Cybersecurity researchers have found a beforehand undocumented malware focusing on Android units that makes use of compromised WordPress websites as relays for its precise command-and-control (C2) servers for detection evasion.
The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to safe its C2 communications.
“Wpeeper is a typical backdoor Trojan for Android programs, supporting features akin to accumulating delicate machine data, managing information and directories, importing and downloading, and executing instructions,” researchers from the QiAnXin XLab group mentioned.
The ELF binary is embedded inside a repackaged utility that purports to be the UPtodown App Retailer app for Android (package deal identify “com.uptodown”), with the APK file appearing as a supply car for the backdoor in a fashion that evades detection.
The Chinese language cybersecurity agency mentioned it found the malware after it detected a Wpeeper artifact with zero detection on the VirusTotal platform on April 18, 2024. The marketing campaign is alleged to have come to an abrupt finish 4 days later.
Using the Uptodown App Retailer app for the marketing campaign signifies an try to move off a professional third-party app market and trick unsuspecting customers into putting in it. In accordance with stats on Android-apk.org, the trojanized model of the app (5.92) has been downloaded 2,609 occasions so far.
Wpeeper depends on a multi-tier C2 structure that makes use of contaminated WordPress websites as an middleman to obscure its true C2 servers. As many as 45 C2 servers have been recognized as a part of the infrastructure, 9 of that are hard-coded into the samples and are used to replace the C2 checklist on the fly.
“These [hard-coded servers] will not be C2s however C2 redirectors — their function is to ahead the bot’s requests to the true C2, aimed toward shielding the precise C2 from detection,” the researchers mentioned.
This has additionally raised the chance that a few of the hard-coded servers are straight underneath their management, since there’s a threat of dropping entry to the botnet ought to WordPress web site directors get wind of the compromise and take steps to appropriate it.
The instructions retrieved from the C2 server permit the malware to gather machine and file data, checklist of put in apps, replace the C2 server, obtain and execute further payloads from the C2 server or an arbitrary URL, and self-delete itself.
The precise objectives and scale of the marketing campaign are presently unknown, though it is suspected that the sneaky technique might have been used to extend the set up numbers after which reveal the malware’s capabilities.
To mitigate the dangers posed by such malware, it is at all times suggested to put in apps solely from trusted sources, and scrutinize app critiques and permissions previous to downloading them.
