A sophisticated Android remote access trojan (RAT) known as PJobRAT has resurfaced, targeting users in Taiwan through trojanized messaging applications.
Background
Initially documented in 2019, PJobRAT targeted active-duty military personnel in India by impersonating dating and instant-messaging apps. After several years of apparent inactivity, it resurfaced in Taiwan, where the most recent campaign ran from early 2023 to late 2024.
Key Details
- Location Target: Taiwan
- Infection Method: Disguised messaging apps on WordPress sites
- Campaign Duration: Approximately 22 months
- Primary Apps: ‘SangaalLite’ and ‘CChat’
How It Works
The malware relies on tricking users into downloading seemingly legitimate chat applications from WordPress sites. It is not yet known how victims were directed to those distribution sites.
Once installed, the apps request extensive device permissions, which allow the operators to:
- Steal SMS messages
- Extract phone contacts
- Capture device and app information
- Download documents and media files
Distribution
The threat actors behind earlier PJobRAT campaigns used third-party app stores, compromised legitimate websites to host phishing pages, employed shortened links to conceal final URLs, and created fake personas to trick users into clicking on links or downloading disguised apps. The threat actors may have also shared links to the malicious apps on military forums.

New Capabilities
Unlike previous iterations, the latest PJobRAT variant adds one significant capability: executing shell commands on the infected device. This widens the operators' control well beyond the fixed data-collection functions, potentially enabling:
- Theft of data from applications beyond the targeted chat apps
- Rooting of the device
- Pivoting into the victim's network
- Self-removal once the operation is complete
Communication Techniques
The malware talks to its operators over two channels:
- Firebase Cloud Messaging (FCM): carries commands to the implant inside push messages, which blend in with the legitimate FCM traffic most chat apps generate
- HTTP: carries stolen data from the device to the command-and-control server
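The permission profile in "How It Works" (SMS, contacts, device information, files) and the FCM command channel above are both visible in an APK's manifest once it has been decoded to text, for example with apktool. The following triage helper is an added example written for this article; it is not Sophos tooling and does not come from the PJobRAT report. The two manifests it runs on are constructed for illustration (the package and component names are invented), and the check is deliberately a triage signal rather than a detector: legitimate messengers also request SMS and contact access and nearly all of them register an FCM receiver, so only the full combination is flagged.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# The four collection capabilities the article attributes to PJobRAT, mapped to
# the Android permissions an app must declare to obtain them.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
    "files": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
        "android.permission.READ_MEDIA_IMAGES",
        "android.permission.READ_MEDIA_VIDEO",
    },
}

# Intent action declared by a service that receives Firebase Cloud Messaging
# pushes. Normal for any chat app; it matters only alongside the full
# collection profile above.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(manifest_xml: str) -> dict:
    """Report which collection capabilities a decoded manifest requests,
    whether it registers an FCM receiver, and whether the combination
    warrants a closer look."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    groups = sorted(name for name, perms in CAPABILITIES.items() if requested & perms)
    has_fcm = any(el.get(ANDROID_NAME) == FCM_ACTION for el in root.iter("action"))
    has_internet = "android.permission.INTERNET" in requested
    # Flag only the combination: every collection group the article lists, a
    # push channel that can carry commands, and network access to exfiltrate.
    flag = len(groups) == len(CAPABILITIES) and has_fcm and has_internet
    return {
        "package": root.get("package"),
        "groups": groups,
        "fcm_receiver": has_fcm,
        "internet": has_internet,
        "flag": flag,
    }


# Constructed manifest standing in for a decoded sideloaded "chat" APK.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatlite">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="ChatLite">
        <service android:name=".PushService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest for a minimal messenger that needs only network and
# camera access; it registers FCM too but must not be flagged.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.simplechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="SimpleChat">
        <service android:name=".PushService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run against a real sample, the input would be the `AndroidManifest.xml` that apktool writes out, not the binary manifest inside the APK. Tune the flag threshold to your own population of sideloaded apps; the point of the helper is to surface the PJobRAT-style profile quickly, not to replace dynamic analysis.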
Attribution
PJobRAT has now targeted both Indian military personnel and users in Taiwan, a pattern that stands out in the current geopolitical climate. Attribution remains speculative: China or China-aligned groups have a history of comparable operations, which makes their involvement plausible, but the public reporting does not confirm who is behind the campaign.
Mitigation
- Install apps only from official stores; avoid sideloading from websites or from links shared in chats.
- Review permission requests before installing: a chat app that asks for SMS, contacts, phone state and storage access all at once deserves scrutiny.
- Use a mobile threat detection product.
- Treat unsolicited download links with suspicion.
Source: hxxps[://]news[.]sophos[.]com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/
