Description: Cybersecurity research reveals a new Android malware named Wpeeper that uses compromised WordPress sites as relays for command-and-control (C2) servers to evade detection.
United States - Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers in order to evade detection.
This sophisticated malware, known as Wpeeper, operates through a multi-tier architecture that cleverly hides its true C2 infrastructure.
The Wpeeper Malware
The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. According to researchers from the QiAnXin XLab team, Wpeeper functions as a typical backdoor Trojan for Android systems.
It supports various malicious activities such as collecting sensitive device information, managing files and directories, and executing remote commands.
"Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands," the QiAnXin XLab team noted.
The ELF binary is embedded within a repackaged application that pretends to be the UPtodown App Store app for Android (package name "com.uptodown"). This APK file serves as a delivery mechanism for the backdoor, making it difficult to detect.
Repackaged Applications and Detection Evasion
The discovery of Wpeeper came after the QiAnXin XLab team detected an artifact with zero detection on VirusTotal on April 18, 2024. Remarkably, the malware campaign was abruptly terminated just four days later.
The use of the Uptodown App Store app in this context reveals a strategy to exploit a legitimate third-party app marketplace, deceiving users into installing the malicious software.
According to data on Android-apk.org, the trojanized version of the app (version 5.92) has been downloaded 2,609 times to date. This approach underscores the malware's strategy of leveraging trusted app marketplaces to increase its reach and impact.
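A repackaged app keeps the legitimate package name ("com.uptodown" here) but cannot keep the original publisher's signing certificate, and it has to carry its payload somewhere in the archive. The following is an added example, not code from the article or from QiAnXin XLab, of a triage check a defender can run on an APK: it compares the signer block against a known-good fingerprint and lists ELF binaries stored outside the normal lib/ tree. The APK, the signer blob, the reference fingerprint and the assets/ location of the hidden ELF are all constructed for the demo; the article does not say where Wpeeper's ELF sits inside the repackaged app.

```python
"""APK triage for repackaging indicators (added example, constructed data)."""
import hashlib
import io
import zipfile

ELF_MAGIC = b"\x7fELF"


def build_sample_apk(with_hidden_elf: bool) -> bytes:
    """Construct a minimal APK-shaped zip for the demo (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        # A native library where one is expected: not suspicious on its own.
        z.writestr("lib/arm64-v8a/libnative.so", ELF_MAGIC + b"\x00" * 32)
        if with_hidden_elf:
            # An ELF hidden under assets/ stands in for an embedded payload.
            z.writestr("assets/update.bin", ELF_MAGIC + b"\x00" * 32)
        # Constructed signer block; a real APK holds a PKCS#7 blob here.
        z.writestr("META-INF/CERT.RSA", b"constructed-signer-blob")
    return buf.getvalue()


def triage_apk(apk_bytes: bytes, expected_signer_sha256: str) -> dict:
    """Return repackaging indicators found in an APK.

    signer_mismatch: True when the signer block's SHA-256 differs from the
                     known-good value (None if no signer block was found).
    elf_outside_lib: entries with an ELF header outside lib/<abi>/.
    """
    findings = {"signer_mismatch": None, "elf_outside_lib": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                digest = hashlib.sha256(z.read(name)).hexdigest()
                findings["signer_mismatch"] = digest != expected_signer_sha256
            elif not name.startswith("lib/"):
                with z.open(name) as entry:
                    if entry.read(4) == ELF_MAGIC:
                        findings["elf_outside_lib"].append(name)
    return findings


# Placeholder reference fingerprint: the hash of the constructed signer blob,
# standing in for the real publisher's certificate hash (not Uptodown's).
KNOWN_GOOD_SIGNER = hashlib.sha256(b"constructed-signer-blob").hexdigest()

if __name__ == "__main__":
    print("clean:", triage_apk(build_sample_apk(False), KNOWN_GOOD_SIGNER))
    print("repackaged:", triage_apk(build_sample_apk(True), "0" * 64))
```

Hashing the raw signer file is a simplification; in practice the comparison is made on the certificate fingerprint reported by apksigner, but the principle is the same: a package name can be copied, a signing key cannot.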
How Wpeeper Operates
Wpeeper relies on a multi-tier C2 architecture that utilizes compromised WordPress sites as intermediaries to obscure its true C2 servers. Researchers have identified up to 45 C2 servers associated with this infrastructure, with nine hard-coded into the malware samples.
These hard-coded servers act as C2 redirectors, forwarding the bot's requests to the actual C2 servers, thereby shielding the real C2 infrastructure from detection.
"These [hard-coded servers] are not C2s but C2 redirectors -- their role is to forward the bot's requests to the real C2, aimed at shielding the actual C2 from detection," the researchers explained.
The researchers reason that some of the hard-coded servers may be directly controlled by the attackers, since relying only on compromised WordPress sites would risk losing access to the botnet if the site administrators noticed the compromise and cleaned up.
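From the network's point of view, a bot with a hard-coded redirector list looks like a device polling a small, fixed set of hosts at regular intervals, whatever the real C2 behind them is. The following is an added example, not code from the article or from QiAnXin XLab, of a beaconing detector over outbound connection records: it flags devices whose connections go to few hosts with low interval jitter. The log records and hostnames are constructed; they are not indicators from the report.

```python
"""Beaconing detection over outbound HTTPS connection records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (epoch seconds, device id, destination host).
# dev-A polls three relay hosts every 300 s; dev-B browses normally.
SAMPLE_LOG = [
    (1000, "dev-A", "relay1.example"),
    (1300, "dev-A", "relay2.example"),
    (1600, "dev-A", "relay1.example"),
    (1900, "dev-A", "relay3.example"),
    (2200, "dev-A", "relay2.example"),
    (2500, "dev-A", "relay1.example"),
    (1005, "dev-B", "news.example"),
    (1040, "dev-B", "cdn.example"),
    (1700, "dev-B", "shop.example"),
    (2100, "dev-B", "mail.example"),
    (2150, "dev-B", "news.example"),
]


def find_beaconing(records, min_events=5, max_hosts=10, max_jitter=0.2):
    """Return {device: {"hosts", "interval", "jitter"}} for devices whose
    outbound connections look like beaconing.

    A device is flagged when it has at least min_events connections, to at
    most max_hosts distinct hosts, and the relative standard deviation of
    the gaps between connections is at most max_jitter.
    """
    by_device = defaultdict(list)
    for ts, dev, host in records:
        by_device[dev].append((ts, host))

    flagged = {}
    for dev, events in by_device.items():
        if len(events) < min_events:
            continue
        events.sort()
        hosts = {h for _, h in events}
        if len(hosts) > max_hosts:
            continue
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged[dev] = {"hosts": sorted(hosts), "interval": avg, "jitter": jitter}
    return flagged


if __name__ == "__main__":
    for dev, info in find_beaconing(SAMPLE_LOG).items():
        print(dev, info)
```

The thresholds are starting points, not tuned values; on real traffic the host set of a flagged device is then enriched (is each host a WordPress site, was it recently compromised, does the set change over time as the C2 list is updated) before anyone acts on the alert.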
Capabilities and Risks of Wpeeper
The commands received from the C2 server enable the malware to perform various malicious activities, including:
- Collecting device and file information
- Listing installed applications
- Updating the C2 server list
- Downloading and executing additional payloads from the C2 server or other URLs
- Self-deletion
The exact goals and scale of the Wpeeper campaign remain unclear. However, the stealthy use of compromised WordPress sites to hide the C2 servers suggests an attempt to grow the malware's installation numbers quietly before revealing its capabilities.
Preventive Measures and Recommendations
To mitigate the risks posed by malware like Wpeeper, users should adhere to the following guidelines:
- Install apps only from trusted sources: Ensure that applications are downloaded from reputable app stores or sources.
- Scrutinize app reviews and permissions: Before installing any app, check its reviews and the permissions it requests to identify any potential red flags.
Google's Response and Protections
Following the publication of this story, a Google spokesperson provided the following statement:
"Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.
Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."