Android Malware Wpeeper Exploits Compromised WordPress Sites to Hide C2 Servers

Security researchers have uncovered a new Android malware variant, dubbed Wpeeper, which employs compromised WordPress sites as intermediaries for its actual command-and-control (C2) servers to evade detection.

Wpeeper, an ELF binary, uses the HTTPS protocol to secure its C2 communications. According to the report, Wpeeper functions as a backdoor Trojan for Android devices, capable of collecting sensitive device information, managing files, uploading and downloading content, and executing commands.

The malware is distributed inside a repackaged application posing as the Uptodown App Store app for Android (package name “com.uptodown”); the APK serves as the delivery vehicle for the backdoor, which helps it evade detection.

The researchers discovered the malware after spotting a Wpeeper sample with zero detections on the VirusTotal platform on April 18, 2024; the campaign ended abruptly four days later.

The choice of using the Uptodown App Store app for the campaign suggests an attempt to disguise the malicious nature of the app and deceive unsuspecting users into installing it. Statistics indicate that the trojanized version of the app (5.92) has been downloaded 2,609 times to date.

Wpeeper employs a multi-tier C2 architecture, utilizing compromised WordPress sites as intermediaries to obfuscate its true C2 servers. The infrastructure includes 45 C2 servers, nine of which are hard-coded into the samples and are used to update the C2 list dynamically.

“These [hard-coded servers] are not C2s but C2 redirectors — their role is to forward the bot’s requests to the real C2, aimed at shielding the actual C2 from detection,” explained the researchers.

This approach raises the possibility that some of the hard-coded servers are directly under the attackers' control: should WordPress site administrators discover the compromise and clean up their sites, the attackers would risk losing access to the botnet.

Commands retrieved from the C2 server enable the malware to gather device and file information, list installed apps, update the C2 server, download and execute additional payloads, and self-delete.

The exact objectives and scope of the campaign remain unknown. However, it is suspected that the covert method may have been used to boost installation numbers before revealing the malware’s capabilities.

To mitigate the risks posed by such malware, users are advised to install apps only from trusted sources and to check user reviews and requested permissions before installing them.

To protect against Wpeeper, only download apps from trusted sources such as the Google Play Store. Keep your Android device’s operating system and apps updated to the latest versions. Be wary of suspicious links and attachments in emails or messages. Consider using a reputable mobile security app to scan for and remove malware from your device.