Hackers target Taiwan with malware delivered via fake messaging apps

Hackers have been targeting users in Taiwan with PJobRAT malware delivered through malicious instant messaging apps, according to new research.

The malicious apps — SangaalLite and CChat — were designed to mimic legitimate platforms, according to a report published Thursday by cybersecurity firm Sophos. The apps were available for download on multiple WordPress sites, which have since been taken offline. Researchers believe the campaign has now ended or is on pause, as no recent activity has been observed.

PJobRAT, an Android remote access trojan first identified in 2019, has previously been used to steal SMS messages, contacts, device information, documents and media files. In 2021, the malware was linked to attacks on Indian military personnel via fake dating and messaging apps.

The latest cyber-espionage campaign targeting users in Taiwan ran for nearly two years, but affected only a limited number of users. Researchers said the threat actors likely focused on targeting specific individuals.

Unlike earlier versions, the latest PJobRAT malware does not include built-in functionality to steal WhatsApp messages. However, it gives attackers greater control over infected devices, allowing them to steal data from various applications, use compromised devices to infiltrate networks and even remove the malware once they achieve their goal.

It is unclear how the threat actors behind PJobRAT distributed the malicious apps in the latest campaign. Previously, they used third-party app stores, phishing pages hosted on compromised sites, shortened links to obscure final destinations, and fake personas to deceive victims. 

Once installed, the apps request extensive permissions, including disabling battery optimization to ensure they run continuously in the background. They feature basic chat functionalities, allowing users to register and communicate with one another.

While the latest campaign appears to be over, “it’s a good illustration of the fact that threat actors will often retool and retarget after an initial campaign — making improvements to their malware and adjusting their approach — before striking again,” Sophos researchers said.