Cybersecurity researchers have found a beforehand undocumented malware concentrating on Android gadgets that makes use of compromised WordPress websites as relays for its precise command-and-control (C2) servers for detection evasion.
The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to safe its C2 communications.
“Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands,” researchers from the QiAnXin XLab group stated.
The ELF binary is embedded inside a repackaged software that purports to be the UPtodown App Retailer app for Android (bundle identify “com.uptodown”), with the APK file appearing as a supply automobile for the backdoor in a way that evades detection.
The Chinese language cybersecurity agency stated it found the malware after it detected a Wpeeper artifact with zero detection on the VirusTotal platform on April 18, 2024. The marketing campaign is alleged to have come to an abrupt finish 4 days later.
Using the Uptodown App Retailer app for the marketing campaign signifies an try to cross off a official third-party app market and trick unsuspecting customers into putting in it. Based on stats on Android-apk.org, the trojanized model of the app (5.92) has been downloaded 2,609 instances so far.
Wpeeper depends on a multi-tier C2 structure that makes use of contaminated WordPress websites as an middleman to obscure its true C2 servers. As many as 45 C2 servers have been recognized as a part of the infrastructure, 9 of that are hard-coded into the samples and are used to replace the C2 checklist on the fly.
“These [hard-coded servers] are not C2s but C2 redirectors — their role is to forward the bot’s requests to the real C2, aimed at shielding the actual C2 from detection,” the researchers stated.
This has additionally raised the likelihood that among the hard-coded servers are straight beneath their management, since there’s a threat of shedding entry to the botnet ought to WordPress website directors get wind of the compromise and take steps to right it.
The instructions retrieved from the C2 server enable the malware to gather system and file info, checklist of put in apps, replace the C2 server, obtain and execute extra payloads from the C2 server or an arbitrary URL, and self-delete itself.
The precise objectives and scale of the marketing campaign are presently unknown, though it is suspected that the sneaky methodology might have been used to extend the set up numbers after which reveal the malware’s capabilities.
To mitigate the dangers posed by such malware, it is all the time suggested to put in apps solely from trusted sources, and scrutinize app opinions and permissions previous to downloading them.
