During our regular threat hunting exercises, Cyble researchers discovered that threat actors are employing new attack vectors to target users belonging to different sectors across the world. Based on a blog by 360 Core Security, we observed PJobRAT spyware samples disguised as genuine dating and instant-messaging apps.
Our research was in line with the findings of 360 Core Security, and we found the spyware disguising as a famous dating app for Non-resident Indians called Trendbanter and an instant messaging app called Signal. PJobRAT is a variant of spyware that disguises as a dating app or an instant messaging app. It collects information such as contacts, SMSes, and GPS data. This RAT family first appeared in December 2019. PJobRAT is named after the structure of its code, which involves functions called ‘startJob’ or ‘initJob’ that initiate the malicious activity.
Based on a post on Twitter, the Cyble Research team came to know of 8 associated samples of the variant.
Figure 1: Trendbanter App
The malicious apps were seen using legitimate-looking icons of the genuine Trendbanter and Signal apps.
Figure 2: Malware Impersonating as Trendbanter and Signal Apps
Upon further analysis, we found that PJobRAT is being displayed as a legitimate-looking WhatsApp icon on the device’s home screen. However, the settings page clearly reveals the Trendbanner icon of the PJobRAT spyware app.
Figure 3 PJobRAT Spyware App Tricks Users with WhatsApp Icon
Technical Analysis
All the associated samples of PJobRAT have dangerous permissions for spying on the victim’s device. The application collects personally identifiable information (PII) available in the victim’s device without the user’s knowledge and uploads the same to a C&C server. The malicious activity starts immediately after the user starts the application. As showcased in figure 3, the application uses icons of legitimate apps to hide itself from the home screen.
Dangerous Permissions
android.permission.READ_CONTACTS
android.permission.READ_SMS
android.permission.RECORD_AUDIO
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.GET_ACCOUNTS
android.permission.BIND_ACCESSIBILITY_SERVICE
The PJobRAT starts the malicious activity as soon as the user clicks on the application icon. The activity is initiated using initJobs function from the application subclass that gets executed when the application starts, as shown in Figure 4.
Figure 4: Jobs Initiated in Applications Subclass
The image below showcases the code through which sensitive PII is collected by the PJobRAT, along with the process initiated by the Android JobService.
Figure 5 Initiating Different Jobs to Collect PII data
The following image shows the code that harvests the victim’s Contact List information from the Address Book.
Figure 6 Contact List Collected from Address Book
As shown in Figure 7, the application collects selective documents with specific suffixes and uploads it to the C&C server.
Figure 7 Filters for Specific Document Format
The application also collects all the media files such as audio, video, and images available in the device, as shown in Figure 8.
Figure 8 Collect media files such as Audio, Video, and Images
PJobRAT also uses the BIND_ACCESSIBILITY_SERVICE to hook the Android window for reading the information associated with WhatsApp such as WhatsApp contacts and messages, as shown in Figure 9.
Figure 9 Reading and Collecting WhatsApp Data
Communication Details
Our research indicates that PJobRAT uses two modes of communication, Firebase Cloud Messaging (FCM) and HTTP. The application receives commands from Firebase, as shown in Figure 10.
Figure 10 Firebase Interaction to receive Commands
Figure 11 depicts the code with which the application uploads the collected data using HTTP to the C&C server.
Figure 11 Uploading the Data using HTTP
Retrofit is another library that is used by some of the samples of PJobRAT for uploading user data.
Figure 12 Retrofit for C&C server Communication
Our analysis shows that PJobRAT uploads the following information from the victim device to the C&C server:
- Contacts information
- SMSes
- Audio and video files
- List of installed applications
- List of external storage files
- Documents such as PDFs, Excel, and DOC files
- WiFi and GPS information
- WhatsApp contacts and messages
All of the analyzed samples have the same code format and communicate with the same C&C server URLs. The C&C URLs are mentioned in the below table.
