PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.
Initially, PJobRAT was known for targeting Indian military personnel by disguising itself as dating and instant messaging apps.
The latest iteration of this malware has evolved, now masquerading as apps like ‘SangaalLite’ and ‘CChat’, which were distributed through defunct WordPress sites.
.png
)
These sites were active from at least January 2023 to October 2024, although the domains were registered as early as April 2022.
Distribution and Infection Tactics
The malware was spread via fake apps that mimicked legitimate messaging services.
Once installed, these apps request extensive permissions, including the ability to bypass battery optimization, allowing them to run continuously in the background.
Users were likely directed to these malicious sites through various tactics such as SEO poisoning, malvertising, or phishing, although the exact methods used in this campaign are not confirmed.
The threat actors behind PJobRAT have historically used diverse distribution methods, including third-party app stores and compromised legitimate sites.
Enhanced Capabilities
The latest versions of PJobRAT have seen significant updates, particularly in their ability to execute shell commands.
According to the Report, this enhancement allows the malware to potentially steal data from any app on the device, root the device, or even silently remove itself after completing its objectives.
Unlike previous versions, the new PJobRAT does not specifically target WhatsApp messages but can access data from any app.
It communicates with command-and-control (C2) servers using Firebase Cloud Messaging (FCM) and HTTP, enabling it to upload stolen data such as SMS messages, contacts, and files.
The campaign appears to have concluded, with no recent activity observed. However, this resurgence highlights the adaptability of threat actors, who continually refine their tactics and malware to evade detection.
Android users are advised to avoid installing apps from untrusted sources and to use mobile threat detection software to protect against such threats.
Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.
 first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.){kind=link}