Cybersecurity researchers have found a beforehand undocumented malware concentrating on Android units that makes use of compromised WordPress websites as relays for its precise command-and-control (C2) servers for detection evasion.
The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to safe its C2 communications.
“Wpeeper is a typical backdoor Trojan for Android programs, supporting features comparable to gathering delicate machine info, managing recordsdata and directories, importing and downloading, and executing instructions,” researchers from the QiAnXin XLab group mentioned.
The ELF binary is embedded inside a repackaged software that purports to be the UPtodown App Retailer app for Android (package deal identify “com.uptodown”), with the APK file appearing as a supply automobile for the backdoor in a way that evades detection.
The Chinese language cybersecurity agency mentioned it found the malware after it detected a Wpeeper artifact with zero detection on the VirusTotal platform on April 18, 2024. The marketing campaign is claimed to have come to an abrupt finish 4 days later.
Using the Uptodown App Retailer app for the marketing campaign signifies an try to go off a reputable third-party app market and trick unsuspecting customers into putting in it. Based on stats on Android-apk.org, the trojanized model of the app (5.92) has been downloaded 2,609 occasions up to now.
Wpeeper depends on a multi-tier C2 structure that makes use of contaminated WordPress websites as an middleman to obscure its true C2 servers. As many as 45 C2 servers have been recognized as a part of the infrastructure, 9 of that are hard-coded into the samples and are used to replace the C2 checklist on the fly.
“These [hard-coded servers] are usually not C2s however C2 redirectors — their position is to ahead the bot’s requests to the actual C2, geared toward shielding the precise C2 from detection,” the researchers mentioned.
This has additionally raised the likelihood that a few of the hard-coded servers are straight beneath their management, since there’s a danger of dropping entry to the botnet ought to WordPress web site directors get wind of the compromise and take steps to right it.
The instructions retrieved from the C2 server permit the malware to gather machine and file info, checklist of put in apps, replace the C2 server, obtain and execute extra payloads from the C2 server or an arbitrary URL, and self-delete itself.
The precise objectives and scale of the marketing campaign are presently unknown, though it is suspected that the sneaky methodology might have been used to extend the set up numbers after which reveal the malware’s capabilities.
To mitigate the dangers posed by such malware, it is at all times suggested to put in apps solely from trusted sources, and scrutinize app opinions and permissions previous to downloading them.