- Sophos researchers found a new variant of PJobRAT
- Android RAT now targets Taiwanese users
- The RAT can run shell commands and exfiltrate data
PJobRAT, an Android Remote Access Trojan (RAT) which disappeared roughly six years ago, has made a rather quiet comeback, targeting users with some arguably more dangerous functionalities.
Cybersecurity researchers from Sophos’ X-Ops security team discovered new samples in the wild, noting the 2019 PJobRAT could steal SMS messages, phone contacts, device and app information, documents, and media files, from infected Android devices.
The new variant can also run shell commands: “This vastly increases the capabilities of the malware, allowing the threat actor much greater control over the victims’ mobile devices,” Sophos explains. “It may allow them to steal data – including WhatsApp data – from any app on the device, root the device itself, use the victim’s device to target and penetrate other systems on the network, and even silently remove the malware once their objectives have been completed.”
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)
Inactive campaign
The 2019 variant was mostly targeting Indian military personnel, by spoofing different dating and instant messaging apps.
The new variant seems to have ditched the dating angle, and focuses exclusively on being an instant messaging app.
In fact, Sophos says that the apps actually work, and that the victims, if they knew each other’s IDs, could even communicate to one another.
Speaking of the victims, the attackers no longer target Indians, and have instead switched to the Taiwanese.
Some of the apps found in the wild are called ‘SangaalLite’ (possibly a typosquatted version of ‘SignalLite’, an app used in the 2021 campaigns) and CChat (spoofing a legitimate app of the same name).
The apps were being distributed through WordPress sites, Sophos said, suggesting that they cannot be found on popular app stores. The sites have since been shut down, meaning that the campaign is probably completed, but the researchers reported them to WordPress anyway.
“This campaign was therefore running for at least 22 months, and perhaps for as long as two and a half years,” it was sad. However, it doesn’t seem to have been a large, or successful campaign, since the general public wasn’t the target.
Edit, April 8 - A Google spokesperson reached out to TechRadar Pro to confirm that there are no traces of this malware on the Google Play Store:
“Based on our current detection, no apps containing this malware are found on Google Play," they told us. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
You might also like
- Devious new Android malware uses a Microsoft tool to avoid being spotted
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
