Sophos X-Ops researchers recently discovered a new campaign involving the PJobRAT Android Remote Access Trojan (RAT) targeting users in Taiwan. This follows initial reports in 2021 that PJobRAT was targeting Indian military personnel while posing as various dating and messaging apps.
The latest campaign used samples of PJobRAT disguised as messaging apps such as ‘SangaalLite’ and ‘CChat’. These malicious apps were available for download on WordPress sites, and the campaign ran for at least 22 months, possibly up to two and a half years. The number of infections was small, however, which suggests a narrowly targeted operation rather than an attempt to reach the general public.
The distribution sites hosting the malware employed various tactics to lure users, although the exact method of directing users to these sites remains unclear. Previous PJobRAT campaigns have utilized third-party app stores, compromised legitimate sites, shortened links, and fictitious personas to distribute the malware. It is also speculated that links to the malicious apps may have been shared on military forums.
Once installed on a device, the apps requested a range of permissions, including an exemption from Android’s battery optimization so that the app could keep running in the background instead of being suspended. The apps offered basic chat functionality as cover and communicated with command-and-control (C2) servers for updates.
Notably, the latest iteration of PJobRAT dropped the functionality to steal WhatsApp messages but introduced a new capability to run shell commands. This expands the malware’s reach well beyond its hard-coded features: an operator with a shell on the device is no longer limited to what the sample’s own code does, and could potentially steal data from other apps, attempt to root the device, use it as a foothold into the network it is connected to, and remove the malware once the objectives are achieved. For analysts, this means a feature inventory of the APK understates what the operators can actually do on an infected device.
PJobRAT communicated over two channels: Firebase Cloud Messaging (FCM) and HTTP. FCM let the operators push commands to infected apps through Google’s push-notification infrastructure, so the command channel does not depend on the device polling an attacker-controlled server. Plain HTTP was used in the other direction, to upload collected data, including device information, SMS messages, contacts, and files, to the C2 server.
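The two preceding points, a persistence-oriented permission set and an FCM command channel paired with data-collection permissions, are visible in an app’s manifest before any dynamic analysis. The following Python script is an added triage example written for this article, not Sophos’s detection logic or anything from the PJobRAT samples: it parses a decoded AndroidManifest.xml and flags the combination of battery-optimization exemption, boot persistence, SMS/contacts/storage access, and a registered FCM message receiver. The manifest embedded in the script is constructed for illustration; the package and class names in it are invented, and only the Android permission strings and the FCM intent action are real.

```python
"""Manifest triage heuristic for the PJobRAT-style combination described above.

Added example, not Sophos's detection logic.  The manifest below is
constructed for illustration; it is not taken from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: a "chat" app asking for persistence, data access and FCM.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Chat">
        <service android:name=".PushService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Permissions that keep the app alive across reboots and doze.
PERSISTENCE = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
# Permissions matching the data categories the article says were uploaded.
COLLECTION = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Intent action an FCM messaging service registers for to receive pushes.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def parse_manifest(xml_text):
    """Return (permission set, has_fcm_receiver) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    has_fcm = any(a.get(ANDROID_NS + "name") == FCM_ACTION for a in root.iter("action"))
    return perms, has_fcm


def triage(xml_text):
    """Score a manifest and report which indicators matched.

    This is a prioritisation aid, not proof: legitimate chat apps also use
    FCM and may legitimately ask to ignore battery optimisation, so only the
    full combination (persistence + collection + FCM) is marked suspicious.
    """
    perms, has_fcm = parse_manifest(xml_text)
    persistence = sorted(perms & PERSISTENCE)
    collection = sorted(perms & COLLECTION)
    score = len(persistence) + len(collection) + (2 if has_fcm else 0)
    suspicious = bool(persistence) and bool(collection) and has_fcm
    return {
        "persistence": persistence,
        "collection": collection,
        "fcm_receiver": has_fcm,
        "score": score,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest extracted with apktool or a similar decoder; the function only needs the decoded XML text. The score is deliberately crude, and the point of the `suspicious` flag is the co-occurrence of all three ingredients rather than any one of them, which is what separates the profile described here from an ordinary messaging app.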
Although this specific campaign may have ended, it serves as a reminder that threat actors adapt and refine their tactics before launching new campaigns. Android users are advised to avoid installing apps from untrusted sources and use mobile threat detection apps like Sophos Intercept X for Mobile to protect against such threats.
Further details, including a list of apps, hosting domains, and C2 domains related to this investigation, can be found on the SophosLabs GitHub repository. Samples of the malware described in this campaign are detected by Intercept X for Mobile as Andr/AndroRAT-M. Stay vigilant and protect your devices from potential threats.