Analysis Summary

A previously unreported malware that targets Android devices has been found by cybersecurity experts. To avoid detection, the malware exploits hacked WordPress websites as relays for its real command-and-control (C2) servers. The malware, dubbed Wpeeper, is an ELF program that uses HTTPS to encrypt its C2 connections.

A common backdoor Trojan for Android systems, Wpeeper can perform tasks like gathering private device data, organizing files and folders, uploading and downloading, and carrying out orders. The APK file serves as a covert backdoor delivery mechanism for the ELF code, which is embedded in a repackaged application that seems to be the UPtodown App Store app for Android.

“Due to the minimal amount of added code, the modified APKs currently also show zero detections on VirusTotal,” said the researchers.

The campaign's use of the Uptodown App Store app suggests an attempt to pose as a trustworthy third-party app marketplace and fool gullible customers into downloading it. The trojanized version of the software has been downloaded 2,609 times as of right now, according to the statistics. Wpeeper conceals its real C2 servers using a multi-tier C2 architecture that employs compromised WordPress websites as a middleman. Nine of the 45 C2 servers that have been identified as being a component of the infrastructure are hard-coded into the samples and are utilized to dynamically update the C2 list.

These hard-coded servers are C2 redirectors rather than C2s; their function is to route the bot's queries to the genuine C2 to prevent the real C2 from being discovered. Since there is a chance that they could lose access to the botnet if WordPress site administrators discover the hack and take action to fix it, this has also raised the potential that some of the hard-coded servers are directly under their control.

The malware can gather data on devices and files, a list of installed applications, update the C2 server, download and run additional payloads from the C2 server or an arbitrary URL, and self-delete thanks to the directives it retrieves from the C2 server.

Although the campaign's precise objectives and scope are yet unknown, it is thought that the cunning tactic was employed to boost the number of installations before making the malware's capabilities apparent. It's always advisable to install apps from reputable sources and carefully check app ratings and permissions before downloading them to reduce the risks associated with this kind of threat.

Impact

• Sensitive Data Theft
• Security Bypass
• Unauthorized Access

Indicators of Compromise

MD5

• 003577a70748ab4ed18af5aecbd0b529

SHA-256

• 265f0cb83a59d5ab4fff8cb9619439c61f1b86680791485b1f83ef48a6c26741

SHA1

• 01aed0ac423d51b35bd0e6b36394d2002a0de99e

URL

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
• Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Keep your operating system and apps up-to-date with the latest security patches and updates
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.