Cybersecurity scientists have uncovered a beforehand undocumented malware concentrating on Android devices that works by using compromised WordPress websites as relays for its actual command-and-manage (C2) servers for detection evasion.
The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to safe its C2 communications.
“Wpeeper is a common backdoor Trojan for Android techniques, supporting functions such as amassing delicate gadget info, handling documents and directories, uploading and downloading, and executing commands,” researchers from the QiAnXin XLab group said.
The ELF binary is embedded in a repackaged software that purports to be the UPtodown Application Retailer app for Android (package deal name “com.uptodown”), with the APK file performing as a shipping vehicle for the backdoor in a way that evades detection.
The Chinese cybersecurity business said it uncovered the malware immediately after it detected a Wpeeper artifact with zero detection on the VirusTotal platform on April 18, 2024. The campaign is claimed to have appear to an abrupt stop four days later.
The use of the Uptodown Application Retail store application for the marketing campaign signifies an endeavor to go off a respectable 3rd-party application marketplace and trick unsuspecting consumers into setting up it. According to stats on Android-apk.org, the trojanized edition of the application (5.92) has been downloaded 2,609 situations to day.
Wpeeper relies on a multi-tier C2 architecture that takes advantage of contaminated WordPress web-sites as an middleman to obscure its legitimate C2 servers. As several as 45 C2 servers have been identified as aspect of the infrastructure, nine of which are difficult-coded into the samples and are applied to update the C2 list on the fly.
“These [hard-coded servers] are not C2s but C2 redirectors — their function is to forward the bot’s requests to the genuine C2, aimed at shielding the actual C2 from detection,” the scientists mentioned.
This has also lifted the probability that some of the tricky-coded servers are instantly underneath their management, because there is a risk of getting rid of entry to the botnet should really WordPress site directors get wind of the compromise and consider measures to suitable it.
The instructions retrieved from the C2 server let the malware to accumulate gadget and file data, checklist of mounted apps, update the C2 server, obtain and execute supplemental payloads from the C2 server or an arbitrary URL, and self-delete alone.
The precise objectives and scale of the marketing campaign are presently not known, even though it truly is suspected that the sneaky method might have been employed to boost the set up figures and then reveal the malware’s capabilities.
To mitigate the threats posed by this sort of malware, it truly is constantly recommended to put in apps only from trusted sources, and scrutinize application testimonials and permissions prior to downloading them.
Uncovered this posting intriguing? Adhere to us on Twitter and LinkedIn to study additional exclusive written content we article.
Some parts of this article are sourced from:
thehackernews.com