- Sophos researchers found a new variant of PJobRAT
- The Android RAT now targets Taiwanese users
- The RAT can execute shell commands and exfiltrate data
PJobRAT, an Android remote access Trojan (RAT) that disappeared about six years ago, has made a fairly quiet return, targeting users with what are no doubt more dangerous features.
Cybersecurity researchers from the Sophos X-Ops security team have discovered new samples in the wild, noting that the 2019 version of PJobRAT could steal SMS messages, phone contacts, device and application information, documents and multimedia files from infected Android devices.
The new variant can also execute shell commands: “This considerably increases the capacities of the malware, allowing the threat actor a much more important control over the mobile devices of the victims,” explains Sophos. “This can allow them to steal data – including WhatsApp data – from any application on the device, root the device itself, use the victim’s device to target and penetrate other systems on the network, and even silently delete malware once their objectives are reached.”
Inactive campaign
The 2019 variant mainly targeted Indian military personnel by impersonating various dating and instant messaging applications.
The new variant seems to have abandoned the dating angle and focuses exclusively on posing as an instant messaging application.
In fact, Sophos says that the applications actually work and that victims, if they knew each other's user IDs, could even communicate.
As for the victims, the attackers no longer target Indian users and have instead moved on to Taiwanese users.
Some of the applications found in the wild are called “Sangallitis” (perhaps a typosquatted version of “SignalLite”, an application used in the 2021 campaigns) and Chat (impersonating a legitimate application of the same name).
The applications were distributed via WordPress sites, said Sophos, suggesting that they cannot be found in popular app stores. The sites have since been closed, which means that the campaign is probably over, but the researchers have nevertheless reported them to WordPress.
“So this campaign took place for at least 22 months, and perhaps as long as two and a half years,” Sophos said. However, this does not seem to have been a major or successful campaign, because the general public was not the target.




