- Sophos researchers found a new variant of PJobRAT
- Android RAT now targets Taiwanese users
- The RAT can run shell commands and exfiltrate data
PJobRAT, an Android Remote Access Trojan (RAT) which disappeared roughly six years ago, has made a rather quiet comeback, targeting users with some arguably more dangerous functionalities.
Cybersecurity researchers from Sophos’ X-Ops security team discovered new samples in the wild, noting the 2019 PJobRAT could steal SMS messages, phone contacts, device and app information, documents, and media files, from infected Android devices.
The new variant can also run shell commands: “This vastly increases the capabilities of the malware, allowing the threat actor much greater control over the victims’ mobile devices,” Sophos explains. “It may allow them to steal data – including WhatsApp data – from any app on the device, root the device itself, use the victim’s device to target and penetrate other systems on the network, and even silently remove the malware once their objectives have been completed.”
Inactive campaign
The 2019 variant was mostly targeting Indian military personnel, by spoofing different dating and instant messaging apps.
The new variant seems to have ditched the dating angle, and focuses exclusively on being an instant messaging app.
In fact, Sophos says that the apps actually work, and that the victims, if they knew each other’s IDs, could even communicate to one another.
Speaking of the victims, the attackers no longer target Indians, and have instead switched to the Taiwanese.
Some of the apps found in the wild are called ‘SangaalLite’ (possibly a typosquatted version of ‘SignalLite’, an app used in the 2021 campaigns) and CChat (spoofing a legitimate app of the same name).
The apps were being distributed through WordPress sites, Sophos said, suggesting that they cannot be found on popular app stores. The sites have since been shut down, meaning that the campaign is probably completed, but the researchers reported them to WordPress anyway.
“This campaign was therefore running for at least 22 months, and perhaps for as long as two and a half years,” it was sad. However, it doesn’t seem to have been a large, or successful campaign, since the general public wasn’t the target.
You might also like
- Devious new Android malware uses a Microsoft tool to avoid being spotted
- We’ve rounded up the best password managers
- Take a look at our guide to the best authenticator app