
Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers

Cybersecurity researchers have discovered previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers in order to evade detection.

The malware, codenamed Wpeeper, is an ELF binary that uses the HTTPS protocol to secure its C2 communications.

“Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands,” researchers from the QiAnXin XLab team said.

The ELF binary is embedded within a repackaged application that purports to be the Uptodown App Store app for Android (package name “com.uptodown”), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection.


The Chinese cybersecurity firm said it discovered the malware after it detected a Wpeeper artifact with zero detections on the VirusTotal platform on April 18, 2024. The campaign is said to have come to an abrupt end four days later.


The use of the Uptodown App Store app for the campaign indicates an attempt to pass the malware off as a legitimate third-party app marketplace and trick unsuspecting users into installing it. According to stats on Android-apk.org, the trojanized version of the app (5.92) has been downloaded 2,609 times to date.


Wpeeper relies on a multi-tier C2 architecture that uses infected WordPress sites as an intermediary to obscure its true C2 servers. As many as 45 C2 servers have been identified as part of the infrastructure, nine of which are hard-coded into the samples and are used to update the C2 list on the fly.

“These [hard-coded servers] are not C2s but C2 redirectors — their role is to forward the bot’s requests to the real C2, aimed at shielding the actual C2 from detection,” the researchers said.


This has also raised the possibility that some of the hard-coded servers are directly under the attackers’ control, since there is a risk of losing access to the botnet should WordPress site administrators get wind of the compromise and take steps to correct it.


The commands retrieved from the C2 server allow the malware to collect device and file information and a list of installed apps, update the C2 server, download and execute additional payloads from the C2 server or an arbitrary URL, and delete itself.

The exact goals and scale of the campaign are currently unknown, although it is suspected that the stealthy approach may have been used to increase installation numbers before revealing the malware’s capabilities.

To mitigate the risks posed by such malware, it is always advised to install apps only from trusted sources and to scrutinize app reviews and permissions prior to downloading them.
