Background

Remote Access Trojan (RAT) attacks are rapidly emerging as one of the most sophisticated and fast-growing enablers of digital fraud affecting consumers and organisations nationwide. Unlike credential-theft scams, which rely primarily on stolen usernames and passwords, RAT-based attacks give criminals remote control of a victim’s device, enabling them to operate in real time as if they were the legitimate user.

RATs are a type of malicious software engineered to covertly infiltrate a system, establish persistent access, and allow attackers to remotely manipulate compromised devices. They commonly masquerade as legitimate software updates, email attachments, mobile applications, or links distributed via phishing messages and compromised websites. Their ability to blend into normal digital activity makes them difficult for victims to detect and disrupt. Once installed, a RAT can enable extensive attacker control, including screen viewing, credential capture, and data theft. Importantly, RATs primarily enable fraud and account compromise such as unauthorised financial transactions or data access.

In South Africa, mobile banking users are increasingly exposed to RAT-enabled fraud because of the country’s heavy reliance on smartphones and mobile-based financial services. Attackers reportedly use sophisticated social-engineering tactics, impersonating trusted entities such as banks, mobile network operators, courier companies, online retailers or government departments, and reaching victims through phone calls, SMS or WhatsApp messages with urgent claims about suspected account compromise, failed deliveries or SIM-related issues. Victims are then persuaded to install what appears to be a legitimate “security” or “verification” application. Once installed, it grants attackers remote visibility and control of the device, enabling them to capture PINs, passwords and one-time passwords and to execute fraudulent transactions from the victim’s own device. Because the transactions originate from the legitimate device, the activity appears authorised and the attacker encounters less friction.

Key Threats to be Monitored

The scale and impact of RAT-enabled fraud are reinforced by global mobile malware trends that closely mirror the attack methods observed in South Africa. While local reporting does not always categorise incidents explicitly as RAT attacks, international cybersecurity data shows a sharp escalation in mobile banking malware that enables credential theft and remote device control, capabilities that function much like RAT activity. According to Kaspersky, mobile banking malware cases increased approximately 3.6 times in 2024 compared with 2023, largely driven by social-engineering tactics that persuade users to install malicious applications masquerading as legitimate services, which then give attackers visibility into and control over active banking sessions.

Further illustrating the scale of the threat, global mobile banking malware infections surged from 69 000 affected users in 2023 to nearly 248 000 in 2024, with criminals primarily distributing malicious links via SMS and messaging platforms, according to Kaspersky. This growth highlights how social-engineering-led malware campaigns can scale rapidly, enabling attackers to exploit trusted devices and legitimate sessions, conditions that closely align with the mechanics of RAT-enabled banking fraud observed in mobile-first banking environments such as South Africa. At a broader cyber threat level, RAT-based device compromise can also serve as an initial access vector for ransomware operators, since both rely on social engineering and unauthorised remote access. Once attackers gain persistent control of a victim’s device, the same access paths used for financial fraud can be leveraged to deploy ransomware, escalate privileges, exfiltrate data and trigger high-impact outages, mirroring the rising ransomware patterns seen globally and across South Africa.

Industry Advice

Digital banking users are advised to remain alert to the social-engineering tactics commonly used in RAT attacks, particularly urgent messages or calls claiming account, SIM or delivery issues. Best practice includes never installing apps at the request of a call or message, restricting app permissions, keeping devices and applications updated, using strong device security such as biometrics, and installing apps from official app stores only. Users who suspect compromise should act immediately by disconnecting the device from the internet and contacting their bank, as early response can significantly limit fraud losses.