Cybersecurity researchers have uncovered a previously unreported malware strain that targets Android smartphones and evades detection by using compromised WordPress websites as relays for its real command-and-control (C2) servers.
Code-named Wpeeper, the malware is an ELF binary that uses HTTPS to encrypt its C2 communications.
“Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands,” the team of researchers at QiAnXin XLab stated.
The APK file serves as a covert delivery mechanism for the ELF backdoor, which is embedded in a repackaged application that poses as the Uptodown App Store app for Android (package name “com.uptodown”).
According to the Chinese cybersecurity company, the malware was discovered on April 18, 2024, when it came across a Wpeeper artifact on the VirusTotal platform with 0% detection. Four days later, the campaign is said to have ended abruptly.
The campaign’s use of the Uptodown App Store app suggests an attempt to pose as a trustworthy third-party app marketplace and trick unsuspecting users into downloading it. The trojanized version of the app (5.92) had been downloaded 2,609 times at the time of writing, according to statistics on Android-apk.org.
Wpeeper conceals its real C2 servers behind a multi-tier C2 architecture that uses compromised WordPress websites as intermediaries. Of the 45 C2 servers identified as part of the infrastructure, nine are hard-coded into the samples and are used to dynamically update the C2 list.
“These [hard-coded servers] are not C2s but C2 redirectors — their role is to forward the bot’s requests to the real C2, aimed at shielding the actual C2 from detection,” the investigators stated.
Because the operators could lose access to the botnet if WordPress site administrators discover the compromise and clean up their sites, the researchers have also raised the possibility that some of the hard-coded servers are directly under the attackers’ control.
Based on the commands it retrieves from the C2 server, the malware can collect device and file information, enumerate installed applications, update the C2 server, download and execute additional payloads from the C2 server or an arbitrary URL, and delete itself.
Although the campaign’s precise objectives and scope are still unknown, the stealthy approach is believed to have been used to build up the number of installations before the malware’s capabilities were exposed.
To reduce the risk posed by this kind of malware, it is always advisable to install apps only from reputable sources and to carefully check app ratings and requested permissions before downloading them.