Chinese cybersecurity firm QAX XLab has uncovered a new Android trojan that hides its true command-and-control (C&C) server behind a series of compromised WordPress sites.
Dubbed Wpeeper, the malware has the typical functionality of an Android trojan, such as information collection, file and directory management, file download and upload, and command execution.
However, the malware stands out due to its use of a multi-level C&C infrastructure, where hacked WordPress websites are used to redirect communication to the real C&C server.
Furthermore, QAX XLab says, the malware uses HTTPS for communication, encrypts commands and uses an elliptic signature to prevent their takeover, and uses the Session field to differentiate requests.
A sample of the trojan was initially uploaded to VirusTotal on April 17, but its activity abruptly ceased on April 22, when the malware received a command to delete itself.
In that timeframe, however, QAX XLab identified dozens of C&C domains associated with the threat, which was being distributed via repackaged applications in the third-party Android application store UPtodown Store, which served as downloaders.
“The final command, with function number 12, was to delete itself. Initially, we thought our command tracking had been exposed, but changing tracking IPs proved ineffective; subsequently, the downloader also ceased providing sample downloads. The entire campaign seemed to have been abruptly halted,” QAX XLab notes.
Because the APKs fetching Wpeeper were not flagged as malicious, the abrupt halt in activity could suggest that the threat actor may be waiting for the downloaders to gain more popularity before pushing the trojan to user devices again.
According to QAX XLab, the malware has likely infected at least several thousands of devices, with the repackaged APKs continuing to be downloaded.
Before its abrupt disappearance, Wpeeper was seen using 45 C&C servers, most of which begin compromised WordPress sites acting as redirectors, forwarding bot requests, and hiding the real C&C.
The malware includes a list of hardcoded C&Cs, with at least one of them being a server operated by the attackers.
“The encryption, signature verification, C2 Redirectors, and other mechanisms employed by Wpeeper all reflect the creators’ professional proficiency. Even its current mysterious ‘silence’ could likely be part of their attack strategy, aiming to enter the AI learning sample set of antivirus software as a trusted entity,” QAX XLab said.
Related: Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices
Related: ‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities
Related: Anatsa Android Banking Trojan Continues to Spread via Google Play