Wpeeper Mobile Malware Targets Android Devices


Cybersecurity researchers have identified new malware that targets Android devices. The malware, named Wpeeper, uses compromised WordPress websites to mask its true command-and-control servers, which makes it difficult to detect.

Wpeeper is designed as an ELF binary and communicates over HTTPS to secure its command-and-control operations. According to the QiAnXin XLab team, Wpeeper acts as a backdoor Trojan, allowing attackers to gather device data, manage files, and execute various commands on infected devices.

Wpeeper Rides Inside a Modified Version of Uptodown

The malware is distributed through a repackaged version of the Uptodown App Store app (with package name "com.uptodown") for Android. This approach is used to evade detection, with the infected APK file serving as a carrier for the backdoor.

QiAnXin XLab discovered Wpeeper on April 18, 2024, when they detected it on VirusTotal, where it had no prior detection. The campaign abruptly ceased four days later.

Wpeeper's command-and-control infrastructure involves using infected WordPress sites as intermediaries, with up to 45 command-and-control servers identified. Some of these servers act as redirectors, forwarding requests to the actual command-and-control servers to avoid detection.

The malware's capabilities include gathering device information, listing installed apps, updating its command-and-control server list, downloading additional payloads, and self-deleting.

Although the campaign's exact goals and scale remain unclear, the use of the Uptodown App Store app suggests an attempt to deceive users into downloading the malware. Google contacted news outlet The Hacker News and stated that no apps containing this malware are currently on Google Play, and that Android devices with Google Play Protect are automatically safeguarded against malicious apps, even if they originate from sources other than the Google Play store.
