First reported in 2021, PJobRAT (an Android RAT first observed in 2019) was targeting Indian military personnel by masquerading as various dating and instant messaging apps. Since then, little has been publicly known about PJobRAT, until a recent investigation by Sophos X-Ops researchers uncovered a new campaign, now apparently concluded, targeting users in Taiwan.
From infected Android devices, PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files.
Distribution and infection
In the most recent campaign, X-Ops researchers found PJobRAT samples disguised as instant messaging apps. Based on our telemetry, all victims appeared to be located in Taiwan.
These included ‘SangaalLite’ (possibly a play on ‘SignalLite’, a known app from the 2021 campaigns) and CChat (mimicking a legitimate app of the same name that was previously available on Google Play).
The apps were available for download from several WordPress sites (now defunct, though we have reported them to WordPress regardless). The earliest sample we found dates from January 2023 (although the domains hosting the malware were registered as early as April 2022), and the latest from October 2024. We believe the campaign has now ended or paused, since we have observed no further activity.
That puts the campaign's duration at a minimum of 22 months, and possibly as long as two and a half years. Infection numbers were nevertheless relatively low, and in our assessment the threat actors were not targeting the general public.
Figure 1: A malicious distribution site showcasing a standard WordPress format, with a link to download one of the samples
Figure 2: Another illegitimate distribution site hosting a counterfeit chat app named SaangalLite
We do not know how users were directed to the WordPress distribution sites (whether through SEO poisoning, malvertising, phishing, or something else). We do know that the actors behind previous PJobRAT campaigns used a variety of distribution techniques: third-party app stores, compromised legitimate sites hosting phishing content, shortened URLs to hide the final destination, and fake personas to lure users into clicking links or downloading the disguised apps. The threat actors may also have posted links to the malicious apps on military forums.
Once on a user’s device and opened, the apps request numerous permissions, including an exemption from battery optimization so that they can keep running in the background.
Figure 3: Snapshots from the interface of the deceitful SaangalLite app
The apps offer basic chat functionality: users can register, log in, and message other users (so, in principle, infected users could message each other if they knew each other’s user IDs). On startup the apps also poll the command-and-control (C2) servers for updates, which lets the threat actor push malware updates.
Evolution
Unlike the 2021 campaign, the latest PJobRAT versions no longer include a component for stealing WhatsApp messages. They do, however, add a new capability to run shell commands. This greatly expands what the malware can do, giving the threat actor much more control over a victim’s device: they could exfiltrate data, including WhatsApp data, from any app on the device, root the device, use it as a foothold to attack other systems on the network, and quietly remove the malware once their objectives are met.
Figure 4: Command code execution script
Communications
The latest PJobRAT variants have two ways of communicating with their C2 servers. The first is Firebase Cloud Messaging (FCM), a cross-platform messaging library from Google that lets apps exchange small data payloads (up to 4,000 bytes) with the cloud.
As we noted in our coverage of an Iranian mobile malware campaign in July 2023, FCM usually uses port 5228, but can also use ports 443, 5229, and 5230. FCM gives threat actors two advantages: it hides their C2 traffic among expected Android traffic, and it piggybacks on the trust and resilience of cloud services.
The threat actor used FCM to send commands from a C2 server to the apps and to trigger the RAT’s functions, which include the following:
| Command | Description |
|---|---|
| _ace_am_ace_ | Send SMS |
| _pang_ | Send device details |
| _file_file_ | Send file |
| _dir_dir_ | Send a file from a given directory |
| __start__scan__ | Send list of media files and documents |
| _kansell_ | Cancel all pending operations |
| _chall_ | Run a command on the shell |
| _kontak_ | Send contacts |
| _ambrc_ | Record and send audio |
Figure 5: Chart demonstrating PJobRAT directives
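Two of the traits described above, the permission set the apps request and the FCM command strings, are what an analyst would look for first when triaging a suspect APK. The following is an added example of that static triage (not Sophos X-Ops code and not PJobRAT’s own code): it parses a decoded AndroidManifest.xml for the permissions that map to the RAT’s capabilities, including the battery-optimization exemption used to stay resident, and searches a raw classes.dex for the Figure 5 command tokens. The manifest and DEX bytes below are constructed samples, and the permission weights and the `suspicious` threshold are this example’s own heuristic, not a published scoring scheme.

```python
"""Static triage heuristics for a decoded Android APK (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capability set described in the write-up.
# Weights are this example's own heuristic (assumption), not a standard.
PERMISSION_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.INTERNET": 0,  # too common to score on its own
}

# FCM command strings from the Figure 5 table.
PJOBRAT_COMMANDS = {
    "_ace_am_ace_": "send SMS",
    "_pang_": "send device details",
    "_file_file_": "send file",
    "_dir_dir_": "send a file from a given directory",
    "__start__scan__": "send list of media files and documents",
    "_kansell_": "cancel all pending operations",
    "_chall_": "run a command on the shell",
    "_kontak_": "send contacts",
    "_ambrc_": "record and send audio",
}

# Constructed sample manifest (not from a real PJobRAT sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
</manifest>
"""

# Constructed DEX-like blob: magic, padding, then string_data items laid out
# as DEX does it (ULEB128 length prefix, MUTF-8 bytes, NUL terminator).
SAMPLE_DEX = (
    b"dex\n035\x00" + bytes(16)
    + b"\x07_chall_\x00" + b"\x08_kontak_\x00" + b"\x06_pang_\x00"
)


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def score_permissions(perms) -> tuple:
    """Return (score, sorted list of weighted permissions present)."""
    flagged = sorted(p for p in perms if PERMISSION_WEIGHTS.get(p, 0) > 0)
    score = sum(PERMISSION_WEIGHTS.get(p, 0) for p in perms)
    return score, flagged


def find_commands(dex_bytes: bytes) -> dict:
    """Map each Figure 5 command string found in the blob to its byte offset.

    DEX stores strings as MUTF-8 with a length prefix, so a plain byte search
    for the ASCII token works directly on classes.dex without decoding it.
    """
    found = {}
    for cmd in PJOBRAT_COMMANDS:
        off = dex_bytes.find(cmd.encode("ascii"))
        if off != -1:
            found[cmd] = off
    return found


def triage(manifest_xml: str, dex_bytes: bytes) -> dict:
    """Combine both checks. Threshold of 6 is this example's assumption."""
    score, flagged = score_permissions(requested_permissions(manifest_xml))
    commands = find_commands(dex_bytes)
    return {
        "permission_score": score,
        "flagged_permissions": flagged,
        "commands": commands,
        "suspicious": score >= 6 or bool(commands),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_DEX)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real sample, feed `requested_permissions` the manifest from apktool or aapt output and `find_commands` the raw classes.dex; an unpacker would have to be run first if the DEX is encrypted or loaded at runtime, which this check does not handle.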
The second channel is HTTP. PJobRAT uses HTTP to upload data, such as device information, SMS messages, contacts, and files (images, audio/video, and documents such as .doc and .pdf files), to the C2 server.
The (now inactive) C2 server, westvist[.]myftp[.]org, used a dynamic DNS provider to route the data to an IP address located in Germany.
Figure 6: Extracting device details from an infected device (from our internal testing)
Figure 7: Extracting contacts from an infected device (from our internal testing)
Figure 8: Extracting a list of files from an infected device (from our internal testing)
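The HTTP channel is the more hunt-friendly of the two, because it resolves a dynamic DNS hostname and then uploads over plain web ports, whereas the FCM traffic on ports 5228–5230 looks like any other Android device. The following is an added example (not code from the Sophos write-up) of that hunt over DNS and connection logs: it records which hosts resolved names under a dynamic DNS suffix, then flags connections from those hosts to the resolved addresses, and separately counts FCM-port connections purely as context. The log lines are constructed in a simplified tab-separated layout of this example’s own choosing, with RFC 5737 documentation addresses; the only suffix listed is the one the page’s C2 domain used, and the list would be extended in practice.

```python
"""Hunt for dynamic-DNS C2 uploads in DNS and connection logs (added example)."""
from collections import defaultdict

# Suffix taken from the C2 domain westvist[.]myftp[.]org; extend as needed.
DYNDNS_SUFFIXES = ("myftp.org",)
FCM_PORTS = {5228, 5229, 5230}

# Constructed DNS log: ts, client, query, answer (simplified layout, assumption).
SAMPLE_DNS = """\
1700000000.1\t10.0.0.5\twestvist.myftp.org\t203.0.113.10
1700000000.2\t10.0.0.5\tmtalk.google.com\t198.51.100.7
1700000000.3\t10.0.0.9\texample.com\t192.0.2.1
"""

# Constructed connection log: ts, src, dst, dst_port, proto.
SAMPLE_CONN = """\
1700000001.0\t10.0.0.5\t198.51.100.7\t5228\ttcp
1700000002.0\t10.0.0.5\t203.0.113.10\t80\ttcp
1700000003.0\t10.0.0.9\t192.0.2.1\t443\ttcp
1700000004.0\t10.0.0.9\t198.51.100.7\t5228\ttcp
"""


def _is_dyndns(name: str) -> bool:
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def parse_dyndns_answers(dns_text: str) -> dict:
    """Return {client: {answer_ip: query_name}} for dynamic-DNS lookups only."""
    answers = defaultdict(dict)
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, answer = line.split("\t")
        if _is_dyndns(qname):
            answers[client][answer] = qname
    return answers


def hunt(dns_text: str, conn_text: str) -> dict:
    """Per source host: connections to addresses it resolved via dynamic DNS,
    plus a count of FCM-port connections for context (these are expected on
    any Android device and are not a finding on their own)."""
    answers = parse_dyndns_answers(dns_text)
    report = defaultdict(lambda: {"dyndns": [], "fcm_connections": 0})
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _proto = line.split("\t")
        port = int(port)
        entry = report[src]
        if port in FCM_PORTS:
            entry["fcm_connections"] += 1
        qname = answers.get(src, {}).get(dst)
        if qname is not None:
            entry["dyndns"].append((qname, dst, port))
    return dict(report)


def suspects(dns_text: str, conn_text: str) -> list:
    """Hosts that actually connected to a dynamic-DNS-resolved address."""
    report = hunt(dns_text, conn_text)
    return sorted(h for h, e in report.items() if e["dyndns"])


if __name__ == "__main__":
    for host, entry in hunt(SAMPLE_DNS, SAMPLE_CONN).items():
        print(host, entry)
    print("suspects:", suspects(SAMPLE_DNS, SAMPLE_CONN))
```

Correlating on the resolved address rather than on the hostname alone matters here: a lookup of a dynamic DNS name is only mildly interesting, but a subsequent upload to the address it returned is the behaviour the write-up describes. The two hosts in the sample both talk to FCM, and only the one that resolved and then connected to the myftp.org name is reported.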
Conclusion
Although this particular campaign may be over, it is a clear illustration of how threat actors often regroup and retarget after an initial campaign, improving their malware and adjusting their tactics, before striking again.
We will continue to watch for further PJobRAT activity. In the meantime, Android users should avoid installing apps from links in emails, text messages, or any other communication from untrusted sources, and should use a mobile threat detection app such as Sophos Intercept X for Mobile to protect against threats of this kind.
A list of the apps, hosting domains, and C2 domains identified in this investigation is available on our GitHub repository. The samples described here are detected by Intercept X for Mobile as Andr/AndroRAT-M.