PJobRAT Android Malware Disguised as Dating and Messaging Apps Targets Military Personnel

Sophos X-Ops researchers have uncovered a new campaign involving PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019.

This latest iteration, which appeared to target users in Taiwan, disguised itself as instant messaging apps such as ‘SangaalLite’ and ‘CChat’.

The campaign, which ran from January 2023 to October 2024, marks a significant shift from its 2021 predecessor that targeted Indian military personnel.

Image: Screenshots from the interface of the malicious SangaalLite app

Enhanced Capabilities and Distribution Methods

PJobRAT has evolved since its last known campaign, showcasing enhanced capabilities and distribution methods.

The malware can now steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices.

Unlike its 2021 version, the latest iteration lacks built-in functionality for stealing WhatsApp messages but includes a new feature to run shell commands, significantly expanding its control over victims’ devices.

The threat actors distributed the malware through various WordPress sites, employing tactics such as third-party app stores, compromised legitimate sites hosting phishing pages, shortened links masking final URLs, and fictitious personae to deceive users.

Once installed, the apps request numerous permissions, including the ability to run continuously in the background by disabling battery optimization.
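The capability set described above (SMS, contacts, files, and an exemption from battery optimization so the app keeps running in the background) maps onto a recognisable combination of manifest permissions. The following manifest-triage script is an added example, not code from Sophos or from the report; the mapping of each described capability to specific Android permission names is my assumption, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capabilities the article attributes to PJobRAT, mapped to the permissions an
# app would have to declare to get them. This mapping is an assumption made for
# triage; the report itself does not publish the malware's manifest.
CAPABILITY_PERMISSIONS = {
    "sms_theft": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "file_theft": {"android.permission.READ_EXTERNAL_STORAGE",
                   "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "background_persistence": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "network_exfil": {"android.permission.INTERNET"},
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def matched_capabilities(manifest_xml):
    """For each described capability, True if any enabling permission is declared."""
    perms = declared_permissions(manifest_xml)
    return {cap: bool(perms & needed) for cap, needed in CAPABILITY_PERMISSIONS.items()}


def triage(manifest_xml, threshold=4):
    """Score = number of matched capabilities; flag when the profile looks like PJobRAT."""
    hits = matched_capabilities(manifest_xml)
    score = sum(hits.values())
    return score, score >= threshold


# Constructed sample: a "chat" app declaring the full profile described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
</manifest>"""

if __name__ == "__main__":
    print(matched_capabilities(SAMPLE_MANIFEST))
    print(triage(SAMPLE_MANIFEST))
```

A legitimate messaging app will match some of these entries (contacts and internet at least), so the score is a prioritisation signal for an analyst reviewing sideloaded APKs, not a verdict.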

Sophisticated Communication Channels

PJobRAT utilizes two primary methods for communicating with its command-and-control (C2) servers.

The first is Firebase Cloud Messaging (FCM), a cross-platform library by Google that allows the malware to send and receive small payloads while hiding its C2 activity within expected Android traffic.

The second method involves HTTP communication to upload stolen data, including device information, SMS, contacts, and various file types to the C2 server.

The C2 server, now inactive, used a dynamic DNS provider to route data to an IP address in Germany.

According to the Sophos X-Ops report, this approach allowed the threat actors to leverage the reputation and resilience of cloud-based services while maintaining control over infected devices.

While this particular campaign appears to have concluded, it serves as a stark reminder of the evolving nature of mobile malware threats.

Android users are advised to exercise caution when installing apps, especially those from untrusted sources, and to employ mobile threat detection solutions like Sophos Intercept X for Mobile to defend against such attacks.

The resurgence of PJobRAT highlights the persistent threat landscape in mobile security, emphasizing the need for continued vigilance and advanced protection measures in an increasingly connected world.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
