Wpeeper (Backdoor) – Malware

June 26, 2024

Wpeeper

Type of Malware

Backdoor

Country of Origin

Unknown

Date of initial activity

2024

Motivation

Information theft

Attack vectors

Unofficial app stores mimicking Uptodown App Store, infected email attachments, malicious online advertisements, social engineering, deceptive applications, scam websites.

Targeted System

Android

Overview

A new Android backdoor malware named ‘Wpeeper’ has been discovered in at least two unofficial app stores mimicking the Uptodown App Store, a popular third-party app store for Android devices with over 220 million downloads. Wpeeper stands out for its novel use of compromised WordPress sites to act as relays for its actual command and control (C2) servers, acting as an evasion mechanism. The Android malware was discovered on April 18, 2024, by QAX’s XLab team while examining a previously unknown ELF file embedded into APKs (Android package files), which had zero detections on VirusTotal. The analysts report that the activity ceased abruptly on April 22, presumably as part of a strategic decision to maintain a low profile and evade detection by security professionals and automated systems. Based on Google and Passive DNS data, XLab deduced that Wpeeper had already infected thousands of devices by the time of its discovery, but the actual scale of operations remains unknown.

Targets

Uptodown App Store Users

How they operate

Wpeeper operates by receiving commands from threat actors via a Command and Control (C2) server. Notably, Wpeeper uses compromised WordPress websites as a communication channel, which helps cybercriminals to obscure the true location of the control center. These compromised WordPress sites act like middlemen, making it more difficult to track down Wpeeper’s actual C2 servers. Any commands sent from the C2 to the bots are forwarded via these sites and are additionally AES encrypted and signed by an elliptic curve signature to prevent takeover by unauthorized third parties.

Wpeeper can dynamically update its C2 servers through the reception of a related command, so if a WordPress site is cleaned, new relaying points on different sites can be sent out to the botnet. Using multiple compromised sites across different hosts and locations adds resilience to the C2 mechanism, making it hard to shut down the operation or even disrupt the data exchange on a single infected Android device.

Malware Capabilities

Wpeeper’s primary functionality revolves around stealing data, facilitated by its extensive set of commands featuring 13 distinct functions. The supported commands in the backdoor malware are:

  • Retrieve detailed information about the infected device, such as hardware specifications and operating system details.
  • Gather a list of all installed applications on the device.
  • Receive new C2 server addresses to update the bot’s list of command sources.
  • Adjust the frequency of communication with the C2 server.
  • Receive a new public key for verifying command signatures.
  • Download arbitrary files from the C2 server.
  • Retrieve information about specific files stored on the device.
  • Gather information about specific directories on the device.
  • Run commands in the device’s shell.
  • Download a file and execute it.
  • Update the malware and execute a file.
  • Delete the malware from the device.
  • Download a file from a specified URL and execute it.
Since the operators of Wpeeper and the campaign’s motives are unknown, it’s unclear how the stolen data is used. Potential risks include account hijacking, network infiltration, intelligence collection, identity theft, and financial fraud. To avoid risks like Wpeeper, it is recommended that you only install applications from Android’s official app store, Google Play, and ensure that the OS’s built-in anti-malware tool, Play Protect, is active on your device.
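XLab found Wpeeper by noticing an ELF binary packed inside an APK, and that is a check defenders can automate: an APK is a ZIP archive, and ELF content belongs only under lib/<abi>/ as .so files. The script below is an added example (not the page’s or XLab’s tooling) that scans every archive entry for the ELF magic bytes and flags any ELF found outside the expected native-library path; the sample APK it builds in memory is constructed for the demonstration.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def find_embedded_elf(apk_bytes):
    """Scan an APK (a ZIP archive) and return (expected, suspicious).

    expected:   ELF entries stored as lib/<abi>/*.so, the normal place for native code.
    suspicious: ELF entries stored anywhere else (assets/, res/raw/, ...), which is
                how a dropped payload is typically hidden and worth a closer look.
    """
    expected, suspicious = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(ELF_MAGIC))  # only the header is needed
            if head != ELF_MAGIC:
                continue
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                expected.append(name)
            else:
                suspicious.append(name)
    return expected, suspicious


def build_sample_apk():
    """Constructed sample: a minimal APK-like ZIP with one legitimate native library
    and one ELF hidden under assets/ (stand-in for an embedded payload)."""
    elf_stub = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("lib/arm64-v8a/libnative.so", elf_stub)
        zf.writestr("assets/data.bin", elf_stub)
    return buf.getvalue()


if __name__ == "__main__":
    libs, hidden = find_embedded_elf(build_sample_apk())
    print("native libraries:", libs)
    print("ELF outside lib/:", hidden)
```

Run it against a real APK by passing the file’s bytes to find_embedded_elf; a non-empty suspicious list is a triage lead, not proof of malice, since some legitimate apps also ship native binaries in assets.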
References:
  • Playing Possum: What’s the Wpeeper Backdoor Up To?
Tags: Android, APK, App Store, Backdoor, Command, Cybercriminals, Google Play, Malware, Play Protect, Uptodown App Store, WordPress, Wpeeper