Wpeeper Android Backdoor Hides Behind Hacked Websites

Specialists at QAX XLab have identified a new type of Android malware—a backdoor named Wpeeper, which is disseminated through APK files from unofficial app stores posing as the popular alternative marketplace Uptodown.

Wpeeper is notable for its unique tactic of employing infected WordPress sites as intermediary relays for its C2 servers, a mechanism that serves to evade detection.

According to Google and Passive DNS, by the time Wpeeper was detected, it had already infected thousands of devices, but the true scale of its operations remains unknown. The malware was discovered on April 18, and its activity abruptly ceased on April 22, presumably as part of a strategic decision to maintain discretion and avoid detection by experts and automated systems.

New C2

The backdoor employs a sophisticated communication system with C2 servers via infected WordPress sites that act as relays, complicating the tracking of the true control servers. Commands transmitted to infected devices are encrypted and signed using elliptic curves, thwarting interception.

Wpeeper’s primary functionality includes stealing data from devices using a suite of 13 different commands that allow, among other things, extracting detailed information about the infected device, managing the application list, downloading and executing files, and updating or deleting malware.

The operators of Wpeeper and their motives remain unknown; however, potential risks include account hijacking, network penetration, intelligence gathering, identity theft, and financial fraud.

To minimize risks associated with such threats, it is advisable to install applications solely from the official Google Play Store and activate the built-in malware protection tool, Play Protect.