PJOBRAT malware campaign targets Taiwanese users via fake chat apps

March 28, 2025Ravi LakshmananSpyware/Malware

An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign targeting users in Taiwan under the guise of chat apps.

“PJOBRAT can steal SMS messages, phone contacts, device and app information, documents and media files from infected Android devices,” Sophos security researcher Pankaj Kohli said in an analysis Thursday.

First documented in 2021, PJOBRAT has a track record of being used against military-related targets in India. Subsequent iterations of the malware have posed as dating and instant messaging apps to deceive prospective victims. It is known to have been active since at least the second half of 2019.

In November 2021, Meta tied the use of PJOBRAT and Mayhem to a Pakistan-aligned threat actor thought to be a subcluster within Transparent Tribe, as part of highly targeted attacks directed at people in Afghanistan, particularly those with ties to the government, military, and law enforcement.

“The group created fictional personas (usually young women) as romantic lures to build trust with potential targets and get them to click on phishing links and download malicious chat applications,” Meta said at the time.

PJOBRAT is equipped to harvest device metadata, contact lists, text messages, call logs, location information, and media files on the device or connected external storage. It can also abuse its Accessibility Service permissions to scrape content on the device's screen.

Telemetry data collected by Sophos shows that the latest campaign set its sights on Android users in Taiwan, using malicious chat apps called Sangaallite and CCHAT to activate the infection sequence. These are said to have been available for download from multiple WordPress sites, with the earliest artifacts dating back to January 2023.

According to the cybersecurity company, the campaign ended or at least paused around October 2024. However, the number of infections was relatively small, suggesting that the activity was targeted. The Android package names are listed below:

  • org.complexy.hard
  • com.happyho.app
  • sa.aangal.lite
  • net.over.simple
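
A triage check a defender could run for a managed device, as an added example that is not from Sophos or the original article: it parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, flags the four package names above, and flags sideloaded third-party apps that own an enabled accessibility service. The function names, the trusted-installer set and the sample output are assumptions constructed for illustration.

```python
import re

# Package names listed in the article above.
PJOBRAT_PACKAGES = {"org.complexy.hard", "com.happyho.app",
                    "sa.aangal.lite", "net.over.simple"}
# Assumption: installers this triage treats as a trusted app store.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?$")

# Constructed sample output, not taken from a real device.
SAMPLE_PM = """package:com.example.notes  installer=com.android.vending
package:sa.aangal.lite  installer=null
package:com.example.reader  installer=null
"""
SAMPLE_A11Y = "com.example.reader/.ReaderService:com.vendor.screenreader/.Service"

def parse_packages(pm_output):
    """Map third-party package name -> installer (None when absent or 'null')."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) in (None, "null") else m.group(2)
    return pkgs

def accessibility_packages(setting_value):
    """Owners of enabled accessibility services ('pkg/class' joined by ':')."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, a11y_setting):
    """Return sorted (package, reason) findings for one device."""
    pkgs = parse_packages(pm_output)
    a11y = accessibility_packages(a11y_setting)
    findings = []
    for pkg in sorted(set(pkgs) | a11y):
        if pkg in PJOBRAT_PACKAGES:
            findings.append((pkg, "listed PJOBRAT package name"))
        elif pkg in a11y and pkg in pkgs and pkgs[pkg] not in TRUSTED_INSTALLERS:
            # Pre-installed services are absent from the -3 listing, so skipped.
            findings.append((pkg, "sideloaded app with accessibility service"))
    return findings

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(f"{pkg}: {reason}")
```

A clean result on the package names only rules out these four builds; the accessibility check is a heuristic and will also flag legitimate sideloaded tools.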

It is currently not known how victims were deceived into visiting these sites, but if the previous campaign is any indication, there could be a social engineering element. Once installed, the app collects data and requests intrusive permissions that allow it to run uninterrupted in the background.

“The app has built-in basic chat functionality so users can register, log in and chat with other users (in theory, if infected users knew each other’s user IDs, they could have sent messages to each other). They also check the Command and Control (C2) server for startup updates, allowing threat actors to install malware updates.”

Unlike previous versions of PJOBRAT, which had the ability to steal WhatsApp messages, the latest variant takes a different approach by incorporating a new feature to execute shell commands. This not only likely allows the attackers to siphon WhatsApp chats, but also gives them more powerful control over infected phones.

Another update concerns the command and control (C2) mechanism: the malware now uses two different approaches, HTTP to upload victim data and Firebase Cloud Messaging (FCM) to send shell commands and exfiltrate information.

“This particular campaign may be over, but it’s a good example of the fact that threat actors often return and retarget after the first campaign, improve malware, adjust their approach, and then strike again,” Kohli said.
