Beware of New Android Trojan That Executes Malicious Commands

Cybersecurity researchers at XLab have uncovered a new Android malware strain called “Wpeeper.”

This sophisticated backdoor Trojan has been designed to infiltrate Android systems and execute a wide range of malicious commands, posing a significant threat to unsuspecting users.

The malware is being distributed through repackaged applications on the Uptodown app store, a popular third-party platform similar to Google Play.

By embedding a small code snippet into regular APKs, the attackers have managed to bypass antivirus detection.

The malware’s network operations are equally sophisticated, featuring a multi-level command-and-control (C2) architecture that relies on compromised WordPress sites as relay servers.

This approach effectively conceals the true C2 server, making it more challenging for security researchers and authorities to track and disrupt the operation.

Wpeeper is a typical backdoor Trojan for Android systems, supporting many malicious functions.

These include collecting sensitive device information, managing files and directories, uploading and downloading data, and executing arbitrary commands on the infected device.

The most notable feature of Wpeeper is its use of encryption and digital signatures to protect its network traffic and commands.

All communications between the malware and the C2 servers are encrypted using AES, and an elliptic curve signature accompanies the commands to prevent unauthorized takeover or tampering.

Researchers at XLab have been closely monitoring Wpeeper’s activities and observed an abrupt halt in the campaign on April 22.

The C2 servers and downloaders suddenly stopped providing services, leading the researchers to suspect that this could be part of a larger strategic move by the attackers.

One possible explanation is that the attackers may have intentionally stopped the network activity to allow the repackaged APKs to maintain their “innocent” status in the eyes of antivirus software.

This could enable the malware to increase its installation numbers and reveal its true capabilities later, potentially catching security teams off guard.

While XLab does not have direct data on the scale of Wpeeper's distribution, its analysis of Google and Passive DNS (PDNS) results suggests that infections are at the thousand level, without widespread propagation.

However, the researchers emphasize that the threat remains ongoing, as the relevant samples continue to evade detection by security firms.

The researchers have thoroughly analyzed Wpeeper’s functionality, shedding light on its inner workings.

Wpeeper obtains its C2 server addresses in two ways. The first is by decoding the C2 servers embedded in the malware sample, while the second is by reading and decrypting the “store.lock” file, which contains additional C2 server information and other configuration data.

Wpeeper employs the libcurl library to construct POST requests for communicating with the C2 servers.

The malware uses the Cookie and Session fields in the HTTP headers to differentiate between different types of requests, such as beacons, command requests, and result uploads.
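The request pattern described above can be turned into a hunting heuristic for proxy logs. The following is an added example, not code from XLab or the original article: it flags clients that send POST requests carrying both a Cookie and a Session request header to several distinct hosts, matching the relay-based design. The JSON log schema, the sample records, and the `min_hosts` threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed proxy records (JSON lines); every address, host and value is made up.
SAMPLE_LOG = """
{"src": "10.0.0.21", "method": "POST", "host": "blog-a.example", "headers": {"Cookie": "x", "Session": "y"}}
{"src": "10.0.0.21", "method": "POST", "host": "blog-b.example", "headers": {"cookie": "x", "session": "y"}}
{"src": "10.0.0.21", "method": "POST", "host": "shop-c.example", "headers": {"Cookie": "x", "Session": "y"}}
{"src": "10.0.0.35", "method": "POST", "host": "forum.example", "headers": {"Cookie": "login=1"}}
{"src": "10.0.0.35", "method": "GET", "host": "blog-a.example", "headers": {"Cookie": "x", "Session": "y"}}
{"src": "10.0.0.40", "method": "POST", "host": "api.example", "headers": {"Cookie": "x", "Session": "y"}}
truncated-line {"src":
"""

def parse_records(log_text):
    """Yield well-formed JSON objects, skipping blank or damaged lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec

def is_candidate(rec):
    """POST request that carries both Cookie and Session request headers."""
    names = {str(k).lower() for k in (rec.get("headers") or {})}
    return str(rec.get("method", "")).upper() == "POST" and {"cookie", "session"} <= names

def hunt(log_text, min_hosts=2):
    """Map each client to the distinct hosts it sent candidate requests to.

    min_hosts is an assumed threshold: one client hitting several unrelated
    sites with this header pair is more suspicious than a single app backend.
    """
    hosts_by_src = defaultdict(set)
    for rec in parse_records(log_text):
        if is_candidate(rec) and rec.get("src") and rec.get("host"):
            hosts_by_src[rec["src"]].add(str(rec["host"]).lower())
    return {s: sorted(h) for s, h in hosts_by_src.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for src, hosts in hunt(SAMPLE_LOG).items():
        print(src, "->", ", ".join(hosts))
```

Request headers are only visible to a proxy that terminates or inspects TLS, so this check applies to plaintext HTTP or inspected traffic. A hit is a lead for triage, not a verdict, since legitimate applications may also send a custom Session header.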

Wpeeper supports 13 different commands, ranging from collecting device information and package lists to downloading and executing arbitrary files.

The researchers have provided detailed information on the various commands and their corresponding functionalities.

Through their command tracking and analysis, the researchers have gained valuable insights into the attackers’ tactics and the overall structure of the Wpeeper operation.

The researchers have identified 45 C2 servers used by Wpeeper, most of which are compromised WordPress sites serving as C2 redirectors.

This multi-layered approach helps shield the true C2 server from detection while also introducing potential reliability issues if the compromised sites are discovered and taken down.

Among the nine hardcoded C2 servers, the researchers believe that one,, is likely owned by the attackers themselves, providing an additional layer of control and resilience to the operation.

The researchers at XLab have provided a comprehensive overview of the Wpeeper Android Trojan, highlighting its sophisticated design, extensive capabilities, and the potential larger scheme behind the attackers’ actions.

They emphasize the ongoing nature of the threat and invite peers with unique perspectives and administrators of affected websites to provide further clues and insights.

As the cybersecurity landscape continues to evolve, users, security professionals, and researchers must remain vigilant and collaborate in the fight against emerging threats like Wpeeper.

By sharing information and working together, the security community can better protect Android users from the dangers posed by this sophisticated malware.
