PJobRAT Malware Campaign

March 28, 2025Red LakshmananSpying software / malicious software


A previously documented Android malware family has been linked to a new campaign that is likely aimed at users in Taiwan under the guise of chat applications.

“PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices,” Sophos security researcher Pankaj Kohli said in a Thursday analysis.

PJobRAT, first documented in 2021, has a track record of being used against Indian military-related targets. Subsequent iterations of the malware were discovered masquerading as dating and instant messaging apps to deceive prospective victims. It is known to have been active since at least the end of 2019.

In November 2021, Meta attributed the use of PJobRAT and Mayhem to a Pakistan-aligned threat actor dubbed SideCopy, believed to be a sub-cluster within Transparent Tribe, as part of highly targeted attacks aimed at people in Afghanistan, in particular those with ties to the government, military, and law enforcement agencies.


“This group created fictitious personas – typically young women – as romantic lures to build trust with potential targets and trick them into clicking on phishing links or downloading malicious chat applications,” Meta said at the time.

PJobRAT is equipped to harvest device metadata, contacts, text messages, call logs, location information, and media files on the device or on connected external storage. It is also able to abuse its accessibility permissions to scrape content on the device screen.

Telemetry data collected by Sophos shows that the latest campaign set its sights on Taiwanese Android users, using malicious apps named SangaalLite and CChat to activate the infection sequence. These are said to have been available for download from several WordPress sites, with the earliest artifact dating from January 2023.


According to the cybersecurity company, the campaign ended, or at least paused, in October 2024, meaning it had been in operation for almost two years. Even so, the number of infections was relatively small, indicating the targeted nature of the activity. The Android package names are listed below:

  • org.complexy.hard
  • com.happyho.app
  • sa.aangal.lite
  • net.over.simple

It is currently unknown how the victims were deceived into visiting these sites, though, if previous campaigns are any indication, it probably involved an element of social engineering. Once installed, the apps request intrusive permissions that allow them to collect data and run continuously in the background.

“The apps have a basic chat functionality built in, allowing users to register, log in, and chat with other users (so, theoretically, infected users could have messaged each other, if they knew each other’s user IDs),” Kohli said. “They also check the command-and-control (C2) servers for updates, allowing the threat actor to install malicious programs.”


Unlike previous versions of PJobRAT, which contained the ability to steal WhatsApp messages, the latest variant takes a different approach by including a new feature for running shell commands. This not only allows the attackers to likely siphon WhatsApp chats, but also gives them more control over infected phones.

Another update concerns the command-and-control (C2) mechanism: the malware now uses two different approaches, using HTTP to upload victim data and Firebase Cloud Messaging (FCM) to send shell commands as well as exfiltrate information.

“Although this particular campaign may be over, it is a good illustration that threat actors often retool and retarget after an initial campaign – making improvements to their malware and adjusting their approach – before striking again,” Kohli said.
