PJobRAT¶
PJobRAT is an Android RAT built for targeted espionage against military and government personnel. It was first documented in 2021, when it was deployed against Indian military targets through fake dating and messaging apps. The malware then went quiet until Sophos X-Ops published, in March 2025, its analysis of a retooled campaign that had run from January 2023 through October 2024, this time against users in Taiwan. The new variant dropped the WhatsApp-scraping module of the original and replaced it with a remote shell, expanding the operator's reach from a fixed set of collectors to arbitrary command execution on the victim device. PJobRAT uses a dual-channel C2 architecture: HTTP for data exfiltration and Firebase Cloud Messaging (FCM) for command dispatch.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2021 (India campaign); January 2023 (Taiwan campaign) |
| Last Seen | October 2024 (Taiwan campaign ceased) |
| Status | Inactive (latest campaign); likely retooling |
| Type | Remote Access Trojan, espionage |
| Attribution | Unknown, possibly state-aligned; original campaign suggested Chinese or Pakistani origin |
| Distribution | Fake messaging apps hosted on WordPress sites |
Origin and Lineage¶
PJobRAT has no known derivation from public RAT builders or leaked source code. The original 2021 variant targeted Indian military personnel through apps disguised as a dating platform (Trendbanter) and Signal clones. Cyble's initial analysis showed that the malware registered an accessibility service (declared with BIND_ACCESSIBILITY_SERVICE) and used it to read WhatsApp's on-screen UI, extracting contacts and messages without needing access to WhatsApp's protected database. The 2021 infrastructure and app lures pointed toward actors interested in Indian defense intelligence, with researchers suggesting Chinese or Pakistani origin.
The 2023-2024 Taiwan campaign represents a significant retooling. Sophos documented that the new variant removed the dedicated WhatsApp-stealing module entirely, replacing it with a general-purpose shell command capability. This shift from hardcoded data targets to flexible command execution reflects an operator prioritizing adaptability over specialized collection.
Unlike commodity RATs such as SpyNote that are openly sold and widely deployed, PJobRAT appears to be a private tool used in narrow, targeted campaigns with long operational windows.
Distribution¶
PJobRAT's Taiwan campaign distributed malware through fake instant messaging apps hosted on WordPress sites. The operator created convincing app listings rather than relying on Play Store infiltration or smishing at scale.
| Vector | Details |
|---|---|
| SangaalLite | Fake messaging app, name likely mimicking "SignalLite," hosted on WordPress sites |
| CChat | Impersonation of a legitimate chat app with the same name, also WordPress-hosted |
| WordPress infrastructure | Multiple WordPress sites served as download portals, earliest artifact from January 2023 |
Attack Flow¶
- Target discovers a WordPress-hosted page advertising SangaalLite or CChat as a messaging app
- Target downloads and installs the APK from the WordPress site
- The app requests extensive permissions including accessibility services, battery optimization exemption, and storage access
- PJobRAT begins collecting device metadata, contacts, SMS, call logs, and location data
- Collected data is exfiltrated to the C2 server over HTTP
- The operator sends shell commands via Firebase Cloud Messaging to execute arbitrary actions
- The operator can pull files (documents, images, audio, video), scrape screen content, or use the shell to reach data that the built-in collectors do not cover
The campaign ran for nearly two years (January 2023 to October 2024) before going silent. All identified victims were located in Taiwan.
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| Device metadata collection | Harvests device model, OS version, IMEI, carrier info, and installed apps |
| Contact exfiltration | Extracts the full contact list from the device |
| SMS theft | Reads and uploads all SMS messages |
| Call log access | Collects complete call history |
| Location tracking | Captures GPS coordinates |
| File exfiltration | Uploads documents (.doc, .pdf), images, audio, and video from device and external storage |
| Screen scraping | Abuses accessibility services to read on-screen content from any app |
| Remote shell | Executes arbitrary shell commands received via FCM |
| Background persistence | Requests battery optimization exemption to maintain continuous operation |
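The persistence row above describes a pair of grants (an enabled accessibility service plus a battery-optimization exemption) that a legitimate chat app rarely needs together. The script below, added here as an example and not PJobRAT or Sophos code, parses the text printed by three `adb shell` commands and lists third-party packages holding both. The three command outputs embedded in it are constructed samples, every package name in them is a placeholder, and the `type,package,uid` line format assumed for `dumpsys deviceidle whitelist` should be checked against your own device's output.

```python
"""On-device triage for the accessibility + battery-exemption pattern.

Added example, not malware-family code. Feed it the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys deviceidle whitelist
  adb shell pm list packages -3
The samples at the bottom are constructed; package names are placeholders.
"""


def parse_enabled_accessibility(value):
    """Map package -> enabled accessibility service classes.

    The setting is a colon-separated list of pkg/ServiceClass entries, or the
    literal string "null" when no service is enabled."""
    value = value.strip()
    if not value or value == "null":
        return {}
    services = {}
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


def parse_deviceidle_whitelist(dump):
    """Map package -> "system" or "user" for battery-optimization exemptions.

    Assumed line format `type,package,uid`; other lines are ignored."""
    exempt = {}
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] in ("system", "user"):
            exempt[parts[1]] = parts[0]
    return exempt


def parse_third_party(listing):
    """Set of packages from `pm list packages -3` (lines of `package:<name>`)."""
    return {line.split(":", 1)[1].strip()
            for line in listing.splitlines() if line.startswith("package:")}


def suspicious_packages(a11y, exempt, third_party):
    """Third-party packages with an enabled accessibility service AND a
    user-granted battery exemption: the pair PJobRAT asks the victim for."""
    return sorted(p for p in a11y
                  if exempt.get(p) == "user" and p in third_party)


def triage(accessibility_value, whitelist_dump, third_party_listing):
    a11y = parse_enabled_accessibility(accessibility_value)
    exempt = parse_deviceidle_whitelist(whitelist_dump)
    third = parse_third_party(third_party_listing)
    hits = suspicious_packages(a11y, exempt, third)
    return {p: {"services": a11y[p], "exemption": exempt[p]} for p in hits}


# Constructed command output for a device with one suspect app installed.
SAMPLE_ACCESSIBILITY = (
    "com.example.chatlite/com.example.chatlite.A11yService:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)
SAMPLE_WHITELIST = """system,com.android.vending,10037
system,com.google.android.gms,10013
user,com.whatsapp,10188
user,com.example.chatlite,10231
"""
SAMPLE_THIRD_PARTY = """package:com.whatsapp
package:com.example.chatlite
package:com.example.notes
"""

if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_ACCESSIBILITY, SAMPLE_WHITELIST,
                            SAMPLE_THIRD_PARTY).items():
        print(pkg, info)
```

On the sample device TalkBack has an accessibility service but is neither third-party nor exempt, and WhatsApp is exempt but has no accessibility service, so only the placeholder chat app is reported. A hit is a starting point, not a verdict: pull the APK (`adb shell pm path <pkg>`, then `adb pull`) and inspect its manifest and code before drawing conclusions.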
Dual-Channel C2¶
PJobRAT splits its C2 communication across two channels:
| Channel | Purpose |
|---|---|
| HTTP | Uploads stolen data (device info, SMS, contacts, files) to the C2 server |
| Firebase Cloud Messaging | Receives commands from the operator, including shell commands and exfiltration directives |
This separation keeps command traffic inside Google's legitimate FCM infrastructure, where it is indistinguishable at the network level from the push notifications every Android device already receives. Only the exfiltration leg, plain HTTP to attacker-controlled servers, is visible as anomalous traffic, so network detection has to focus on that side.
Evolution from 2021 to 2024¶
| Feature | 2021 Version | 2024 Version |
|---|---|---|
| WhatsApp theft | Dedicated module using accessibility service hooks | Removed; replaced by shell command capability |
| Shell commands | Not present | Full remote shell via FCM |
| Distribution | Third-party app stores, dating app lures | WordPress-hosted fake messaging apps |
| Target region | India (military personnel) | Taiwan |
| C2 channels | HTTP + FCM | HTTP + FCM (unchanged) |
The shell command addition is the most significant upgrade. It lets the operator pull WhatsApp databases (or any other app's data) on demand, attempt to root the device if a local privilege escalation is available, probe other hosts reachable from the device, and silently uninstall the malware once objectives are met, all without shipping a new build to the victim.
Technical Details¶
Permissions Abuse¶
PJobRAT declares a broad set of permissions in its manifest. On current Android versions the dangerous ones (contacts, SMS, call log, location, storage) are only granted when the victim accepts the runtime prompts, and the accessibility service must be switched on by hand in Settings, so the lure app has to look legitimate enough to justify each request:
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Declared on the malware's accessibility service (not requested via uses-permission); once the victim enables the service it can read content from any visible app |
| READ_CONTACTS, READ_SMS, READ_CALL_LOG | Data collection from contacts, messages, and call history |
| ACCESS_FINE_LOCATION | GPS tracking |
| READ_EXTERNAL_STORAGE | File access on device and SD card |
| REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Persistent background execution |
| CAMERA, RECORD_AUDIO | Media capture (present in permissions manifest) |
Firebase Cloud Messaging Integration¶
FCM serves as the command channel. The operator pushes commands to the infected device through Google's push infrastructure, which has two tactical advantages: the traffic blends with the push-notification traffic every Android device generates, and the operator does not have to keep a socket open to each victim, because Google Play services maintains the connection and delivers queued messages whenever the device comes online. The one prerequisite is that the implant report its FCM registration token to the operator, presumably over the same HTTP channel used for exfiltration; that step is an inference from how FCM works rather than a documented detail of the campaign.
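The permission table and the FCM description above together form a manifest-level profile that can be checked statically before any dynamic analysis. The script below is an added example, not PJobRAT code or Sophos tooling: it parses a decoded AndroidManifest.xml (as produced by apktool or androguard, which is assumed to have been run already), pulls out the collection permissions, the battery-optimization exemption, any service guarded by BIND_ACCESSIBILITY_SERVICE and any service registered for `com.google.firebase.MESSAGING_EVENT`, and scores the combination with arbitrary weights. Both manifests embedded in it are constructed, and their package and class names are placeholders.

```python
"""Static triage of a decoded AndroidManifest.xml for the PJobRAT-style
profile: collection permissions + battery exemption + accessibility service
+ FCM receiver. Added example; score weights are arbitrary, samples are
constructed, and nothing here is the malware's own code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}
PERSISTENCE_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
MEDIA_PERMS = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # in its android:permission attribute; it never appears in uses-permission.
    a11y = [_attr(s, "name") for s in root.iter("service")
            if _attr(s, "permission") == ACCESSIBILITY_PERM]
    # FCM messages are delivered to the service whose intent filter handles
    # MESSAGING_EVENT; that is where a push-driven command channel would land.
    fcm = [_attr(s, "name") for s in root.iter("service")
           if any(_attr(a, "name") == FCM_ACTION for a in s.iter("action"))]
    collection = sorted(requested & COLLECTION_PERMS)
    media = sorted(requested & MEDIA_PERMS)
    persistence = PERSISTENCE_PERM in requested
    score = (3 * bool(a11y) + 2 * persistence + len(collection)
             + bool(fcm) + len(media))
    return {
        "package": root.get("package"),
        "collection": collection,
        "media": media,
        "persistence": persistence,
        "accessibility_services": a11y,
        "fcm_services": fcm,
        "score": score,
        # A chat app legitimately wants contacts and an FCM receiver; the full
        # combination of accessibility + exemption + FCM + three or more
        # collection permissions is what warrants a closer look.
        "suspicious": bool(a11y and persistence and fcm and len(collection) >= 3),
    }


# Constructed manifest matching the profile in the table above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatlite">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="ChatLite">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app with push notifications.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Notes">
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(manifest)
        print(r["package"], "score", r["score"], "SUSPICIOUS" if r["suspicious"] else "ok")
```

The score is deliberately coarse: it separates the full PJobRAT-style bundle from a messaging app that merely wants contacts and push, but a real pipeline would also check the decoded code for `Runtime.exec` or `ProcessBuilder` use reachable from the FCM service, since the shell capability is what distinguishes the 2024 variant.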
Target Regions¶
| Region | Campaign | Details |
|---|---|---|
| India | 2021 | Military personnel targeted via fake dating and messaging apps |
| Taiwan | 2023-2024 | Users targeted via WordPress-hosted fake chat apps (SangaalLite, CChat) |
The shift from India to Taiwan suggests either a change in operator priorities or the tool being repurposed by a different group with different intelligence requirements.
Notable Campaigns¶
2021: PJobRAT is first identified by Cyble and 360 Core Security Lab targeting Indian military personnel. The malware hides inside fake dating apps (Trendbanter) and Signal clones distributed through third-party app stores. It uses accessibility services to steal WhatsApp conversations directly from the screen.
January 2023: A retooled PJobRAT variant appears on WordPress-hosted sites offering SangaalLite and CChat downloads. The campaign targets Taiwanese users with a new version that replaces WhatsApp-specific theft with general shell command execution.
October 2024: The Taiwan campaign goes silent. No new samples or active C2 infrastructure are detected after this point.
March 2025: Sophos X-Ops publishes the full analysis of the Taiwan campaign, detailing the dual-channel C2 architecture, shell command capabilities, and WordPress-based distribution.
Related Families¶
PJobRAT occupies a niche similar to other targeted espionage tools rather than the commodity banking trojan ecosystem. Its closest functional parallels are state-aligned surveillance families like Pegasus and Predator, though PJobRAT operates at a far lower level of sophistication, requiring social engineering for installation rather than exploit chains.
The use of accessibility services for data scraping mirrors techniques found across the Android malware landscape, from banking trojans like Hook and Octo to other RATs like SpyNote. The difference is intent: where banking trojans use accessibility to perform overlay attacks and credential theft, PJobRAT uses it purely for intelligence collection.
PJobRAT's FCM-based command channel is a pattern also seen in SpyNote and other Android RATs, where leveraging Google infrastructure for C2 provides both reliability and network-level stealth.