Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers


Cybersecurity researchers have discovered a previously undocumented malware family targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers, a defense evasion technique. The malware, Wpeeper, is an ELF binary that uses HTTPS to secure its communications with the C2 server. Wpeeper is a Remote Access Trojan built for Android devices; its capabilities include harvesting sensitive information, manipulating files and directories, loading additional malware, and executing arbitrary commands. The ELF binary is embedded in a repackaged application disguised as the Uptodown App Store app, which acts as the delivery vehicle for the backdoor and helps it evade Google Play Store security. The cybersecurity firm QiAnXin XLab first discovered the malware on April 18, 2024, when it detected a Wpeeper artifact that was undetected on VirusTotal; the campaign ended abruptly 4 days later.

Wpeeper relies on a multi-tier C2 architecture that uses infected WordPress sites as intermediaries to obscure its true C2 servers and shield them from detection. As many as 45 C2 servers have been identified as part of the infrastructure, nine of which are hard-coded into the samples and are used to update the C2 list instantly. The commands retrieved from the C2 server allow the malware to collect device and file information and the list of installed apps, update the C2 server, download and execute additional payloads from the C2 server or an arbitrary URL, and delete itself.

Security Officer Comments:
This campaign uses the Uptodown App Store brand to trick users into installing malware by masquerading it as the legitimate third-party app marketplace application. It has been downloaded over 2,600 times to date. Some of the hard-coded C2 servers are likely under the direct control of the attacker, providing a contingency that maintains access to the botnet if WordPress administrators were ever to clean up the sites compromised by the threat actor. The encryption, signature verification, C2 redirectors, and other mechanisms employed by Wpeeper are evidence of this threat actor's proficiency. The lack of activity following the 4-day campaign could be a strategy meant to help the malware sneak past antivirus software by having its behavior learned by AI-based detection as normal. Although the exact goals of this campaign are undetermined, the threat actor added extra sophistication to their techniques, likely to make the file signature appear normal to detection software and to propagate the malware as widely as possible.

Suggested Corrections:
To mitigate the risks posed by such malware, it's always advised to install apps only from trusted sources and scrutinize app reviews and permissions before downloading them.
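One practical way for an administrator to act on the "trusted sources only" advice is to inventory which installer put each third-party app on a managed Android device and flag anything that did not come from the expected store. The script below is an added example written for this summary, not code from QiAnXin XLab or from the Wpeeper analysis; it parses the output of `adb shell pm list packages -3 -i` (a real Android command whose lines look like `package:<name>  installer=<installer>`). The trusted-installer allowlist (only Google Play, `com.android.vending`) and the brand watchlist (`uptodown`) are assumptions to adapt to your fleet, and the sample output is constructed for the demonstration.

```python
"""Flag sideloaded or brand-impersonating third-party packages on an Android device.

Added example for this advisory (not the researchers' code). It reads the output of
`adb shell pm list packages -3 -i`, which prints one line per third-party package:
    package:com.example.app  installer=com.android.vending
Sideloaded apps show `installer=null` (e.g. pushed over adb) or the system package
installer (`com.google.android.packageinstaller`, used when a user opens an APK).
"""
import re
import subprocess
import sys

# Assumption: Google Play is the only installer this fleet considers trusted.
# Add your MDM agent or vendor store package here if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumption: brand keywords that a repackaged app might carry in its package name
# (the page describes a malicious copy of the Uptodown App Store app).
BRAND_WATCHLIST = ("uptodown",)

_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")

# Constructed sample output standing in for a real `pm list packages -3 -i` run.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.uptodown.store.free  installer=com.google.android.packageinstaller
package:com.dev.pushed.tool  installer=null
"""


def parse_package_list(text):
    """Return a list of (package, installer) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if match:
            entries.append((match.group("pkg"), match.group("installer")))
    return entries


def find_untrusted(entries, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is not in the trusted allowlist (i.e. sideloaded)."""
    return [(pkg, inst) for pkg, inst in entries if inst not in trusted]


def find_brand_lookalikes(entries, watchlist=BRAND_WATCHLIST, trusted=TRUSTED_INSTALLERS):
    """Sideloaded packages whose name carries a watched brand keyword.

    A brand name in a package that did not arrive through the trusted store is the
    pattern a repackaged 'store app' would show, so it is worth a closer look.
    """
    hits = []
    for pkg, inst in find_untrusted(entries, trusted):
        lowered = pkg.lower()
        if any(brand in lowered for brand in watchlist):
            hits.append((pkg, inst))
    return hits


def collect_from_device():
    """Run the real command against a connected device; requires adb on PATH."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def report(text):
    """Build a human-readable report and return the findings for further processing."""
    entries = parse_package_list(text)
    untrusted = find_untrusted(entries)
    lookalikes = find_brand_lookalikes(entries)
    lines = [f"{len(entries)} third-party packages, {len(untrusted)} not from a trusted installer"]
    for pkg, inst in untrusted:
        tag = "  [brand lookalike]" if (pkg, inst) in lookalikes else ""
        lines.append(f"  {pkg}  (installer={inst}){tag}")
    return "\n".join(lines), untrusted, lookalikes


if __name__ == "__main__":
    # Use `--device` to query a connected phone; otherwise the constructed sample is used.
    source = collect_from_device() if "--device" in sys.argv else SAMPLE_OUTPUT
    print(report(source)[0])
```

Run it with `--device` against a phone in developer mode to get a live inventory; without the flag it runs on the constructed sample, where the two sideloaded entries are reported and the one carrying the Uptodown brand name is additionally tagged as a lookalike.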

General Mobile Phone Suggested Corrections:

  • Keep your software updated. Only 20 percent of Android devices are running the newest version and only 2.3 percent are on the latest release. Everything from your operating system to your social network apps is a potential gateway for hackers to compromise your mobile device. Keeping software up to date ensures the best protection against most mobile security threats.
  • Choose mobile security. Just like computers, your mobile devices also need internet security. Make sure to select mobile security software from a trusted provider and keep it up to date.
  • Install a firewall. Most mobile phones do not come with any kind of firewall protection. Installing a firewall provides you with much stronger protection against digital threats and allows you to safeguard your online privacy.
  • Always read the end-user agreement. Before installing an app, read the fine print. Grayware purveyors rely on you not reading their terms of service and allowing their malicious software onto your device.

QiAnXin XLab has published IOCs for this campaign in their blog post.