Fake Chat Apps: Malware That Targeted Indian Military Personnel Returns, Mimicking Messaging Platforms

A malware that impersonated different instant messaging and dating apps in order to target Indian military personnel in 2021 has apparently resurfaced and seems to be targeting users by faking as chat apps in a new campaign.

PJobRAT, an Android RAT (remote access trojan) that was initially discovered in 2019, has been identified by cybersecurity company Sophos masquerading as instant messaging apps in the most recent campaign. Sophos said that PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices.

Notably, RATs are malware made to give an attacker remote control over a compromised system. The attacker can send commands to the RAT and get data back once it is operating on a compromised system. 

Among the fake apps identified were “SangaalLite,” which might be mimicking “SignalLite,” an app that was used in the 2021 malware campaign. Another is “CChat,” which was a spoof of a genuine app of the same name that was previously available on Google Play.

The applications could be downloaded from a number of WordPress websites. Although the domains hosting the malware were registered as early as April 2022, the earliest sample was first observed in January 2023, and the most recent was from October 2024. 

The malware campaign lasted for at least 22 months, and now appears to be over since there has been no recent activity, Sophos said. So far, the campaign had mostly targeted users in Taiwan.

Threat actors who ran earlier PJobRAT attacks employed various tactics, including shortened links to conceal final URLs, phony personae to trick users into clicking on links or downloading the disguised apps, third-party app stores, compromised websites to host phishing pages, and even links to the malicious apps on military forums.

While the earlier campaign carried out WhatsApp message theft, the recent version enables shell commands to be run. This significantly expands the malware’s capabilities and gives the threat actor far more influence over the victims’ mobile devices.

According to Sophos, this may allow attackers to steal data—including WhatsApp data—from any app on the device, root the device itself, use the victim’s device to infiltrate other systems on the network, and even quietly delete the malware after their goals have been met.

While this campaign may be over, it serves as an example of how threat actors frequently retool and retarget following an initial campaign, improving their malware and changing their strategy before launching another attack.

Sophos advised Android users to refrain from installing apps from links in emails, texts, or any unreliable communication, and utilise a mobile threat detection app to protect themselves from such dangers.