Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion.
The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications.
"Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands," researchers from the QiAnXin XLab team said.
The ELF binary is embedded within a repackaged application that purports to be the UPtodown App Store app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection.
The Chinese cybersecurity firm said it discovered the malware after it detected a Wpeeper artifact with zero detection on the VirusTotal platform on April 18, 2024. The campaign is said to have come to an abrupt end four days later.
The use of the Uptodown App Store app for the campaign indicates an attempt to pass off a legitimate third-party app marketplace and trick unsuspecting users into installing it. According to stats on Android-apk.org, the trojanized version of the app (5.92) has been downloaded 2,609 times to date.
Wpeeper relies on a multi-tier C2 architecture that uses infected WordPress sites as an intermediary to obscure its true C2 servers. As many as 45 C2 servers have been identified as part of the infrastructure, nine of which are hard-coded into the samples and are used to update the C2 list on the fly.
"These [hard-coded servers] are not C2s but C2 redirectors -- their role is to forward the bot's requests to the real C2, aimed at shielding the actual C2 from detection," the researchers said.
This has also raised the possibility that some of the hard-coded servers are directly under their control, since there is a risk of losing access to the botnet should WordPress site administrators get wind of the compromise and take steps to correct it.
The commands retrieved from the C2 server allow the malware to collect device and file information, list of installed apps, update the C2 server, download and execute additional payloads from the C2 server or an arbitrary URL, and self-delete itself.
The exact goals and scale of the campaign are presently unknown, although it's suspected that the sneaky method may have been used to increase the installation numbers and then reveal the malware's capabilities.
To mitigate the risks posed by such malware, it's always advised to install apps only from trusted sources, and scrutinize app reviews and permissions prior to downloading them.
Update
A Google spokesperson shared the below statement following the publication of the story -
Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
