions” of popular apps? This is a classic social engineering technique that still works because it plays on curiosity or the idea of getting exclusive access to something that doesn’t actually exist.
Furthermore, technical analysis shows that the domains hosting this fake app were targeting users in the Czech Republic and Slovakia, suggesting that attackers are also tailoring their campaigns by language and region. This reminds us that simply “being cautious” isn’t enough—you need to carefully check every permission and every download source.
How to Protect Your Android Phone and Avoid Traps Like RatOn
In these cases, prevention is everything. It's not about being paranoid, but about applying basic best practices that can save you a lot of trouble. Before installing anything on impulse, pause and check these key points:
- Download apps only from official stores: Avoid installing APKs from unknown sites or links received via WhatsApp, SMS, or social media. Google Play and other official stores have filters that help reduce this kind of risk.
- Be wary of apps that promise "more than usual": Apps like "TikTok18+," modified versions of Instagram, or WhatsApp with hidden features are often just bait. If it sounds too good to be true, it probably is.
- Carefully review the permissions requested: Pay special attention to accessibility, device administrator, contact access, or settings modification permissions. If an unknown app asks for all of that, it's a big red flag.
- Don't grant device administrator privileges to just any app: This permission gives near-total control of the device. If it's not a trusted app (with a good reputation in the official store), don't grant it under any circumstances.
- Watch for signs of strange behavior: Do floating windows appear that shouldn't be there? Does your phone lock up on its own or respond slowly? Do you notice unusual activity in your bank account? If so, it's best to do a factory reset and immediately notify your bank to block cards or accounts.
- Common sense above all: Attackers rely on you accepting without reading. If something feels off or out of place, don't take unnecessary risks. Better to stop and check than to regret it later.
What to Do If You Think Your Phone Has Been Infected by RatOn
If you've installed a suspicious app, like the fake "TikTok18+" or any other from a questionable source, act fast. Here are the most effective steps to minimize damage:
- Factory reset your phone as soon as possible. This wipes any malicious files that were installed.
- Contact your bank immediately and request a temporary block on your accounts, cards, and digital wallets.
- Change all your passwords, especially any you entered on the infected phone, and do it from a device you trust.
- Activate monitoring on your accounts to catch any unauthorized transactions.
- Check and revoke accessibility or device administrator permissions from any app you don't recognize, and delete it right away. If the app refuses to uninstall, its device administrator status is what's blocking removal: revoke that first under the device admin settings, then uninstall.
Remember, RatOn combines multiple capabilities: it can steal your data, spy on your activity, and lock your device—all from an app that seemed harmless. And worst of all, it relies on deception and impulsive decisions to work.