An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
“PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices,” Sophos security researcher Pankaj Kohli said in a Thursday analysis.
PJobRAT, first documented in 2021, has a track record of being used against Indian military-related targets. Subsequent iterations of the malware have been discovered masquerading as dating and instant messaging apps to deceive prospective victims. It’s known to be active since at least late 2019.
In November 2021, Meta attributed a Pakistan-aligned threat actor dubbed SideCopy – believed to be a sub-cluster within Transparent Tribe – to the use of PJobRAT and Mayhem as part of highly-targeted attacks directed against people in Afghanistan, specifically those with ties to government, military, and law enforcement.
“This group created fictitious personas — typically young women — as romantic lures to build trust with potential targets and trick them into clicking on phishing links or downloading malicious chat applications,” Meta said at the time.
PJobRAT is equipped to harvest device metadata, contact lists, text messages, call logs, location information, and media files on the device or connected external storage. It’s also capable of abusing its accessibility services permissions to scrape content on the device’s screen.
Telemetry data gathered by Sophos shows that the latest campaign trained its sights on Taiwanese Android users, using malicious chat apps named SangaalLite and CChat to activate the infection sequence. These are said to have been available for download from multiple WordPress sites, with the earliest artifact dating back to January 2023.
The campaign, per the cybersecurity company, ended, or at least paused, around October 2024, meaning it had been operational for nearly two years. That said, the number of infections was relatively small, suggestive of the targeted nature of the activity. The names of the Android package names are listed below –
- org.complexy.hard
- com.happyho.app
- sa.aangal.lite
- net.over.simple
It’s currently not known how victims were deceived into visiting these sites, although, if prior campaigns are any indication, it’s likely to have an element of social engineering. Once installed, the apps request intrusive permissions that allow them to collect data and run uninterrupted in the background.
“The apps have a basic chat functionality built-in, allowing users to register, login, and chat with other users (so, theoretically, infected users could have messaged each other, if they knew each others’ user IDs),” Kohli said. “They also check the command-and-control (C2) servers for updates at start-up, allowing the threat actor to install malware updates.”
Unlike previous versions of PJobRAT that harbored the ability to steal WhatsApp messages, the latest flavor takes a different approach by incorporating a new feature to run shell commands. This not only allows the attackers to likely siphon WhatsApp chats but also exercise greater control over the infected phones.
Another update concerns the command-and-control (C2) mechanism, with the malware now using two different approaches, using HTTP to upload victim data and Firebase Cloud Messaging (FCM) to send shell commands as well as exfiltrate information.
“While this particular campaign may be over, it’s a good illustration of the fact that threat actors will often retool and retarget after an initial campaign – making improvements to their malware and adjusting their approach – before striking again,” Kohli said.
