{
	"id": "4c83ca9a-72c8-47e0-86b4-08aebe0e81b7",
	"created_at": "2026-04-06T00:11:27.399043Z",
	"updated_at": "2026-04-10T13:12:41.37603Z",
	"deleted_at": null,
	"sha1_hash": "66dc3663819e2735efef5d70bdb563192c7a8eb4",
	"title": "PJobRAT – Spyware in Guise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1203082,
	"plain_text": "PJobRAT – Spyware in Guise\r\nPublished: 2021-07-12 · Archived: 2026-04-05 21:21:35 UTC\r\nThreat actors are constantly using new tricks and tactics to target users across the globe. This blog is about the\r\nspyware PJobRAT, which targets Indian users by disguising itself as dating and instant messaging apps. The initial\r\nvector information was found on Twitter. This RAT disguises itself as famous Indian dating applications like\r\nTrendbanter, Rita and Ponam, and instant messaging applications like SignalLite and HangOn.\r\nLet us analyse one of the famous dating applications, “Trendbanter”.\r\nFigure 1: Trendbanter App\r\nOnce installed, the “Trendbanter” APK disguises itself with a legitimate WhatsApp app icon in the app drawer to trick the\r\nuser into opening the app; however, the app’s internal appinfo shows the original app name, “TrendbanterNew”, as\r\nshown in Figure 2.\r\nhttps://labs.k7computing.com/?p=22537\r\nPage 1 of 8\n\nFigure 2: Fake WhatsApp Icon created by Trendbanter\r\nThe app sets “android:debuggable=true” in its AndroidManifest.xml, which makes it easier for the\r\nthreat actor to access the application data and even run arbitrary code under that application’s permissions, as\r\nshown in Figure 3.\r\nFigure 3: Debuggable app permission from AndroidManifest.xml\r\nUpon execution, the app registers the device with the Firebase C\u0026C, sending details such as\r\nipaddr, rip (remote ip), manufacturer’s name, phone model, OS version, IMEI, phone number and location\r\ninformation, as shown in Figure 4.\r\nFigure 4: Register Device Details with Firebase C\u0026C\r\nPJobRAT then proceeds to abuse the Android Accessibility Service to steal WhatsApp messages and contacts as\r\nshown in Figure 5.\r\nFigure 5: Steals data from WhatsApp\r\nFigure 6: Steals contact Information\r\nPJobRAT uses two modes of communication.\r\nMode 1\r\nTo establish a C\u0026C channel, this malware uses Firebase Cloud Messaging (FCM), a mobile\r\napplication development platform that allows threat actors to send instructions from the server to the client using\r\nthe PUSH message function. This allows the threat actor to trigger and execute RAT commands by PUSH\r\nnotification.\r\nFigure 7: Firebase Cloud Message Communication\r\nThe list of C\u0026C commands is shown in Figure 8.\r\nFigure 8: RAT commands\r\nMode 2\r\nOtherwise, the Trojan uploads harvested files to the remote server via an HTTP request.\r\nFigure 9: Uploading the collected information to the server\r\nThis RAT also searches for files with the extensions .pdf, .doc, .docx, .xls, .xlsx, .ppt and .pptx to upload to\r\nthe C\u0026C server, as shown in Figure 10.\r\nFigure 10: Uploading files to C\u0026C server\r\nIt also collects the following information from the victim’s device and uploads it to the server:\r\nAddress book\r\nAudio files\r\nImage files\r\nList of available files in external storage\r\nList of installed Apps\r\nPhone number\r\nSMS information\r\nVideo files\r\nWIFI and Geo information\r\nAt K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a\r\nreputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Keep\r\nyour security product and devices updated and patched for the latest vulnerabilities.\r\nIndicators of Compromise (IoCs)\r\nPackage Name | Hash | K7 Detection Name\r\ndev.example.trendbanternew | 7bef7a2a6ba1b2aceb84ff3adb5db8b3 | Trojan ( 0001140e1 )\r\nsi.test.hangonv4e | a53c74fa923edce0fa5919d11f945bcc | Trojan ( 0057e1961 )\r\ncom.company.hangon | 9fd4b37cbaf0d44795319977118d439d | Spyware ( 0057d96f1 )\r\nsi.test.hangonv4e | 4ce92da8928a8d1d72289d126a9fe2f4 | Spyware ( 0057d96f1 )\r\ncom.company.test | 44cd76e590a1c8f0b8a2091884d9f699 | Spyware ( 0057d96f1 )\r\ncom.simple.ppapp | 807668ed4b3bd090a3b5fb57e742be0d | Trojan ( 0001140e1 )\r\norg.company.hangonv3 | 794b7c523bdf3dc38689209e1abb6dbc | Spyware ( 0057d96f1 )\r\ncom.test.piclock | 02998ab92e880db2a1ddbc98f448d828 | Trojan ( 0001140e1 )\r\nC2\r\nhxxp://gemtool.sytes[.net:9863\r\nhxxps://helloworld[.bounceme.net\r\nhxxp://144.[91.65[.101\r\nMITRE ATT\u0026CK\r\nTactics | Techniques\r\nDefense Evasion | Application Discovery, Obfuscated Files or Information\r\nCredential Access | Capture SMS Messages, Access Stored Application Data\r\nDiscovery | System Network Connections Discovery, Location Tracking, Application Discovery, System Information Discovery, Process Discovery\r\nCollection | Location Tracking, Capture Audio, Network Information Discovery, Capture SMS Messages, Access Stored Application Data\r\nCommand and Control | Encrypted Channel, Non-Standard Port\r\nNetwork Effects | Eavesdrop on Insecure Network Communication\r\nSource: https://labs.k7computing.com/?p=22537",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/?p=22537"
	],
	"report_names": [
		"?p=22537"
	],
	"threat_actors": [],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66dc3663819e2735efef5d70bdb563192c7a8eb4.pdf",
		"text": "https://archive.orkl.eu/66dc3663819e2735efef5d70bdb563192c7a8eb4.txt",
		"img": "https://archive.orkl.eu/66dc3663819e2735efef5d70bdb563192c7a8eb4.jpg"
	}
}