Overlay intrusions, cryptocurrency wallet-targeted account takeovers, NFC relay attacks, and automated money transfers have been facilitated by the newly discovered RatOn Android trojan, reports The Hacker News.

According to a report from ThreatFabric, bogus Google Play Store listing pages for an adult-friendly TikTok version have been leveraged by RatOn to deploy a dropper app, which seeks user permission to install apps from external sources to evade detection. A second-stage payload then requests accessibility services while downloading the third-stage NFSkate malware, which enables NFC relay intrusions.

Aside from showing overlay screens seeking payment of $200 in exchange for phone access, RatOn executes commands to compromise the MetaMask, Phantom, Blockchain.com, and Trust cryptowallet apps while enabling automatic money transfers via the Czech Republic-based bank app George Cesko.

"The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well," said ThreatFabric researchers.