New Wpeeper Android malware hides behind hacked WordPress sites

Uncovering ‘Wpeeper’: The New Android Malware

In the ever-evolving landscape of cybersecurity threats, a new Android backdoor malware, dubbed ‘Wpeeper’, has emerged. This malicious software was recently identified masquerading as legitimate applications within two unofficial app stores, deceptively resembling the reputable Uptodown App Store, which boasts over 220 million downloads.

What sets Wpeeper apart is its innovative exploitation of compromised WordPress websites. These sites serve as intermediaries, relaying instructions to and from the malware’s true command and control (C2) servers. This tactic is designed to help the malware evade detection by disguising its digital footprint.

Wpeeper’s existence came to light on April 18, 2024, when the vigilant eyes of QAX’s XLab team stumbled upon an unfamiliar ELF file nestled within Android package files (APKs). These files had managed to slip under the radar with zero detections on VirusTotal, a renowned online service for analyzing and detecting viruses and malware.
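The discovery above hinged on noticing an ELF binary packed inside an APK. As an added triage example (not XLab’s tooling, and not code from the report), the script below opens an APK as the zip archive it is, reports every entry that starts with the ELF magic bytes, and flags those sitting outside the usual lib/ directory. The sample APK it builds is constructed for the demonstration.

```python
"""Triage helper: list ELF payloads embedded in an APK (added example)."""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"


def find_elf_entries(apk_bytes: bytes) -> list[dict]:
    """Return every zip entry in the APK whose content starts with the ELF magic.

    Native libraries legitimately live under lib/<abi>/; an ELF anywhere else
    (assets/, res/raw/, or under a renamed file) deserves a closer look.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < len(ELF_MAGIC):
                continue
            with zf.open(info) as fh:
                head = fh.read(len(ELF_MAGIC))
            if head != ELF_MAGIC:
                continue
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                # True when the entry is where native code is expected to be.
                "expected_location": info.filename.startswith("lib/"),
            })
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip mimicking an APK, not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # A normal native library in its expected place.
        zf.writestr("lib/arm64-v8a/libnative.so", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 40)
        # An ELF hidden under assets/ with a harmless-looking name.
        zf.writestr("assets/config.dat", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 40)
        zf.writestr("res/raw/banner.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in find_elf_entries(build_sample_apk()):
        label = "ok" if entry["expected_location"] else "SUSPICIOUS"
        print(f"{label:10} {entry['name']} ({entry['size']} bytes)")
```

Run it against a real APK by replacing `build_sample_apk()` with the file’s bytes; an ELF outside lib/ is a lead for analysis, not proof of malice on its own.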

The analysts’ report indicates that the malware’s activity halted suddenly on April 22. This cessation of operations is thought to be a deliberate move by the perpetrators to keep a low profile and avoid attracting the attention of cybersecurity experts and automated defense systems.

Despite the abrupt end to its known activity, XLab’s research, supported by data from Google and Passive DNS, suggests that Wpeeper had already compromised thousands of devices. However, the full extent of its reach remains shrouded in mystery.

Abusing WordPress as a C2

The architecture of Wpeeper’s C2 communication system is ingeniously crafted, utilizing compromised WordPress sites as stepping stones to conceal the true locations of its C2 servers. This method adds a layer of complexity to the task of tracking the malware’s operations.

Commands dispatched from the C2 to the infected devices are not only routed through these WordPress sites but are also fortified with AES encryption and secured with elliptic curve signatures, so that only holders of the signing key can issue commands the malware will accept.

Wpeeper exhibits adaptability by being able to update its C2 server information on-the-fly. Should a WordPress site be sanitized, the malware is capable of receiving new relay points from its controllers, thus maintaining its nefarious network.

The utilization of a multitude of compromised sites, scattered across various hosts and geographical locations, grants durability to Wpeeper’s C2 infrastructure. Such a setup poses significant challenges for cybersecurity teams attempting to dismantle the operation, or even to interrupt the malware’s communication with a single infected device.

Malware capabilities

At its core, Wpeeper is designed to pilfer data from its victims. It is equipped with a suite of 13 distinct commands, each enabling a different form of data extraction or manipulation:

  1. Acquiring comprehensive details about the infected device, including hardware and operating system specifications.
  2. Compiling a list of all applications installed on the device.
  3. Receiving updates for new C2 server addresses.
  4. Modifying the frequency of communication with the C2 server.
  5. Obtaining a new public key for authenticating command signatures.
  6. Downloading files from the C2 server.
  7. Extracting information about specific files on the device.
  8. Collecting data about certain directories on the device.
  9. Executing shell commands on the device.
  10. Downloading and executing a file.
  11. Updating the malware and executing a file.
  12. Removing the malware from the device.
  13. Downloading and executing a file from a specified URL.

The true intentions behind Wpeeper and the identity of its operators remain enigmatic. The potential misuse of the stolen data is a cause for concern, with possibilities ranging from account takeovers and network breaches to espionage, identity theft, and financial fraud.

To safeguard against threats like Wpeeper, it is strongly advised to download applications exclusively from the official Google Play Store and to keep the operating system’s integrated anti-malware feature, Play Protect, activated on your Android device.