PJobRAT C&C URLs
| # | Digest (SHA256) | Package name | Upload URL |
| 1 | 5c715ca910ffbd80189cffd2705a5346f40bc466458e0223191d56be5a417c7b | com.company.test | hxxp://144.91.65[.]101/senewteam2136/mainfiles/file_handler.php |
| 2 | e8f9b778b87cef1d767a77cb99401875ffdbcc85b345f31a4b4e1b7003218f3f | com.test.piclock | hxxp://144.91.65[.]101/senewteam2136/mainfiles/file_handler.php |
| 3 | 80baa403def61ad0c7ba712595a90a44049464341de0d880c57823dbe9d27c94 | si.test.hangonv4e | hxxp://gemtool.sytes[.]net:9863/shfppdlslfz_5699_hqp2o0o-3cMV/sjdf578hj_p-lm235_za0Oo-q/sjdf0oO2hq877pnzxii_iioOiupXxw[.]php |
| 4 | 04366d01542cba82787433d0d565c13b227a08fc6657bcb34269de48e452543a | dev.example.trendbanternew | hxxp://gemtool.sytes[.]net:9863/shfppdlslfz_5699_hqp2o0o-3cMV/sjdf578hj_p-lm235_za0Oo-q/sjdf0oO2hq877pnzxii_iioOiupXxw[.]php |
| 5 | 34021375c1720620093699fd98ca2a2856ef4c77f42ff5c8fb02ad194817a235 | org.company.hangonv3 | hxxp://gemtool.sytes[.]net:9863/shfppdlslfz_5699_hqp2o0o-3cMV/sjdf578hj_p-lm235_za0Oo-q/sjdf0oO2hq877pnzxii_iioOiupXxw[.]php |
| 6 | 41576737cd3d9f1e04ca0b7d49b412ecc935da78b2ea007c92b84d85012b011e | com.company.hangon | hxxp://gemtool.sytes[.]net:9863/shfppdlslfz_5699_hqp2o0o-3cMV/sjdf578hj_p-lm235_za0Oo-q/sjdf0oO2hq877pnzxii_iioOiupXxw[.]php |
| 7 | c9db17ede3177c6fd13fa90259733dbca9be8fbd43f0059efd6ec35acbda2b48 | si.test.hangonv4e | hxxp://gemtool.sytes[.]net:9863/shfppdlslfz_5699_hqp2o0o-3cMV/sjdf578hj_p-lm235_za0Oo-q/sjdf0oO2hq877pnzxii_iioOiupXxw[.]php |
| 8 | f491e27644a85915a1f92314c20e9fc63337a019f9463d34df262699d0a8a7ee | com.simple.ppapp | hxxps://helloworld.bounceme.net/axbxcxdx123/test[.]php |
Based on speculations by 360 Core Security, the PJobRAT spyware is allegedly targeting military professionals using dating apps and instant messaging apps. In the past, military personnel have been victims of social engineering campaigns launched by crafty cybercriminals. In addition, as a result of the latest privacy policy update by WhatsApp, the use of the Signal app has increased in India. We suspect that the threat actor has leveraged this situation as an opportunity to deliver malicious applications. The Cyble research team is actively monitoring this campaign and any activity around PJobRAT spyware.
Safety Recommendations:
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from trusted sites.
- Verify the privileges and permissions requested by apps before granting them access.
- People concerned about the exposure of their stolen credentials in the dark web can register at AmiBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques- for Mobile
| Tactic | Technique ID | Technique Name |
| Defense Evasion | T1406, T1418 | Obfuscated Files or Information Application Discovery |
| Credential Access | T1412, T1409 | Capture SMS Messages Access Stored Application Data |
| Collection | T1429, T1507, T1432, T1430, T1412, T1409 | Capture Audio Network Information Discovery Access Contact List Location Tracking Capture SMS Messages Access Stored Application Data |
| Command and Control | T1573, T1571 | Encrypted Channel Non-Standard Port |
| Discovery | T1421, T1418, T1426, T1424 | System Network Connections Discovery Application Discovery System Information Discovery Process Discovery |
| Impact | T1447 | Delete Device Data Carrier Billing Fraud |
Indicators of Compromise (IoCs):
| IOCs | IOC type |
| 5c715ca910ffbd80189cffd2705a5346f40bc466458e0223191d56be5a417c7b | SHA256 |
| e8f9b778b87cef1d767a77cb99401875ffdbcc85b345f31a4b4e1b7003218f3f | SHA256 |
| 80baa403def61ad0c7ba712595a90a44049464341de0d880c57823dbe9d27c94 | SHA256 |
| 04366d01542cba82787433d0d565c13b227a08fc6657bcb34269de48e452543a | SHA256 |
| 34021375c1720620093699fd98ca2a2856ef4c77f42ff5c8fb02ad194817a235 | SHA256 |
| 41576737cd3d9f1e04ca0b7d49b412ecc935da78b2ea007c92b84d85012b011e | SHA256 |
| c9db17ede3177c6fd13fa90259733dbca9be8fbd43f0059efd6ec35acbda2b48 | SHA256 |
| f491e27644a85915a1f92314c20e9fc63337a019f9463d34df262699d0a8a7ee | SHA256 |
| hxxp://144.91.65[.]101/senewteam2136/ | Interesting URL |
| hxxps://helloworld.bounceme[.]net/axbxcxdx123/ | Interesting URL |
| hxxp://gemtool.sytes[.]net:9863/shfppdlslfz_5699_hqp2o0o-3cMV/sjdf578hj_p-lm235_za0Oo-q/ | Interesting URL |
| 144.91.65[.]101 | Suspicious IP |
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
Comments are closed.