PJobRAT makes a comeback, takes another crack at chat apps – Sophos News
In 2021, researchers reported that PJobRAT – an Android RAT first observed in 2019 – was targeting Indian military personnel by imitating various dating and instant messaging apps. Since then, there’s been little news about PJobRAT – until, during a recent threat hunt, Sophos X-Ops researchers uncovered a new campaign – now seemingly over – that appeared to target users in Taiwan.
PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices.
Distribution and infection
In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan.
The apps included ‘SangaalLite’ (possibly a play on ‘SignalLite’, an app used in the 2021 campaigns) and CChat (mimicking a legitimate app of the same name that previously existed on Google Play).
The apps were available for download from various WordPress sites (now defunct, though we have reported them to WordPress regardless). The earliest sample was first seen in January 2023 (although the domains hosting the malware were registered as early as April 2022) and the most recent was from October 2024. We believe the campaign is now over, or at least paused, as we have not observed any activity since then.
This campaign was therefore running for at least 22 months, and perhaps for as long as two and a half years. However, the number of infections was relatively small, and in our assessment the threat actors behind it were not targeting the general public.
Figure 1: One of the malicious distribution sites – this one showing a boilerplate WordPress template, with a link to download one of the samples
Figure 2: Another malicious distribution site – this one hosting a fake chat app called SangaalLite
We don’t have enough information to confirm how users were directed to the WordPress distribution sites (e.g., SEO poisoning, malvertising, phishing, etc.), but we know that the threat actors behind previous PJobRAT campaigns used a variety of tricks for distribution. These included third-party app stores, compromising legitimate sites to host phishing pages, shortened links to mask final URLs, and fictitious personae to deceive users into clicking on links or downloading the disguised apps. The threat actors may also have distributed links to the malicious apps on military forums.
Once on a user’s device and launched, the apps request a plethora of permissions, including an exemption from battery optimization so that they can keep running in the background.
Figure 3: Screenshots from the interface of the malicious SangaalLite app
The apps have basic chat functionality built in, allowing users to register, log in, and chat with other users (so, theoretically, infected users could have messaged each other, if they knew each other’s user IDs). They also check the command-and-control (C2) servers for updates at start-up, allowing the threat actor to push updated versions of the malware.
A shift in tactics
Unlike the 2021 campaign, the latest iterations of PJobRAT do not have built-in functionality for stealing WhatsApp messages. However, they do include new functionality to run shell commands. This vastly increases the capabilities of the malware, giving the threat actor much greater control over the victim’s mobile device. It may allow them to steal data – including WhatsApp data – from any app on the device (on a stock device the shell runs as the malicious app’s own user, so reaching other apps’ private storage requires root), root the device itself, use the victim’s device to target and penetrate other systems on the network, and even silently remove the malware once their objectives have been completed.
Figure 4: Code to execute shell commands
Communication
The latest variants of PJobRAT have two ways to communicate with their C2 servers. The first is Firebase Cloud Messaging (FCM), Google’s cross-platform push messaging service, which lets a backend deliver small payloads (up to about 4 KB) to an app from the cloud.
As we noted in our coverage of an Iranian mobile malware campaign in July 2023, FCM usually uses port 5228, but may also use ports 443, 5229, and 5230. FCM provides threat actors with two advantages: it enables them to hide their C2 activity within expected Android traffic, and it leverages the reputation and resilience of cloud-based services. Because FCM traffic is encrypted to Google’s infrastructure, network monitoring cannot see the commands themselves; detection has to rely on the HTTP exfiltration leg described below or on analysis of the app on the device.
The threat actor used FCM to send commands from a C2 server to the apps and trigger various RAT functions, including the following:
| Command | Description |
| --- | --- |
| `_ace_am_ace_` | Upload SMS |
| `_pang_` | Upload device information |
| `_file_file_` | Upload file |
| `_dir_dir_` | Upload a file from a specific folder |
| `__start__scan__` | Upload list of media files and documents |
| `_kansell_` | Cancel all queued operations |
| `_chall_` | Run a shell command |
| `_kontak_` | Upload contacts |
| `_ambrc_` | Record and upload audio |
Figure 5: Table showing PJobRAT commands
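As an added example (not code from the Sophos article or from the malware), the following Python script turns the Figure 5 command strings into a static triage check: it searches a decoded sample for the commands in both ASCII (as they appear in DEX string data) and UTF-16LE form, maps each hit back to the RAT function it triggers, and can emit the equivalent YARA rule. The sample byte blobs, the hit threshold and the rule name are constructed here for illustration.

```python
"""Static triage using the PJobRAT FCM command strings from Figure 5.

Added example, not the malware's or Sophos' code. Run it over the contents of
an unpacked APK (e.g. classes.dex after unzipping), not over the APK itself,
since the zip entries are compressed.
"""

# Command strings from Figure 5, mapped to the RAT function each triggers.
PJOBRAT_COMMANDS = {
    "_ace_am_ace_": "Upload SMS",
    "_pang_": "Upload device information",
    "_file_file_": "Upload file",
    "_dir_dir_": "Upload a file from a specific folder",
    "__start__scan__": "Upload list of media files and documents",
    "_kansell_": "Cancel all queued operations",
    "_chall_": "Run a shell command",
    "_kontak_": "Upload contacts",
    "_ambrc_": "Record and upload audio",
}


def find_commands(blob: bytes) -> dict:
    """Return {command: capability} for each Figure 5 command present in blob.

    Each token is searched in ASCII (how it appears in DEX string data) and in
    UTF-16LE (how it would appear in a compiled Android resource table). The
    leading and trailing underscores make plain substring search precise
    enough: '_pangolin_' does not contain '_pang_'.
    """
    found = {}
    for cmd, capability in PJOBRAT_COMMANDS.items():
        needles = (cmd.encode("ascii"), cmd.encode("utf-16-le"))
        if any(needle in blob for needle in needles):
            found[cmd] = capability
    return found


def triage(blob: bytes, threshold: int = 3) -> tuple:
    """Flag a blob when at least `threshold` distinct commands are present.

    The threshold is an assumption for this example; returns (flagged, hits).
    """
    found = find_commands(blob)
    return len(found) >= threshold, sorted(found)


def to_yara(rule_name: str = "PJobRAT_fcm_commands", min_hits: int = 3) -> str:
    """Emit the same check as a YARA rule (rule name is a placeholder)."""
    lines = [f"rule {rule_name} {{", "    strings:"]
    for i, cmd in enumerate(PJOBRAT_COMMANDS):
        lines.append(f'        $c{i} = "{cmd}" ascii wide')
    lines += ["    condition:", f"        {min_hits} of ($c*)", "}"]
    return "\n".join(lines)


# Constructed inputs: a fake DEX string pool with five of the commands (one of
# them stored UTF-16LE) and a benign pool with a near-miss token.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"Lcom/example/chat/FcmService;\x00_pang_\x00_chall_\x00_kontak_\x00_ambrc_\x00"
    + "_file_file_".encode("utf-16-le")
)
BENIGN_BLOB = b"Lcom/example/chat/FcmService;\x00onMessageReceived\x00_pangolin_\x00"

if __name__ == "__main__":
    flagged, hits = triage(SAMPLE_BLOB)
    print("sample flagged:", flagged, hits)
    print("benign flagged:", triage(BENIGN_BLOB)[0])
    print(to_yara())
```

The threshold of three distinct commands is there to avoid firing on a single token that happens to appear in an unrelated app; lower it to one if you are hunting for a specific capability such as `_chall_`.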
The second method of communication is HTTP. PJobRAT uses HTTP to upload data, including device information, SMS, contacts, and files (images, audio/video and documents such as .doc and .pdf files), to the C2 server.
The (now inactive) C2 domain (westvist[.]myftp[.]org) was registered with a dynamic DNS provider and resolved to an IP address based in Germany, to which the stolen data was sent.
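As an added example of the network-side check a defender would want (not code from the article), the following Python script refangs the published C2 indicator and runs it over DNS query logs, flagging exact IOC hits and, separately, queries under dynamic DNS suffixes like the one this C2 used. The log lines, the log format and the dynamic DNS suffix list are constructed for illustration; the suffix list should be replaced with a curated one.

```python
"""DNS-log check for the PJobRAT C2 pattern described above.

Added example, not code from the article. It refangs the published C2 IOC,
then flags (a) queries that exactly match an IOC and (b) queries under a
dynamic DNS suffix, the hosting pattern the C2 used. Log lines, the log
format and the suffix list are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# IOC from the article, kept defanged as published.
IOC_DOMAINS_DEFANGED = ["westvist[.]myftp[.]org"]

# Assumption: a short illustrative list of dynamic DNS suffixes (myftp.org is
# a No-IP domain). Replace with a curated list in real use.
DYNAMIC_DNS_SUFFIXES = ("myftp.org", "no-ip.org", "ddns.net", "hopto.org", "duckdns.org")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a bare domain."""
    d = ioc.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        d = d.replace(token, ".")
    return d.rstrip("/").rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def dyndns_suffix(qname: str, suffixes=DYNAMIC_DNS_SUFFIXES) -> Optional[str]:
    """Return the suffix qname sits under, anchored at a label boundary.

    'myftp.org.example.com' must NOT match 'myftp.org', which is why this does
    not use a plain substring test.
    """
    q = qname.lower().rstrip(".")
    for s in suffixes:
        if q == s or q.endswith("." + s):
            return s
    return None


# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def triage_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, verdict) for each suspicious query.

    verdict is 'ioc' for an exact C2 match or 'dyndns:<suffix>' otherwise.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = m.groups()
        q = qname.lower().rstrip(".")
        if q in IOC_DOMAINS:
            hits.append((client, q, "ioc"))
        else:
            suffix = dyndns_suffix(q)
            if suffix:
                hits.append((client, q, "dyndns:" + suffix))
    return hits


# Constructed DNS query log: one exact C2 hit, one generic dynamic DNS query,
# one near-miss where the suffix appears mid-name, and ordinary traffic.
SAMPLE_LOG = """\
2024-10-02T09:14:03Z 10.20.0.15 mtalk.google.com. A
2024-10-02T09:14:05Z 10.20.0.15 westvist.myftp.org. A
2024-10-02T09:15:11Z 10.20.0.22 updates.example-vendor.com. A
2024-10-02T09:16:40Z 10.20.0.31 backup-host.ddns.net. A
2024-10-02T09:17:02Z 10.20.0.40 myftp.org.example.com. A
""".splitlines()

if __name__ == "__main__":
    for client, qname, verdict in triage_dns_log(SAMPLE_LOG):
        print(f"{verdict:18} {client:12} {qname}")
```

The dynamic DNS verdict is a hunting lead rather than an alert on its own: plenty of legitimate hosts live under these suffixes, so pair it with the device type (the client in this campaign is an Android handset) and with outbound HTTP uploads to the resolved address.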
Figure 6: Stealing device information from an infected device (from our own testing)
Figure 7: Stealing contacts from an infected device (from our own testing)
Figure 8: Stealing a list of files from an infected device (from our own testing)
Conclusion
While this particular campaign may be over, it’s a good illustration of the fact that threat actors will often retool and retarget after an initial campaign – making improvements to their malware and adjusting their approach – before striking again.
We’ll be keeping an eye out for future activity relating to PJobRAT. In the meantime, Android users should avoid installing apps from links found in emails, text messages or any other communication from untrusted sources, and use a mobile threat detection app such as Sophos Intercept X for Mobile to defend against such threats.
A list of the apps, hosting domains, and C2 domains we discovered during this investigation is available on our GitHub repository. The samples described here are detected by Intercept X for Mobile as Andr/AndroRAT-M.