New Android Trojan executes malicious commands on your phone

XLab researchers uncover “Wpeeper,” a new Android malware infiltrating systems to execute various malicious commands, posing a serious threat to users.

All about the new Android Trojan

Wpeeper’s distribution is cunning: it spreads through repackaged apps on Uptodown, a popular third-party app store comparable to Google Play. Attackers embed the malicious code into otherwise legitimate APKs in a way that evades antivirus engines, resulting in zero detections on VirusTotal.

The malware’s network operations are highly sophisticated, utilizing a multi-level command-and-control (C2) architecture that depends on compromised WordPress sites as relay servers.

This method effectively hides the actual C2 server, increasing the difficulty for security researchers and authorities to trace and disrupt the operation.

Wpeeper, a typical backdoor Trojan for Android systems, supports various malicious functions, including gathering sensitive device data, file management, data uploading and downloading, and executing arbitrary commands.

Its standout feature is the use of encryption and digital signatures to protect its network traffic and commands. AES encryption secures all communication between the malware and the C2 servers, while elliptic curve signatures on the commands prevent anyone other than the operators from taking over the botnet or tampering with its instructions.

XLab researchers have been closely tracking Wpeeper’s actions and noticed a sudden cessation in the campaign on April 22nd.

The halt in C2 server and downloader activity raised suspicions among researchers, suggesting it might be a strategic move by the attackers. One theory is that they intentionally paused network activity to keep repackaged APKs undetected by antivirus software.

This tactic may allow the malware to boost its installation count and unveil its full capabilities later, potentially surprising security teams.

Although XLab lacks precise data on Wpeeper’s distribution scale, their analysis of Google and Passive DNS (PDNS) results indicates infections in the thousands without widespread propagation.

Yet, the researchers stress that the threat persists, with the pertinent samples consistently evading detection by security firms.

XLab researchers offer a thorough overview of the Wpeeper Android Trojan, showcasing its sophisticated design, wide-ranging capabilities, and potential broader scheme by the attackers.

They stress the ongoing threat and encourage peers and administrators of affected websites to share insights. In an evolving cybersecurity landscape, vigilance and collaboration among users, security professionals, and researchers are crucial in combating emerging threats such as Wpeeper.

IOCs

MD5

APK 3dab5a687ab46dbbd80189d727637542

ELF 003577a70748ab4ed18af5aecbd0b529

32e92509bc4a5e3eb2146fe119c45f55

Downloader

https://appflyer.co/downloads/latest/device/android/

https://dn.jnipatch.com/downloads/latest/device/android

C2 Redirectors

Hardcoded

https://tartarcusp.com/BZRAWE/

https://www.chasinglydie.com/7V5QT0/

https://www.civitize.com/0SA67H/

https://wyattotero.com/AQVLLY/

https://web.rtekno.com/5XPOS2/

https://dermocuidado.com/8QSCZP/

https://ocalacommercialconstruction.com/WXFHF6/

https://scatsexo.com/NVZ4L0/

https://snipsnack.com/T8Q2BN/

New

https://4devsolutions.com/4NUAK1/

https://atba3li.com/Z99QQ6/

https://avsecretarial.com/PYWDEL/

https://barbeariadomarfim.com/BN2TTO/

https://beanblisscafe.com/MX1OAS/

https://carloadspry.com/SJI4C1/

https://carshringaraligarh.com/TBHH4O/

https://coexisthedge.com/ZF57OA/

https://dibplumber.com/LCN9UJ/

https://dodgeagonize.com/KJSLOT/

https://essentialelearning.com/EVSKOT/

https://focusframephoto.com/1J10V9/

https://fontshown.com/4D69BN/

https://gadeonclub.com/Q9DVGH/

https://hhfus.com/CUGCCO/

https://kiwisnowman.com/DC4O03/

https://masterlogisticsfzco.com/5CBSYC/

https://mrscanology.com/8GVHT3/

https://naroyaldiamonds.com/WZJ236/

https://nt-riccotech.com/Q4LQKN/

https://nutrivital-in.com/7DB9BC/

https://petintrip.com/QPNQSM/

https://qualitygoodsforconfectioners.com/3QLS47/

https://rastellimeeting.com/9Q4GOM/

https://schatzrestaurant.com/J2WMA6/

https://socktopiashop.com/4WYZ7I/

https://speedyrent-sa.com/AIOFB2/

https://stilesmcgraw.com/1WN2BH/

https://toubainfo.com/G1ACF0/

https://trashspringield.com/GYNH3A/

https://vaticanojoyas.com/R5Q7G4/

https://wendyllc.com/QD8490/

https://www.cureoscitystaging.com/YKUCU8/

https://www.elcomparadorseguros.com/A5FDX7/

https://www.francescocutrupi.com/WJYP89/

https://www.yitaichi.com/K7ODU6/
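The indicators above are only useful if they are actually checked against traffic and disk. The following Python script is an added example written for this page; it is not code from XLab or from FirstHackersNews. It pulls a subset of the listed hashes and URLs into lookup sets, matches the hostnames against constructed proxy-log lines, checks a file's MD5 against the sample hashes, and, for administrators of WordPress sites who want to know whether their site is being used as a relay (the article asks them to share insights), flags requests to paths shaped like the redirector paths listed above. That last heuristic rests on an assumption of mine, noted in the code: every redirector URL on the page ends in a six-character uppercase alphanumeric directory, so such a request to a path that does not exist as real content is worth a closer look, not proof of compromise. The log lines are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Sample hashes and URLs quoted from the article's IOC list (a subset is
# enough to demonstrate the matching logic; extend the sets with the rest).
WPEEPER_MD5 = {
    "3dab5a687ab46dbbd80189d727637542",  # APK
    "003577a70748ab4ed18af5aecbd0b529",  # ELF
    "32e92509bc4a5e3eb2146fe119c45f55",
}
WPEEPER_URLS = [
    "https://appflyer.co/downloads/latest/device/android/",
    "https://dn.jnipatch.com/downloads/latest/device/android",
    "https://tartarcusp.com/BZRAWE/",
    "https://www.chasinglydie.com/7V5QT0/",
    "https://4devsolutions.com/4NUAK1/",
    "https://www.yitaichi.com/K7ODU6/",
]
# Match on hostname only: the path is irrelevant for blocking the contact.
WPEEPER_HOSTS = {urlparse(u).hostname.lower() for u in WPEEPER_URLS}

# Constructed proxy log (not real traffic): timestamp, client, method, url, status.
SAMPLE_PROXY_LOG = """\
2024-04-20T10:01:02Z 10.0.0.12 GET https://www.google.com/ 200
2024-04-20T10:01:09Z 10.0.0.12 GET https://dn.jnipatch.com/downloads/latest/device/android 200
2024-04-20T10:02:15Z 10.0.0.12 POST https://WWW.Chasinglydie.com/7V5QT0/ 200
2024-04-20T10:03:44Z 10.0.0.33 GET https://example.org/index.html 200
"""


def scan_proxy_log(text):
    """Return (line_no, client, host) for each request to a known Wpeeper host."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        host = urlparse(parts[3]).hostname
        if host and host.lower() in WPEEPER_HOSTS:
            hits.append((n, parts[1], host.lower()))
    return hits


def is_known_sample(data):
    """True if the MD5 of the given APK/ELF bytes matches a listed sample hash."""
    return hashlib.md5(data).hexdigest() in WPEEPER_MD5


# Assumption (mine, from the IOC list): redirector paths are six uppercase
# letters/digits between slashes. Treat a match as a triage lead only.
REDIRECT_PATH = re.compile(r"^/[A-Z0-9]{6}/$")

# Constructed WordPress access-log lines in Apache combined format.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [20/Apr/2024:10:02:15 +0000] "POST /7V5QT0/ HTTP/1.1" 200 512 "-" "okhttp/4.9.0"
198.51.100.7 - - [20/Apr/2024:10:02:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Apr/2024:10:02:31 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_relay_paths(text):
    """Return (client_ip, path) for requests whose path looks like a redirector path."""
    found = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and REDIRECT_PATH.match(m.group(3)):
            found.append((m.group(1), m.group(3)))
    return found


if __name__ == "__main__":
    for n, client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {n}: client {client} contacted Wpeeper host {host}")
    for ip, path in suspicious_relay_paths(SAMPLE_ACCESS_LOG):
        print(f"web: {ip} requested relay-style path {path}")
    print("known sample?", is_known_sample(b"not a wpeeper sample"))
```

Hostname matching is case-insensitive because `urlparse(...).hostname` lowercases the host, which is why the mixed-case line in the constructed proxy log still matches. On a real site the path heuristic will also fire on legitimate six-character directories, so pair it with a check that the path is not served by the site's own content before raising an alert.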

About the Author:

FirstHackersNews - Identifies Security
