Threat actors are constantly using new tricks and tactics to target users across the globe. This blog is about the spyware PJobRAT targeting Indian users by disguising as dating and instant messaging apps. The initial vector information was found on Twitter.  This RAT disguises as famous Indian dating applications like Trendbanter, Rita, Ponam and instant messaging applications like SignalLite and HangOn.

Let us analyse one of the famous dating application “Trendbanter”.

Figure 1: Trendbanter App

Once installed the “Trendbanter” APK disguises as a legitimate WhatsApp app icon in the app drawer to trick the user to open the app, however the app’s internal appinfo shows the original app name, “TrendbanterNew”as shown in Figure 2.

Figure 2: Fake WhatsApp Icon created by Trendbanter

It then proceeds to set “android:debuggable=true” from the AndroidManifest.xml, which makes it easier for the threat actor to access the application data and can even run arbitrary code under that application permission. as shown in Figure 3.

Figure 3: Debuggable app permission from AndroidManifest.xml

Upon execution, the installed app’s device gets registered with Firebase C&C with the following details such as ipaddr, rip (remote ip), manufacturer’s name, phone model, OS version, IMEI, phone number and location information as shown in Figure 4.

Figure 4: Register Device Details with Firebase C&C

PJobRAT then proceeds to abuse the Android Accessibility Service to steal WhatsApp messages and contacts as shown in Figure 5.

Figure 5: Steals data from WhatsApp
Figure 6: Steals contact Information

PJobRAT uses two modes of communication.

Mode 1

To establish a C&C channel this malware uses the Firebase Cloud Messaging (FCM) which is a mobile application development platform that allows threat actors to send instructions from the server to the client using the PUSH message function. This allows the threat actor to trigger and execute RAT commands by PUSH notification.

Figure 7: Firebase Cloud Message Communication 

The C&C commands list is as shown in Figure 8.

Figure 8: RAT commands

Mode 2

Else, this Trojan then uploads harvested files to the remote server via a HTTP request.

Figure 9: Uploading the collected information to the server

This RAT also searches for the files having the extensions  .pdf,  .doc,  .docx,  .xls,  .xlsx,  .ppt,  .pptx, to upload to the C&C Server as shown in Figure 10.

Figure 10: Uploading files to C&C server

Also collects the following information from the victims’ device and uploads it to the server:

Address book
Audio files
Image files
List of available files in external storage
List of installed Apps
Phone number
SMS information
Video files
WIFI and Geo information

At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Keep your security product and devices updated and patched for the latest vulnerabilities.

Indicators of Compromise (IoCs)

Package NameHashK7 Detection Name
dev.example.trendbanternew7bef7a2a6ba1b2aceb84ff3adb5db8b3Trojan ( 0001140e1 )
si.test.hangonv4ea53c74fa923edce0fa5919d11f945bccTrojan ( 0057e1961 ) ( 0057d96f1 )
si.test.hangonv4e4ce92da8928a8d1d72289d126a9fe2f4Spyware ( 0057d96f1 ) ( 0057d96f1 )
com.simple.ppapp807668ed4b3bd090a3b5fb57e742be0dTrojan ( 0001140e1 ) ( 0057d96f1 )
com.test.piclock02998ab92e880db2a1ddbc98f448d828Trojan ( 0001140e1 )






Defense EvasionApplication DiscoveryObfuscated Files or Information
Credential AccessCapture SMS MessagesAccess Stored Application Data
DiscoverySystem Network Connections DiscoverLocation TrackingApplication DiscoverySystem Information DiscoveryProcess Discovery
CollectionLocation TrackingCapture AudioNetwork Information DiscoveryCapture SMS MessagesAccess Stored Application Data
Command and ControlEncrypted ChannelNon-Standard Port
Network EffectsEavesdrop on Insecure Network Communication

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “PJobRAT – Spyware in Guise”