Skip to content

Android malware family caught snooping on Taiwanese users as fake chat app

  • by
  • 2 min read

Illustration: Suttipun | Shutterstock

The Android malware family dubbed PJobRAT has been linked to a campaign aimed at Taiwanese users who use fake chat apps as the infection vector. PJobRAT was first documented in 2021 and is known to have been active since at least 2019.

Telemetry data gathered by the security firm Sophos shows that PJobRAT’s latest campaign uses chat apps named SangaalLite and CChat. These apps have been available for download from multiple WordPress sites, with the earliest samples going back to January 2023. Sophos claims that the campaign stopped, or at least paused, in October 2024 after being operational for nearly two years.

The malware can steal SMS messages, phone contacts, device and app information, documents, media files, call logs, location data, and more from targeted Android devices. It can also abuse Android accessibility service permissions to gain access to the content on the device’s screen, scraping banking passwords and any other sensitive information.

This is an image of pjobrat malware app
Screenshots from the interface of SangaalLite. | Source: Sophos

There’s little information on how the victims were tricked into downloading the malicious apps. However, previous malware campaigns used social engineering as the primary delivery mechanism. Once installed on the victim’s phone, the apps request permissions for almost every aspect, letting them collect data and run in the background.

The apps have basic chat functionality, letting users register, log in, and chat. They also check for startup command-and-control (C2) server updates, allowing the threat actor to install any malware updates if available. The C2 mechanism has also been updated for this campaign. The malware now uses HTTP to upload victim data and Firebase Cloud Messaging to send shell commands and extract data. Shell commands are one of the biggest new features of the new campaign. This lets attackers take greater control over the infected devices while still maintaining the old feature set.

PJobRAT has previously targeted Indian military personnel. Several iterations of the malware have also been discovered impersonating dating and messaging apps to trick victims into installing it.

In the News: Mozilla patches critical Firefox vulnerability similar to Chrome zero-day

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

Related Reads

This is an image of dark web hacker security

Security flaw in Dahua CCTVs allows remote access

This is an image of python windows featured

Hackers are targeting Python developers with fake PyPI sites

This is an image of apple featured 2323424823

Apple patches Safari bug; Already exploited in Chrome

This is an image of dark web hacker security

Vibe coding platform breach exposes corporate apps

This is an image of dark web hacker security

Fake apps are stealing data blackmailing users on Asian mobile networks

This is an image of ransomware 32988sd

FBI collects dues from Chaos ransomware gang; $2.4 million in crypto seized

>