
Wpeeper Mobile Malware

Security analysts have unearthed a new type of malware aimed at Android devices. This malware, named Wpeeper, was previously unknown and employs compromised WordPress sites to mask its Command-and-Control (C2) server connections, making it harder to detect. Wpeeper operates as an ELF binary and utilizes HTTPS for secure communication with its C2 servers.

Wpeeper functions as a standard backdoor Trojan for Android, enabling various activities, including gathering sensitive device data, file and directory management, file transfers (uploading and downloading), and remote command execution.

The Wpeeper Malware Infects Devices via Compromised Android Applications

The backdoor's ELF binary is concealed within a modified version of the Uptodown App Store application for Android (package name 'com.uptodown'), with the APK file serving as a carrier for the backdoor, designed to avoid detection.

The choice of the Uptodown App Store app for this campaign suggests an effort to masquerade as a legitimate third-party app marketplace and deceive unsuspecting users into installing it. According to statistics from Android-apk.org, the compromised version of the app (5.92) has been downloaded 2,609 times so far.
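A triage check a defender can run against a fleet of Android devices, added here as an example and not part of the original report: it parses the output of `adb shell pm list packages -i` and `adb shell dumpsys package com.uptodown` (output formats assumed; the sample text is constructed) and flags a sideloaded com.uptodown at the version reported above, which then warrants pulling the APK and comparing it with a known-good copy.

```python
import re
# Constructed sample output shaped like `adb shell pm list packages -i` and
# `adb shell dumpsys package <pkg>` (assumed formats; real output varies by Android
# version). Wpeeper's carrier is a modified Uptodown App Store build (com.uptodown 5.92).
PM_LIST_OUTPUT = """\
package:com.android.vending  installer=null
package:com.uptodown  installer=com.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""
DUMPSYS_OUTPUTS = {
    "com.uptodown": "    versionCode=592 targetSdk=33\n    versionName=5.92\n",
    "com.example.bank": "    versionName=3.1.0\n",
}

SUSPECT_PACKAGE = "com.uptodown"
SUSPECT_VERSION = "5.92"                      # version of the trojanized build
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; anything else is sideloaded

def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package (None for 'null') from pm list output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_version_name(dumpsys_output: str):
    """Extract versionName from dumpsys package output, or None if absent."""
    m = re.search(r"versionName=(\S+)", dumpsys_output)
    return m.group(1) if m else None

def triage(pm_output: str, dumpsys_outputs: dict) -> list:
    """Return findings for the campaign's carrier app; empty list if not installed."""
    installers = parse_installers(pm_output)
    if SUSPECT_PACKAGE not in installers:
        return []
    installer = installers[SUSPECT_PACKAGE]
    version = parse_version_name(dumpsys_outputs.get(SUSPECT_PACKAGE, ""))
    sideloaded = installer not in TRUSTED_INSTALLERS
    findings = []
    if sideloaded:
        findings.append(f"{SUSPECT_PACKAGE} installed by {installer!r}, not via Google Play")
    if version == SUSPECT_VERSION:
        findings.append(f"{SUSPECT_PACKAGE} version {version} matches the trojanized build")
    if sideloaded and version == SUSPECT_VERSION:
        # Version alone is not proof: the legitimate 5.92 exists too, so verify the APK.
        findings.append("HIGH: pull the APK and compare its hash with a known-good copy")
    return findings
```

Uptodown is distributed outside Google Play by design, so the sideloaded finding on its own is expected; the version match combined with a hash mismatch against a clean APK is what confirms the trojanized build.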

The Wpeeper Malware Utilizes Complex Command-and-Control Architecture

Wpeeper employs a sophisticated C2 architecture that involves infected WordPress sites acting as intermediaries to obfuscate its genuine C2 servers. Up to 45 C2 servers have been identified within this infrastructure, with nine of them hardcoded into the samples to dynamically update the C2 list.

These hardcoded servers are not actual C2s but C2 redirectors: their purpose is to forward the bot's requests to the genuine C2 and thereby shield it from detection. This has also raised the concern that the attackers may directly control some of the hardcoded servers, since relying only on compromised WordPress sites carries the risk of losing access to the botnet if the site administrators become aware of the compromise and take corrective action.

Attackers can Perform Various Intrusive Actions on Infected Devices

Commands received from the C2 server enable the malware to gather device and file details, list installed applications, update the C2 server, download and run additional payloads from the C2 server or a specified URL, and self-remove.

The full objectives and scope of the campaign are currently unclear. Still, there are suspicions that this deceptive tactic may have been employed to boost installation figures and subsequently expose the malware's capabilities.

To minimize the dangers posed by such malware, it's crucial to exclusively install apps from reputable sources and carefully review application ratings and permissions before downloading.
