PJobRAT makes a comeback, takes another crack at chat apps

In 2021, the cybersecurity landscape was shaken by the emergence of PJobRAT, an Android Remote Access Trojan (RAT) that initially targeted Indian military personnel through deceptive dating and messaging applications. After a period of relative silence, Sophos X-Ops researchers recently unearthed a new campaign associated with PJobRAT, which appeared to have its sights set on users in Taiwan.

Distribution and infection

The latest findings indicate that PJobRAT samples were disguised as instant messaging applications. All identified victims were located in Taiwan. The malicious apps included ‘SangaalLite’ (a likely nod to ‘SignalLite’, which was used in earlier campaigns) and CChat, a mimic of a legitimate app that was once available on Google Play. These apps were available for download from various WordPress sites, which have since been taken down; reports have been filed with WordPress to address the issue.

The earliest sample of this campaign was detected in January 2023, while the domains associated with the malware were registered as early as April 2022. The most recent sample appeared in October 2024, leading researchers to believe that the campaign has either concluded or is currently on hold, as no activity has been observed since. This operation spanned at least 22 months, potentially extending to two and a half years, yet the number of infections remained relatively low, suggesting that the threat actors were not targeting the general public.

Figure 1: One of the malicious distribution sites – this one showing a boilerplate WordPress template, with a link to download one of the samples

Figure 2: Another malicious distribution site – this one hosting a fake chat app called SaangalLite

While the precise methods used to direct users to these WordPress distribution sites remain unclear (SEO poisoning, malvertising, or phishing are all possibilities), previous PJobRAT campaigns have employed a variety of distribution tactics. These have included leveraging third-party app stores, compromising legitimate websites to host phishing pages, using shortened links to obscure final URLs, and creating fictitious personas to entice users into downloading the disguised applications. It is also plausible that links to these malicious apps were shared on military forums.

Once installed and launched, the apps request extensive permissions, including the ability to prevent battery optimization, allowing them to operate continuously in the background.

Figure 3: Screenshots from the interface of the malicious SaangalLite app

The apps feature basic chat functionality, enabling users to register, log in, and communicate with one another. This means that infected users could potentially message each other if they were aware of each other’s user IDs. Additionally, the apps check in with command-and-control (C2) servers for updates upon startup, facilitating the installation of malware updates.

A shift in tactics

Notably, the recent iterations of PJobRAT have dropped the WhatsApp message-stealing functionality that was a hallmark of the 2021 campaign. Instead, they now incorporate the ability to execute shell commands, which significantly expands the malware’s capabilities. This gives threat actors far greater control over compromised devices: they can extract data (including WhatsApp data) from any application on the device, root the device itself, use the victim’s device to infiltrate other systems on the network, and even silently remove the malware once their objectives are achieved.

Figure 4: Code to execute shell commands

Communication

The latest variants of PJobRAT utilize two primary methods for communication with their C2 servers. The first is Firebase Cloud Messaging (FCM), a cross-platform library developed by Google that allows apps to send and receive small payloads from the cloud. FCM typically operates on port 5228, though it may also use ports 443, 5229, and 5230. This method provides threat actors with the advantage of concealing their C2 activities within expected Android traffic while leveraging the reliability of cloud-based services.

Through FCM, commands can be sent from a C2 server to the apps, triggering various RAT functions. The following table outlines some of the commands utilized:

Command     Description
----------  ------------------------------------------
aceamace    Upload SMS
pang        Upload device information
filefile_   Upload file
dirdir_     Upload a file from a specific folder
startscan   Upload list of media files and documents
kansell     Cancel all queued operations
chall       Run a shell command
kontak      Upload contacts
ambrc       Record and upload audio

Figure 5: Table showing PJobRAT commands

The second communication method employed by PJobRAT is HTTP, which is used to upload various data types (device information, SMS, contacts, and files such as images, audio/video, and documents like .doc and .pdf files) to the C2 server. The now inactive C2 server, westvist[.]myftp[.]org, relied on a dynamic DNS provider to transmit data to an IP address located in Germany.
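Because the FCM command channel rides on Google's infrastructure and blends into normal Android traffic, the HTTP upload channel to a dynamic DNS host is the part of this design that network monitoring can realistically catch. The following is an added example (not code from the Sophos report) that scans constructed proxy log lines for the reported C2 host, for dynamic DNS hostnames, and for large POST uploads to such hosts; the log format, the non-myftp.org suffixes, and the size threshold are assumptions made for the example.

```python
import re

# IoC from the report (defanged there as westvist[.]myftp[.]org), refanged for matching.
KNOWN_C2_HOSTS = {"westvist[.]myftp[.]org".replace("[.]", ".")}
# myftp.org is the provider seen in the report; the other suffixes are assumptions.
DYNDNS_SUFFIXES = (".myftp.org", ".ddns.net", ".no-ip.org", ".hopto.org")
UPLOAD_BYTES_THRESHOLD = 100_000  # constructed: POST bodies above this count as "large"

# Constructed proxy-log format: timestamp src method host port path bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<path>\S+)\s+(?P<bytes_out>\d+)$"
)

# Constructed sample log: two uploads to the reported C2, one benign GET,
# one POST to a dynamic DNS host, one large POST to an ordinary CDN.
SAMPLE_LOG = """\
2024-10-02T09:13:10Z 10.0.0.21 POST westvist.myftp.org 80 /upload/contacts 48211
2024-10-02T09:13:12Z 10.0.0.21 POST westvist.myftp.org 80 /upload/files 1920331
2024-10-02T09:14:00Z 10.0.0.22 GET www.example.com 443 /index.html 512
2024-10-02T09:15:00Z 10.0.0.23 POST updates.example-dyn.ddns.net 443 /api 90000
2024-10-02T09:16:00Z 10.0.0.24 POST cdn.example.org 443 /sync 5000000
"""

def classify(fields: dict):
    """Score one parsed log entry; returns an alert dict or None if nothing is suspicious."""
    host = fields["host"].lower().rstrip(".")
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("known PJobRAT C2 host")
    elif host.endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic DNS host")
    if not reasons:
        return None  # a large upload on its own is too noisy to alert on
    if fields["method"] == "POST" and int(fields["bytes_out"]) >= UPLOAD_BYTES_THRESHOLD:
        reasons.append("large HTTP upload")
    severity = "high" if host in KNOWN_C2_HOSTS else ("medium" if len(reasons) > 1 else "low")
    return {"src": fields["src"], "host": host, "severity": severity, "reasons": tuple(reasons)}

def scan_log(text: str) -> list:
    """Parse log lines (skipping malformed ones) and collect the alerts in order."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and (alert := classify(m.groupdict())):
            alerts.append(alert)
    return alerts
```

Running `scan_log(SAMPLE_LOG)` yields three alerts: two high-severity hits on the reported C2 host and one low-severity hit on the dynamic DNS host, while the large upload to the ordinary CDN is ignored.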

Figure 6: Stealing device information from an infected device (from our own testing)

Figure 7: Stealing contacts from an infected device (from our own testing)

Figure 8: Stealing a list of files from an infected device (from our own testing)
