Hackers Target Indian Military with Spyware Loaded in Dating and Communication Apps

News Credit: Cyware

An active spyware campaign has been discovered that mainly targets Indian military personnel. The campaign has been active since January, and the spyware has been found embedded in dating and instant-messaging apps. According to researchers, the recent version of the PJobRAT spyware was first observed in December 2019.

What has happened?

Cyble and 360 Core Security Lab have recently detected the PJobRAT spyware and report that the samples are disguised as Android dating apps.

  • During their investigation, researchers found that this recent variant disguises itself as a dating app called Trendbanter, and also as the Signal app, targeting non-resident Indians.
  • In some cases, the spyware mimics other apps, such as HangOn, SignalLite, Rita, and Ponam, to fool unsuspecting users.
  • The attackers distributed the spyware through third-party app stores and other channels, including malicious URLs and SMS.
  • To blend into the app list, it imitates WhatsApp or another legitimate-looking app. Unusually, the icon of the installed app does not even match the one shown in the app store listing.

About PJobRAT

The researchers who detected the recent operation have not yet attributed it to any known hacker group. However, the specific nature of the targets hints at China- or Pakistan-based actors.

  • PJobRAT exfiltrates .pdf, .doc, .docx, .xls, .xlsx, .ppt, and .pptx files from infected devices. It also uploads address books, SMS messages, and audio, video, and image files.
  • Additionally, it uploads the list of installed apps, WiFi/GPS information, geographic location, external storage files, the phone number, WhatsApp contacts and messages, and recordings made with the microphone or camera.
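The two traits described above, an app whose label imitates a legitimate messenger but whose package name does not match, and a permission set broad enough to collect contacts, SMS, files, location, audio and camera, can be checked against a device's app inventory. The following triage script is an added example, not code from the researchers or from Cyware; the inventory format, the sample entries and the package name of the impersonator are constructed, and the known-good package map is an assumption a defender would maintain locally.

```python
# Added example: flag installed Android apps showing the impersonation and
# data-collection traits reported for PJobRAT. Sample inventory is constructed.
from dataclasses import dataclass, field

# Assumption: defender-maintained map of app label -> legitimate package names
# (WhatsApp and Signal entries are their official package names).
KNOWN_GOOD = {
    "WhatsApp": {"com.whatsapp"},
    "Signal": {"org.thoughtcrime.securesms"},
}

# Permissions that together cover the collection capabilities listed above.
COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

@dataclass
class App:
    label: str                       # name shown in the app list
    package: str                     # package id (e.g. from `pm list packages`)
    permissions: set = field(default_factory=set)

def triage(apps, perm_threshold=4):
    """Return {package: [reasons]} for apps that deserve a closer look."""
    findings = {}
    for app in apps:
        reasons = []
        good = KNOWN_GOOD.get(app.label)
        if good is not None and app.package not in good:
            reasons.append(f"label '{app.label}' but package is not {sorted(good)}")
        hits = app.permissions & COLLECTION_PERMS
        if len(hits) >= perm_threshold:
            reasons.append(f"{len(hits)} collection permissions: {sorted(hits)}")
        if reasons:
            findings[app.package] = reasons
    return findings

# Constructed inventory: the real WhatsApp, an impersonator (package name is
# made up for this example), and a benign app with a narrow permission set.
SAMPLE = [
    App("WhatsApp", "com.whatsapp", {"android.permission.READ_CONTACTS",
                                     "android.permission.CAMERA"}),
    App("WhatsApp", "com.constructed.impersonator",
        COLLECTION_PERMS | {"android.permission.INTERNET"}),
    App("Calculator", "com.constructed.calc", {"android.permission.INTERNET"}),
]
```

Running `triage(SAMPLE)` flags only the impersonator, with both a label/package mismatch and a broad collection permission set; an inventory can be built from `adb shell pm list packages` and `dumpsys package` output on a managed device.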

Conclusion

According to recent findings, the attackers behind this spyware are not sophisticated: the private servers on which they hold the exfiltrated data are publicly accessible. That does not change the fact that the campaign is still active and poses a danger to unsuspecting users.