A malware family known as PJobRAT, previously identified targeting Indian military personnel, has been linked to a new campaign aimed at Taiwanese users, disguising itself as chat apps.
“PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices,” Sophos security researcher Pankaj Kohli said in an analysis published on Thursday.
PJobRAT was first documented in 2021 and has a history of being used against Indian military-related targets. The malware has evolved over time, with subsequent iterations masquerading as dating and instant messaging apps to deceive potential victims. It is known to have been active since at least late 2019.
In November 2021, Meta attributed the use of PJobRAT and Mayhem to a Pakistan-aligned threat actor known as SideCopy, which is believed to be a sub-cluster within Transparent Tribe. This threat actor was found to have directed highly targeted attacks against individuals in Afghanistan with ties to the government, military, and law enforcement.
Meta noted that the threat actor created fictitious personas, typically young women, as romantic lures to build trust with potential targets and trick them into clicking on phishing links or downloading malicious chat applications.
PJobRAT is capable of harvesting device metadata, contact lists, text messages, call logs, location information, and media files on the device or connected external storage. It can also abuse its accessibility services permissions to scrape content on the device’s screen.
Telemetry data gathered by Sophos reveals that the latest campaign targeted Taiwanese Android users, using malicious chat apps named SangaalLite and CChat to activate the infection sequence. These apps were available for download from multiple WordPress sites, with the earliest artifact dating back to January 2023.
According to Sophos, the campaign ended or paused around October 2024, after running for nearly two years. The relatively small number of infections suggests the activity was targeted. The Android package names associated with the campaign are listed below:
- org.complexy.hard
- com.happyho.app
- sa.aangal.lite
- net.over.simple
It is currently unclear how victims were deceived into visiting these sites, but based on prior campaigns, it likely involved social engineering tactics. Once installed, the apps request intrusive permissions, allowing them to collect data and run uninterrupted in the background.
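A defender-side triage script for the indicators described above (the four package names, installation from websites rather than an app store, and the accessibility-service abuse noted earlier), as an added example that is not from the article or from Sophos. The adb output it parses is constructed, and the `pm list packages -i` and `enabled_accessibility_services` formats are assumptions about the device.

```python
"""Device triage for this article's indicators: listed package names and
accessibility grants to sideloaded apps. Added example; adb formats assumed."""
import re

# Package names reported for the campaign (from the article).
PJOBRAT_PACKAGES = {"org.complexy.hard", "com.happyho.app",
                    "sa.aangal.lite", "net.over.simple"}
# Installers this fleet trusts (assumption; e.g. Play Store or an MDM agent).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_packages(pm_output):
    """Parse `pm list packages -i` into {package: installer or None (sideloaded)}."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs

def parse_accessibility(setting_value):
    """Parse 'pkg/Service:pkg2/Service2' into the set of packages granted access."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {e.split("/")[0] for e in setting_value.strip().split(":") if e}

def triage(pm_output, accessibility_value):
    """Return [(package, installer, [reasons])] for packages worth a look."""
    pkgs = parse_packages(pm_output)
    a11y = parse_accessibility(accessibility_value)
    findings = []
    for pkg, installer in sorted(pkgs.items()):
        reasons = []
        if pkg in PJOBRAT_PACKAGES:
            reasons.append("known PJobRAT package name")
        if pkg in a11y and installer not in TRUSTED_INSTALLERS:
            reasons.append("accessibility service enabled on sideloaded app")
        if reasons:
            findings.append((pkg, installer, reasons))
    return findings

# Constructed sample output standing in for a real device capture.
SAMPLE_PM = """package:com.android.vending  installer=null
package:sa.aangal.lite  installer=null
package:com.example.keyboard  installer=com.android.vending
package:net.tools.helper  installer=null"""
SAMPLE_A11Y = ("sa.aangal.lite/com.sangaal.AccService:"
               "com.example.keyboard/com.example.KbdService:net.tools.helper/net.tools.Overlay")

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```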
According to Kohli, “The apps have a basic chat functionality built-in, allowing users to register, login, and chat with other users. They also check the command-and-control (C2) servers for updates at start-up, enabling the threat actor to install malware updates.”
Unlike previous versions of PJobRAT, which could steal WhatsApp messages, the latest version incorporates a new feature to run shell commands, allowing attackers to potentially siphon WhatsApp chats and exercise greater control over infected phones.
The command-and-control (C2) mechanism has also been updated, with the malware now using two different approaches: HTTP to upload victim data and Firebase Cloud Messaging (FCM) to send shell commands and exfiltrate information.
As Kohli noted, “While this particular campaign may be over, it illustrates the fact that threat actors will often retool and retarget after an initial campaign, making improvements to their malware and adjusting their approach before striking again.”