PJobRAT, an Android Remote Access Trojan (RAT) that first emerged in 2019, has made a notable return, this time focusing its efforts on users in Taiwan. Originally, this malware gained notoriety for targeting Indian military personnel by disguising itself as dating and instant messaging applications. The latest version has evolved, adopting the guise of seemingly innocuous apps such as ‘SangaalLite’ and ‘CChat’, which were distributed through defunct WordPress sites.
These compromised sites were operational from at least January 2023 until October 2024, with domain registrations dating back to April 2022.
Distribution and Infection Tactics
The distribution of this malware occurred through counterfeit applications that closely resembled legitimate messaging services. Once users installed these deceptive apps, they were prompted to grant extensive permissions, including the ability to bypass battery optimization, which allowed the malware to operate continuously in the background. Users were likely led to these malicious sites through various strategies such as SEO poisoning, malvertising, or phishing, although the specific methods employed in this campaign remain unverified. Historically, the perpetrators behind PJobRAT have utilized a range of distribution techniques, including third-party app stores and compromised legitimate websites.
Enhanced Capabilities
The latest iterations of PJobRAT have undergone significant enhancements, particularly regarding their capacity to execute shell commands. This upgrade empowers the malware to potentially extract data from any application on the device, root the device, or even discreetly uninstall itself after fulfilling its objectives. Unlike earlier versions, the new PJobRAT does not specifically target WhatsApp messages but possesses the capability to access data from any app installed on the device. Communication with command-and-control (C2) servers is facilitated through Firebase Cloud Messaging (FCM) and HTTP, allowing the malware to upload stolen information, including SMS messages, contacts, and files.
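As an added example (not part of the original article), the following manifest triage script flags the combination of behaviours described above: a battery-optimisation exemption for persistence, SMS/contact/file permissions for data collection, and an FCM listener that could serve as a C2 channel. The manifest, its package name and the permission-to-signal mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Permissions that map to the behaviours the write-up attributes to PJobRAT:
# staying resident via a battery-optimisation exemption and collecting
# SMS, contacts and files for upload.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistence",
    "android.permission.READ_SMS": "sms_theft",
    "android.permission.RECEIVE_SMS": "sms_theft",
    "android.permission.READ_CONTACTS": "contact_theft",
    "android.permission.READ_EXTERNAL_STORAGE": "file_theft",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file_theft",
}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # push-message entry point

# Constructed sample manifest (not taken from a real PJobRAT sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Summarise the risk signals in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    signals = {RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    # An FCM listener is normal for a chat app; it only raises the score
    # when it sits beside the data-collection permissions, mirroring the
    # FCM-based C2 channel described above.
    fcm = any(a.get(A + "name") == FCM_ACTION for a in root.iter("action"))
    score = len(signals) + (1 if fcm and signals else 0)
    return {"package": root.get("package"), "signals": sorted(signals),
            "fcm_listener": fcm, "score": score}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The script expects a decoded (text) manifest, such as the output of apktool; the binary manifest inside an APK must be decoded first.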
While the campaign appears to have reached its conclusion, with no recent activity detected, this resurgence serves as a reminder of the adaptability of threat actors, who continuously refine their tactics and malware to evade detection. Android users are strongly advised to refrain from installing applications from untrusted sources and to utilize mobile threat detection software to safeguard against such threats.