In 2021, PJobRAT, an Android Remote Access Trojan (RAT), was identified targeting Indian military personnel by disguising itself as various dating and instant messaging apps. After a period of relative silence, Sophos X-Ops researchers have recently uncovered a new campaign that appears to target users in Taiwan.
PJobRAT is a potent threat capable of stealing a wide array of sensitive information from infected Android devices. This includes SMS messages, phone contacts, device and app information, documents, and media files.
In this recent campaign, Sophos X-Ops researchers observed PJobRAT samples masquerading as instant messaging apps. The malicious apps discovered include “SangaalLite” and “CChat”, mimicking a legitimate app with the same name that previously existed on Google Play. These apps were distributed through various now-defunct WordPress sites.

The earliest sample of this new campaign was observed in January 2023, while the most recent was from October 2024. Researchers believe that the campaign is currently over or at least paused, as no activity has been observed since October 2024.
The PJobRAT campaign ran for at least 22 months and possibly up to two and a half years. Despite this extended period, the number of infections remained relatively small, leading researchers to assess that the threat actors behind the campaign were not targeting the general public.
The latest PJobRAT iterations have demonstrated a shift in tactics compared to the 2021 campaign. Notably, the new versions lack the built-in functionality to steal WhatsApp messages. However, they incorporate a new and significant functionality: the ability to run shell commands. According to the report, “This vastly increases the capabilities of the malware, allowing the threat actor much greater control over the victims’ mobile devices”. This enhanced control enables threat actors to steal data from any app on the device, potentially including WhatsApp data, root the device, use the compromised device to target other systems on the network, and even silently remove the malware.
The latest PJobRAT variants employ two methods to communicate with their command-and-control (C2) servers.
- The first method is Firebase Cloud Messaging (FCM), a cross-platform library by Google.
- The second method of communication is HTTP, used to upload various data to the C2 server.
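The capability profile described above (SMS, contacts, documents and media collection, plus a Firebase Cloud Messaging receiver and HTTP upload as C2 channels) can be checked statically before an app is trusted. The following triage helper is an added example written for this article, not code from Sophos or from the malware; it parses an Android manifest and scores the combination of broad data-collection permissions, network access and an FCM messaging service. The manifest samples, the `com.example.*` package names and the permission-to-category mapping are constructed assumptions for illustration.

```python
"""Static manifest triage (added example, not Sophos code).

Flags an Android package whose permission set matches the data-collection
profile attributed to PJobRAT (SMS, contacts, storage/media) when it is
combined with network access and, optionally, a Firebase Cloud Messaging
(FCM) receiver that could double as a command channel.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions mapped onto the data categories the article lists (assumed mapping).
EXFIL_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "phone contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "documents and media files",
    "android.permission.READ_MEDIA_IMAGES": "documents and media files",
    "android.permission.QUERY_ALL_PACKAGES": "installed app inventory",
}
# An FCM service is normal in a real chat app; it is only interesting
# together with the broad collection permissions above.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(xml_text: str) -> dict:
    """Return a summary dict; 'flag' is True when two or more exfiltration
    data categories are requested alongside network access."""
    root = ET.fromstring(xml_text)
    perms = {u.get(NAME_ATTR) for u in root.iter("uses-permission")}
    categories = sorted({EXFIL_PERMISSIONS[p] for p in perms if p in EXFIL_PERMISSIONS})
    has_fcm = any(a.get(NAME_ATTR) == FCM_ACTION for a in root.iter("action"))
    has_internet = "android.permission.INTERNET" in perms
    # One point per data category, plus one each for a push channel and network access.
    score = len(categories) + int(has_fcm) + int(has_internet)
    return {
        "package": root.get("package"),
        "data_categories": categories,
        "fcm_receiver": has_fcm,
        "internet": has_internet,
        "score": score,
        "flag": len(categories) >= 2 and has_internet,
    }


# Constructed sample: a "chat app" requesting the PJobRAT-style permission mix.
SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="{FCM_ACTION}"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a benign messenger that only needs network and push.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="{FCM_ACTION}"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The heuristic deliberately does not treat FCM on its own as a signal: legitimate messaging apps use it, and the indicator the article describes is the combination of push or HTTP connectivity with permissions covering SMS, contacts and files. Permissions a real app requests at install time can be pulled from the decoded manifest with standard APK tooling and fed to `triage_manifest` as a first-pass filter.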
The resurgence of PJobRAT with enhanced capabilities demonstrates the persistent and evolving nature of mobile malware threats.