New Wpeeper Android malware hides behind hacked WordPress sites

A new Android backdoor malware named ‘Wpeeper’ has been spotted in at least two unofficial app stores mimicking the Uptodown App Store, a popular third-party app store for Android devices with over 220 million downloads.

Wpeeper stands out for its novel use of compromised WordPress sites as relays for its actual command and control (C2) servers, an arrangement that serves as an evasion mechanism.

The Android malware was discovered on April 18, 2024, by QAX’s XLab team while examining a previously unknown ELF file embedded into APKs (Android package files), which had zero detections on VirusTotal.

The analysts report that the activity ceased abruptly on April 22, presumably as part of a strategic decision to maintain a low profile and evade detection by security professionals and automated systems.

Based on Google and Passive DNS data, XLab deduced that Wpeeper had already infected thousands of devices by the time of its discovery, but the actual scale of operations remains unknown.

The malicious APK on a third-party app store
Source: XLab

Abusing WordPress as a C2

Wpeeper’s novel C2 communication system is structured to leverage compromised WordPress sites and intermediate relay points, obscuring the location and identity of its actual C2 servers.

Any commands sent from the C2 to the bots are forwarded via those sites; they are additionally AES encrypted and signed with an elliptic curve signature to prevent takeover by unauthorized third parties.

Hardcoded C2 addresses
Source: XLab

Wpeeper can update its C2 servers dynamically by receiving a dedicated command, so if a WordPress site is cleaned up, new relay points on different sites can be pushed out to the botnet.

Using multiple compromised sites across different hosts and locations adds resilience to the C2 mechanism, making it hard to shut down the operation or even disrupt the data exchange on a single infected Android device.
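The encrypt-and-sign design described above is what makes the relay layer resilient from the operator's point of view and frustrating from a defender's: whoever cleans up or sinkholes a compromised WordPress relay sees only ciphertext and cannot alter or forge a command (not even a benign "uninstall") without the operator's private key, and the dynamic C2 update means removing one relay does not sever the channel. The following Go program is an added illustration of that property, not code from the XLab report or from the malware; the AES-GCM mode, P-256 curve, message layout and command strings are all constructed assumptions, since the report does not publish the wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed model of one C2 message as a compromised WordPress
// relay would see it: AES-GCM ciphertext plus an ECDSA signature. Field layout,
// AES mode and curve are assumptions; the real Wpeeper format is not published.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte // ASN.1 ECDSA signature over SHA-256(Nonce || Ciphertext)
}

// newKeys creates the operator's signing key pair and a shared AES-256 key.
// In the real botnet these would be embedded at build time or replaced later
// by the "new public key" command; here they are generated for the demo.
func newKeys() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, nil, err
	}
	return priv, aesKey, nil
}

// signedDigest binds the nonce and ciphertext into the value that is signed.
func signedDigest(nonce, ct []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return d[:]
}

// sealCommand is the key holder's side: encrypt, then sign the ciphertext so
// that a relay, or anyone who takes a relay over, cannot alter or forge it.
func sealCommand(priv *ecdsa.PrivateKey, aesKey, plaintext []byte) (*Envelope, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(nonce, ct))
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// openCommand is the bot's side: verify the signature before touching the
// ciphertext, so a message changed in transit or signed with an untrusted key
// is rejected before decryption.
func openCommand(pub *ecdsa.PublicKey, aesKey []byte, env *Envelope) ([]byte, error) {
	if !ecdsa.VerifyASN1(pub, signedDigest(env.Nonce, env.Ciphertext), env.Signature) {
		return nil, errors.New("signature check failed: not from the trusted key holder")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, aesKey, err := newKeys()
	if err != nil {
		panic(err)
	}
	// Constructed command text standing in for, e.g., command 4 (poll interval).
	env, _ := sealCommand(priv, aesKey, []byte("cmd 4: checkin every 3600s"))
	pt, err := openCommand(&priv.PublicKey, aesKey, env)
	fmt.Printf("genuine: %q err=%v\n", pt, err)

	// A party controlling the relay but not the private key flips one byte: rejected.
	tampered := *env
	tampered.Ciphertext = append([]byte{}, env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = openCommand(&priv.PublicKey, aesKey, &tampered)
	fmt.Println("tampered:", err)

	// Re-signing with a different key (even for a benign uninstall) also fails
	// unless the bot's trusted public key is first replaced by the key holder.
	other, _, _ := newKeys()
	forged, _ := sealCommand(other, aesKey, []byte("cmd 12: uninstall"))
	_, err = openCommand(&priv.PublicKey, aesKey, forged)
	fmt.Println("forged:", err)
}
```

The practical consequence for responders is that cleaning or seizing relay sites does not let anyone remediate infected handsets over the C2 channel, which is why the guidance at the end of the article focuses on the device side (installing only from Google Play and keeping Play Protect enabled) rather than on the relays.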

Malware capabilities

Wpeeper’s primary functionality revolves around stealing data, facilitated by its extensive set of commands featuring 13 distinct functions.

The supported commands in the backdoor malware are:

  1. Retrieve detailed information about the infected device, such as hardware specifications and operating system details
  2. Gather a list of all installed applications on the device
  3. Receive new C2 server addresses to update the bot’s list of command sources
  4. Adjust the frequency of communication with the C2 server
  5. Receive a new public key for verifying command signatures
  6. Download arbitrary files from the C2 server
  7. Retrieve information about specific files stored on the device
  8. Gather information about specific directories on the device
  9. Run commands in the device’s shell
  10. Download a file and execute it
  11. Update the malware and execute a file
  12. Delete the malware from the device
  13. Download a file from a specified URL and execute it

Since the operators of Wpeeper and the campaign’s motives are unknown, it’s not clear how the stolen data is used, but potential risks include account hijacking, network infiltration, intelligence collection, identity theft, and financial fraud.

To avoid risks like Wpeeper, it is recommended that you only install applications from Android’s official app store, Google Play, and ensure that the OS’s built-in anti-malware tool, Play Protect, is active on your device.