| Wpeeper | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | Unknown |
| Date of initial activity | 2024 |
| Motivation | Information theft |
| Attack vectors | Unofficial app stores mimicking the Uptodown App Store, infected email attachments, malicious online advertisements, social engineering, deceptive applications, scam websites |
| Targeted System | Android |
Overview
A new Android backdoor malware named ‘Wpeeper’ has been discovered in at least two unofficial app stores mimicking the Uptodown App Store, a popular third-party app store for Android devices with over 220 million downloads.
Wpeeper stands out for its novel use of compromised WordPress sites as relays in front of its actual command and control (C2) servers, an evasion mechanism that keeps the real infrastructure out of sight.
The Android malware was discovered on April 18, 2024, by QAX’s XLab team while examining a previously unknown ELF file embedded in APKs (Android package files), which had zero detections on VirusTotal.
The analysts report that the activity ceased abruptly on April 22, presumably as part of a strategic decision to maintain a low profile and evade detection by security professionals and automated systems.
Based on Google and Passive DNS data, XLab deduced that Wpeeper had already infected thousands of devices by the time of its discovery, but the actual scale of operations remains unknown.
Targets
Uptodown App Store Users
How they operate
Wpeeper receives its commands from a Command and Control (C2) server, but not directly: it talks to compromised WordPress websites that forward traffic between the bots and the real C2, which obscures the true location of the control infrastructure. Because the bots only ever see these intermediaries, tracking down Wpeeper’s actual C2 servers is considerably harder.
Commands passing through the relays are additionally AES-encrypted and signed with an elliptic-curve signature, so a party that merely controls a relay, including a defender who has cleaned the site, cannot inject its own commands or take over the bots. Wpeeper can also update its C2 list on receipt of a dedicated command, so if one WordPress site is cleaned up, new relay points on other sites can be pushed out to the botnet.
Spreading the relays across many compromised sites on different hosts and in different locations makes the C2 mechanism resilient: taking down any one site neither shuts down the operation nor reliably disrupts the data exchange with a single infected Android device.
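To make the relay scheme concrete, the following is an added example written for this page, not XLab’s analysis or Wpeeper’s own code. It shows how a bot can accept an encrypted-and-signed command forwarded by any relay while rejecting anything the relay’s owner injects, and how the operator pushes a fresh relay list through the same channel. The opcode names, the `*.invalid` hostnames, the AES-GCM mode, the P-256 curve and the encrypt-then-sign ordering are all assumptions; the page only says commands are AES-encrypted and carry an elliptic-curve signature.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Command is the plaintext a bot acts on; the opcodes are this example's own, not Wpeeper's real identifiers.
type Command struct {
	Op   string   `json:"op"`
	Args []string `json:"args,omitempty"`
}

// Envelope is what a compromised WordPress relay forwards verbatim: AES-GCM ciphertext plus an ECDSA signature over it.
type Envelope struct{ Nonce, Ciphertext, Signature []byte }

// newKeys returns a fresh shared AES-256 key and an operator-only P-256 signing key (assumed parameters).
func newKeys() ([]byte, *ecdsa.PrivateKey) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read does not fail on supported platforms
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key, sk
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a wrong key length
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func digest(nonce, ct []byte) []byte { // what gets signed: exactly the bytes the bot will decrypt
	sum := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return sum[:]
}

// Seal is the operator side: encrypt with the shared AES key, then sign the ciphertext (encrypt-then-sign).
func Seal(aesKey []byte, signer *ecdsa.PrivateKey, cmd Command) Envelope {
	plain, _ := json.Marshal(cmd) // Command has only marshalable fields
	gcm := gcmFor(aesKey)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nil, nonce, plain, nil)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest(nonce, ct))
	if err != nil {
		panic(err)
	}
	return Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}
}

// Bot is the implant side: the shared AES key, the operator's public key and the current relay list.
type Bot struct {
	AESKey    []byte
	VerifyKey *ecdsa.PublicKey
	Relays    []string
}

// Handle verifies the signature first, decrypts second, and only then acts. Whoever controls a relay
// can alter, forge or replay bytes, but cannot mint a signature the bot accepts without the private key.
func (b *Bot) Handle(env Envelope) error {
	if !ecdsa.VerifyASN1(b.VerifyKey, digest(env.Nonce, env.Ciphertext), env.Signature) {
		return errors.New("signature check failed: not from the operator")
	}
	plain, err := gcmFor(b.AESKey).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return err
	}
	var cmd Command
	if err = json.Unmarshal(plain, &cmd); err != nil {
		return err
	}
	switch cmd.Op {
	case "set_relays": // new relay list: survives the cleanup of any one WordPress site
		b.Relays = append([]string(nil), cmd.Args...)
	default: // device info, app list, shell, download-and-run, uninstall, ... would dispatch here
	}
	return nil
}

func main() {
	aesKey, signer := newKeys()
	bot := &Bot{AESKey: aesKey, VerifyKey: &signer.PublicKey, Relays: []string{"wp-relay-1.invalid"}}
	update := Command{Op: "set_relays", Args: []string{"wp-relay-2.invalid", "wp-relay-3.invalid"}}
	fmt.Println("relay update:", bot.Handle(Seal(aesKey, signer, update)), bot.Relays)
	_, rogue := newKeys() // seized a relay and even the shared AES key, but not the signing key
	fmt.Println("forged shell:", bot.Handle(Seal(aesKey, rogue, Command{Op: "shell", Args: []string{"id"}})))
}
```

Run it with `go run`: the relay update is accepted and the forged command is refused. The point to take away is that cleaning or seizing a WordPress relay yields neither the signing key nor any way to redirect the botnet, while the operator can push a new relay list through any surviving relay. The page does not say whether Wpeeper guards against replay of an old, validly signed envelope, nor how the “new public key” command is bound to the previous key; both would be handled in the same `switch` and are left out here rather than guessed at.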
Malware Capabilities
Wpeeper’s primary functionality revolves around stealing data, facilitated by its extensive set of commands featuring 13 distinct functions. The supported commands in the backdoor malware are:
Retrieve detailed information about the infected device, such as hardware specifications and operating system details.
Gather a list of all installed applications on the device.
Receive new C2 server addresses to update the bot’s list of command sources.
Adjust the frequency of communication with the C2 server.
Receive a new public key for verifying command signatures.
Download arbitrary files from the C2 server.
Retrieve information about specific files stored on the device.
Gather information about specific directories on the device.
Run commands in the device’s shell.
Download a file and execute it.
Update the malware and execute a file.
Delete the malware from the device.
Download a file from a specified URL and execute it.
Since the operators of Wpeeper and the campaign’s motives are unknown, it’s unclear how the stolen data is used. Potential risks include account hijacking, network infiltration, intelligence collection, identity theft, and financial fraud.
To avoid risks like Wpeeper, it is recommended that you only install applications from Android’s official app store, Google Play, and ensure that the OS’s built-in anti-malware tool, Play Protect, is active on your device.