Father
The popular app store has become a tool for secretive cybercriminals.
QAXLAB specialists have identified a new Android malware family, the Wpeeper backdoor, which is distributed via APKs from unofficial app stores disguised as the popular alternative Uptodown store (more than 220 million downloads).
Wpeeper is notable for its unusual tactic of using compromised WordPress sites as intermediate relays in front of its C2 servers, a mechanism for evading detection.
According to Google and Passive DNS data, Wpeeper had already infected thousands of devices by the time it was discovered, but the actual scale of the operation remains unknown. The malware was detected on April 18, and on April 22 its activity suddenly stopped, presumably a deliberate decision to lie low and avoid detection by analysts and automated systems.
Technical side of the virus
The malware uses a layered communication scheme with its C2 servers: compromised WordPress sites act as relays that forward traffic, which makes it difficult to trace the real control servers. Commands sent to infected devices are encrypted and signed using elliptic-curve cryptography, so anyone who intercepts them can neither read nor forge them.
Wpeeper's main functionality is data theft, driven by a set of 13 commands that, among other things, collect detailed information about the infected device, manage the list of installed applications, download and execute files, and update or remove the malware itself.
Security measures
The Wpeeper operators and their motives remain unknown, but potential risks include account hijacking, network penetration, intelligence gathering, identity theft, and financial fraud.
To minimize the risks associated with such threats, we recommend installing apps only from the official Google Play store and keeping the built-in Play Protect anti-malware tool enabled.
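The signed-and-encrypted command channel described in the post is worth seeing in code, because it explains a practical consequence for defenders: even if you seize one of the WordPress relays, or extract every key embedded in the APK, you still cannot push an "uninstall" command to the bots. The Go program below is an added example written for this page, not Wpeeper's own code; the envelope format (AES-GCM nonce and ciphertext plus an ECDSA P-256 signature over the plaintext), the shared session key, and the JSON command strings are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrReject is returned for any envelope the bot refuses to act on.
var ErrReject = errors.New("command rejected")

// Envelope is a constructed wire format for this example (not Wpeeper's real
// one): AES-GCM nonce and ciphertext of the command, plus an ECDSA signature
// over the SHA-256 digest of the plaintext command.
type Envelope struct {
	Nonce, Ciphertext, Signature []byte
}

// Operator holds the long-term signing key (never shipped in the APK) and the
// symmetric session key. Bot (the implant) holds only the public key and the
// session key, which is what an analyst could recover from the APK.
type Operator struct {
	signKey *ecdsa.PrivateKey
	aead    cipher.AEAD
}
type Bot struct {
	verifyKey *ecdsa.PublicKey
	aead      cipher.AEAD
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewPair generates a fresh P-256 signing key and a random 256-bit session
// key and returns an operator plus a bot that trusts it.
func NewPair() (*Operator, *Bot, error) {
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return nil, nil, err
	}
	aead, err := newAEAD(session)
	if err != nil {
		return nil, nil, err
	}
	return &Operator{signKey: sk, aead: aead}, &Bot{verifyKey: &sk.PublicKey, aead: aead}, nil
}

// Issue signs the command, then encrypts it under the session key.
func (o *Operator) Issue(cmd []byte) (*Envelope, error) {
	digest := sha256.Sum256(cmd)
	sig, err := ecdsa.SignASN1(rand.Reader, o.signKey, digest[:])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, o.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: o.aead.Seal(nil, nonce, cmd, nil), Signature: sig}, nil
}

// Accept decrypts and verifies; anything failing either step is dropped.
func (b *Bot) Accept(env *Envelope) ([]byte, error) {
	cmd, err := b.aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%w: decryption/authentication failed", ErrReject)
	}
	digest := sha256.Sum256(cmd)
	if !ecdsa.VerifyASN1(b.verifyKey, digest[:], env.Signature) {
		return nil, fmt.Errorf("%w: bad signature", ErrReject)
	}
	return cmd, nil
}

// Outcome records how the bot treated a genuine, a corrupted and a forged envelope.
type Outcome struct{ Genuine, Corrupted, Forged error }

// Scenario runs the three cases a defender cares about.
func Scenario() (Outcome, error) {
	var out Outcome
	op, bot, err := NewPair()
	if err != nil {
		return out, err
	}
	env, err := op.Issue([]byte(`{"cmd":"list_apps"}`)) // constructed command
	if err != nil {
		return out, err
	}
	_, out.Genuine = bot.Accept(env) // 1. delivered untouched by the relay

	corrupted := *env // 2. a relay or MITM flips one ciphertext byte: GCM fails
	corrupted.Ciphertext = append([]byte(nil), env.Ciphertext...)
	corrupted.Ciphertext[0] ^= 0x01
	_, out.Corrupted = bot.Accept(&corrupted)

	// 3. someone holding the session key (extracted from the APK) re-encrypts a
	// replacement command but can only reuse the old signature: ECDSA fails.
	nonce := make([]byte, bot.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return out, err
	}
	forged := &Envelope{Nonce: nonce, Ciphertext: bot.aead.Seal(nil, nonce, []byte(`{"cmd":"uninstall"}`), nil), Signature: env.Signature}
	_, out.Forged = bot.Accept(forged)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", out.Genuine, "| corrupted:", out.Corrupted, "| forged:", out.Forged)
}
```

The relay sites never see plaintext and cannot alter ciphertext without breaking GCM authentication, which is why the operators can afford to route through untrusted, compromised WordPress hosts. The signature check is the part that matters for takedowns: the private signing key stays with the operators, so neither a sinkholed relay nor the keys recoverable from the APK are enough to issue a remote uninstall.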