Indian Military Personnel Targeted by ‘PJobRAT’ Spyware Mimicking Dating Apps

  • An unknown actor is spreading fake dating apps on military forums, targeting Indian personnel.
  • The apps use the names “Trendbanter,” “HangOn,” “SignalLite,” “Rita,” and “Ponam,” but they’re all the same spyware.
  • The functions of PJobRAT include stealing images and video, SMS, contact lists, documents, GPS data, and more.

Researchers at the 360 Core Security Lab have analyzed a recent sample of PJobRAT, an Android spyware that has been around since at least December 2019. In its newest iterations, it is disguised as an Indian dating and instant messaging app under the name “Trendbanter.” In other cases, the actors imitate “HangOn,” “SignalLite,” “Rita,” and “Ponam.” According to the researchers, the current campaign, which targets mainly Indian military personnel, has been active since January 2021, so it has been running for several months already.

Source: blogs.360.cn

The spyware is distributed through third-party app stores rather than the Play Store, and it is promoted as a platform meant to bring single Indians living abroad together. The deception begins right after installation: the icon displayed on the device rarely matches the one shown in the store listing. Instead, the app takes on the icon and name of WhatsApp or another legitimate app so that it blends into the list of installed apps.

Function-wise, PJobRAT exfiltrates documents of the pdf, doc, docx, xls, xlsx, ppt, and pptx types, and it can also obtain private data from apps like WhatsApp, including conversation messages and contact lists.

Here is the complete list of the spyware’s functions:

  • Upload address book
  • Upload SMS
  • Upload audio files
  • Upload video files
  • Upload image files
  • Upload a list of installed apps
  • Upload a list of external storage files
  • Upload Wi-Fi information
  • Upload geographic location
  • Update phone number
  • Recording via the mic or camera

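The capability list above is what a reviewer would compare against an app's declared Android permissions during triage. The script below is an added example (not code from the 360 Core Security report or from this article): it maps each listed capability to the real Android permission names an app would need to declare, scores a manifest against that profile, and flags the label mismatch the article describes (an app installed under one name presenting itself as WhatsApp). The sample manifest, package name, and label are constructed for illustration. It assumes the manifest has already been decoded to plain XML (for example with apktool or androguard), since the manifest inside a real APK is binary-encoded.

```python
"""Triage a decoded AndroidManifest.xml against a PJobRAT-style capability profile.

Added example, not from the original article or report. Permission names are
real Android constants; the capability-to-permission mapping and the sample
manifest are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS
ANDROID_LABEL = "{%s}label" % ANDROID_NS

# Capability (from the article's list) -> permission(s) an app must declare to
# have it. Listing installed apps is omitted: it needed no permission before
# Android 11, so its absence from a manifest proves nothing.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "address book": {"android.permission.READ_CONTACTS"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "media and external storage files": {"android.permission.READ_EXTERNAL_STORAGE"},
    "Wi-Fi information": {"android.permission.ACCESS_WIFI_STATE"},
    "geographic location": {"android.permission.ACCESS_FINE_LOCATION",
                            "android.permission.ACCESS_COARSE_LOCATION"},
    "phone number": {"android.permission.READ_PHONE_STATE"},
    "microphone recording": {"android.permission.RECORD_AUDIO"},
    "camera recording": {"android.permission.CAMERA"},
}

# Constructed manifest: a "dating app" package declaring the full surveillance
# set and presenting itself to the user as WhatsApp.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trendbanter">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="WhatsApp" android:icon="@mipmap/ic_launcher">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")
            if el.get(ANDROID_NAME)}


def matched_capabilities(manifest_xml: str) -> List[str]:
    """Capabilities from the profile that the declared permissions would enable."""
    perms = declared_permissions(manifest_xml)
    return [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]


def label_mismatch(manifest_xml: str, store_name: str) -> Optional[bool]:
    """True if the user-visible label differs from the name the app was
    installed under. Returns None when the label is a resource reference
    (e.g. "@string/app_name") that cannot be resolved from the manifest alone."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(ANDROID_LABEL, "") if app is not None else ""
    if not label or label.startswith("@"):
        return None
    return label.strip().lower() != store_name.strip().lower()


def triage(manifest_xml: str, store_name: str) -> Dict[str, object]:
    """Summarize how closely the manifest matches the PJobRAT capability profile."""
    caps = matched_capabilities(manifest_xml)
    return {
        "capabilities": caps,
        "score": len(caps),
        "full_profile": len(caps) == len(CAPABILITY_PERMISSIONS),
        "label_mismatch": label_mismatch(manifest_xml, store_name),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, "Trendbanter"))
```

A full-profile match is a triage signal, not a verdict: a legitimate messenger can legitimately declare most of these permissions. What makes the combination suspicious in this case is the context the article gives, namely a dating app sideloaded from a third-party store that then presents a different name and icon than the one the user installed.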
No matter which app name and icon is used, the spyware remains the same in terms of its code and communicates with the same command-and-control infrastructure. Interestingly, the researchers found that the server which receives the exfiltrated data is publicly accessible, which points to careless operational security on the actors' part.

Source: blogs.360.cn

The 360 Core Security team cannot attribute this campaign to anyone with certainty. Still, considering that the actor's goal appears to be spying on Indian military personnel, the actors could plausibly be Chinese or Pakistani hackers, though that remains speculation.

Hooking army personnel through dating and IM apps is not unusual at all, as the approach appears to work very well in this context. Back in February 2020, we saw Hamas hackers deploy the same trick against Israeli soldiers, convincing them to voluntarily install powerful spyware on their phones, which then accessed the camera, GPS, SMS data, browser history, and even calendar entries.
