WordPress websites, hiding spot for the new Wpeeper malware

May 2, 2024

A new Android malware called Wpeeper has been identified that hides behind hacked WordPress websites. Researchers have also spotted the malware in at least two unofficial software repositories that imitate the Uptodown Software Store, a well-known third-party platform for Android apps with over 220 million downloads.

This new malware has drawn the attention of researchers because of a novel evasion technique: it uses hijacked WordPress sites as intermediaries that sit between the infected devices and its real command-and-control (C2) servers, so the bots never contact the C2 infrastructure directly.

A research team discovered the campaign last month. The malware is treated as a newly discovered family: the researchers examined a previously unknown ELF binary embedded in APKs (Android package files) that had received no detections on VirusTotal at the time.

The researchers also note that the operation abruptly stopped on April 22, which suggests its operators want to keep a low profile. In their reading, going quiet is meant to keep the malware under the radar so that analysts do not reverse-engineer its capabilities.

Still, reports indicate that Wpeeper had already infected thousands of devices by the time it was detected, although the full extent of the operation is unknown.

Hacked WordPress websites become a haven for the Wpeeper malware

According to the investigation, Wpeeper uses an unusual C2 communication architecture that hides the true location and identity of its C2 servers: infected devices talk only to hacked WordPress sites, which act as intermediary relays between the bots and the real servers.

Commands travel from the C2 to the bots through these hijacked sites. The operators have also hardened the channel: each command is AES-encrypted and carries an elliptic-curve signature, so a third party who takes control of a relay site can neither read the traffic nor forge or tamper with commands destined for the bots.

In addition, Wpeeper can update its list of C2 servers in response to a command, so the operators can point the bots at fresh relays once a compromised WordPress site is cleaned up.

The malware's primary purpose is data theft, carried out through a set of backdoor commands: collecting detailed device information, listing installed apps, receiving updated C2 server addresses, changing the communication frequency, and more.
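The relay-and-signature design described above, as an added example that is not code from the original article or from the Wpeeper sample. It models the scheme in Go: the operator AES-GCM-encrypts each command and signs the ciphertext with an ECDSA key, a compromised WordPress site merely forwards the bytes, and the bot verifies the signature before decrypting and acting on it, including the "update C2" command that moves it to a new relay. The command text format, the relay URLs and the premise that the AES key and the public verification key sit inside the implant while the signing key stays on the operator's server are all this model's own assumptions; nothing here is taken from the real malware's protocol. The practical point it demonstrates is that seizing or cleaning up a relay site does not let anyone, defenders included, push commands to the bots, because the signing key never touches the relay.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Envelope is all a relay ever sees: AES-GCM ciphertext plus an ECDSA signature over it.
type Envelope struct{ Nonce, Ciphertext, Sig []byte }

// Bot is the implant: operator public key, AES cipher (both assumed recoverable from the APK), current relay URL.
type Bot struct {
	verifyKey *ecdsa.PublicKey
	aead      cipher.AEAD
	Relay     string
}

// digest binds nonce and ciphertext so one signature covers both.
func digest(nonce, ct []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return h[:]
}

// Seal encrypts a text command such as "update_c2 <url>" (an assumed layout, not Wpeeper's)
// and signs it when signKey is given; a forger holding only the AES key passes signKey == nil.
func Seal(cmd string, aead cipher.AEAD, signKey *ecdsa.PrivateKey) (Envelope, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	env := Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, []byte(cmd), nil)}
	if signKey == nil {
		return env, nil
	}
	sig, err := ecdsa.SignASN1(rand.Reader, signKey, digest(nonce, env.Ciphertext))
	env.Sig = sig
	return env, err
}

// Forward models a compromised WordPress site: it relays bytes it can neither read nor forge.
func Forward(env Envelope) Envelope { return env }

// Handle is the bot's receive path: verify the signature first, then decrypt, then act.
func (b *Bot) Handle(env Envelope) (string, error) {
	if !ecdsa.VerifyASN1(b.verifyKey, digest(env.Nonce, env.Ciphertext), env.Sig) {
		return "", errors.New("rejected: signature does not verify under the operator key")
	}
	pt, err := b.aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	parts := append(strings.SplitN(string(pt), " ", 2), "") // pad so a bare op still has an arg slot
	if parts[0] == "update_c2" {
		b.Relay = parts[1] // the bot keeps working after the old relay site is cleaned up
	}
	return parts[0], nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Scenario runs the exchange: a signed rotation order moves the bot to a new relay, while a
// forged one built with only the AES key is rejected and leaves the relay unchanged.
func Scenario() (relay string, forgeErr error) {
	signKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed to exist only on the C2
	must(err)
	aesKey := make([]byte, 32) // assumed to ship inside the APK, so any analyst or relay owner has it
	_, err = rand.Read(aesKey)
	must(err)
	block, err := aes.NewCipher(aesKey)
	must(err)
	aead, err := cipher.NewGCM(block)
	must(err)
	// Relay URLs below are constructed placeholders.
	bot := &Bot{verifyKey: &signKey.PublicKey, aead: aead, Relay: "https://relay-one.example/up.php"}
	env, err := Seal("update_c2 https://relay-two.example/up.php", aead, signKey)
	must(err)
	_, err = bot.Handle(Forward(env))
	must(err)
	forged, err := Seal("update_c2 https://sinkhole.example/up.php", aead, nil)
	must(err)
	_, forgeErr = bot.Handle(Forward(forged))
	return bot.Relay, forgeErr
}

func main() {
	relay, forgeErr := Scenario()
	fmt.Println("relay now:", relay, "| forged command:", forgeErr)
}
```

Running it with `go run` shows the bot switch to the second relay and then refuse the unsigned redirect to the sinkhole. `Forward` is where a real relay's server-side script would sit; its only job is to pass bytes through, which is why the signature check on the bot, not the relay, is what keeps the botnet under the operator's control.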

The motivations of the Wpeeper operators are still unknown, as is what the stolen data is used for. The information it collects could nonetheless enable account takeover, network intrusion, intelligence gathering, identity theft and financial fraud.
