PJobRAT Malware Targets Users in Taiwan via Fake Apps

A new cyber-espionage campaign leveraging PJobRAT, an Android remote access trojan (RAT), has been uncovered by cybersecurity researchers.
The malware, which has previously targeted Indian military personnel, was recently found in a campaign aimed at users in Taiwan.
Disguised as an instant messaging app, PJobRAT was designed to steal sensitive information from infected devices.
Malware Distribution and Impact
Researchers at Sophos X-Ops identified the malware in fake applications called “SangaalLite” and “CChat,” which mimicked legitimate chat platforms. These apps were distributed via compromised WordPress sites rather than official app stores.
The earliest sample linked to this campaign dates back to January 2023, though the hosting domains were registered as early as April 2022. The most recent activity was observed in October 2024. While the campaign appears to have ended, it ran for at least 22 months.
Unlike previous versions of PJobRAT, which included WhatsApp message-stealing functionality, the latest iteration has shifted tactics. It now includes the ability to execute shell commands, which grants threat actors greater control over victims’ devices.
This enhancement enables attackers to steal data from any app, root the device, launch attacks on other systems and even uninstall the malware remotely once objectives are met.
Command-and-Control
The malware communicates with its command-and-control (C2) servers through two primary methods: Firebase Cloud Messaging (FCM) and HTTP.
By using FCM, a Google cloud-based service, the malware can blend its network traffic with legitimate Android communications, making detection more difficult.
The second method, HTTP, is used to exfiltrate stolen data, including SMS messages, contacts and media files.
Researchers traced the now-inactive C2 server to an IP address in Germany.
The malware accepts several commands from the C2 server, allowing threat actors to:
- Upload SMS messages, device information and files
- Retrieve lists of media files and documents
- Run shell commands
- Record and upload audio
Prevention and Mitigation
“While this particular campaign may be over, it’s a good illustration of the fact that threat actors will often retool and retarget after an initial campaign – making improvements to their malware and adjusting their approach – before striking again,” Sophos warned.
To mitigate such threats, Android users should avoid installing apps from untrusted sources and use mobile security software to detect malicious apps on their devices.
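As an added, constructed triage check (not from the article or from Sophos), the script below flags apps that were not installed from Google Play yet hold runtime permissions matching the capabilities listed above (SMS, contacts, audio, files). It parses the `package:<name>  installer=<installer>` lines of `adb shell pm list packages -i` and the `<permission>: granted=<bool>` lines that `adb shell dumpsys package <pkg>` prints under its runtime-permissions section (the fragment format is assumed and simplified here); all package names and grant data are constructed placeholders, not the real PJobRAT identifiers.

```python
import re
# Constructed sample of `adb shell pm list packages -i` output (not from the
# article); the package names are placeholders, not the real PJobRAT apps.
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.cchat  installer=null
package:com.example.sangaallite  installer=com.android.packageinstaller
"""

# Constructed fragments in the "<permission>: granted=<bool>" form that
# `adb shell dumpsys package <pkg>` prints under "runtime permissions:".
DUMPSYS = {
    "com.android.chrome": "android.permission.RECORD_AUDIO: granted=true\n",
    "com.example.cchat": (
        "android.permission.READ_SMS: granted=true\n"
        "android.permission.READ_CONTACTS: granted=true\n"
        "android.permission.RECORD_AUDIO: granted=true\n"
    ),
    "com.example.sangaallite": (
        "android.permission.READ_SMS: granted=true\n"
        "android.permission.READ_CONTACTS: granted=false\n"
    ),
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
# Runtime permissions matching the article's capability list: SMS upload,
# contact theft, media/file listing and audio recording.
RISKY = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
}

def parse_installers(pm_output):
    """Map package name -> installer; 'null' means sideloaded via ADB/unknown."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M))

def granted_permissions(dumpsys_text):
    """Permissions whose grant line reads granted=true."""
    pairs = re.findall(r"^(\S+): granted=(\w+)", dumpsys_text, re.M)
    return {perm for perm, state in pairs if state == "true"}

def triage(pm_output, dumpsys_by_pkg, min_risky=2):
    """Apps from an untrusted installer holding >= min_risky RISKY grants."""
    hits = {}
    for pkg, installer in parse_installers(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed apps are out of scope for this triage
        risky = granted_permissions(dumpsys_by_pkg.get(pkg, "")) & RISKY
        if len(risky) >= min_risky:
            hits[pkg] = sorted(risky)
    return hits
```

Run against a real device by piping the two adb outputs into the parsers; a hit is a starting point for review, not proof of compromise, since legitimate sideloaded messaging apps hold the same permissions.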