Android Malware Wpeeper Utilizes Compromised WordPress Sites To Conceal C2 Servers

Android Malware Wpeeper Utilizes Compromised WordPress Sites To Conceal C2 Servers

Published on May 9th, 2024

Cybersecurity analysts have unearthed a previously undisclosed strain of malware targeting Android devices, utilizing compromised WordPress sites as intermediaries for its command-and-control (C2) servers to evade detection.

Named Wpeeper, this malware operates as an ELF binary and employs the HTTPS protocol to encrypt its C2 communications.

According to researchers at the QiAnXin XLab team, Wpeeper functions as a typical backdoor Trojan for Android systems.

It encompasses various functionalities such as gathering sensitive device data, managing files and directories, transferring files to and from the device, and executing commands remotely.

The ELF binary is concealed within a repackaged application masquerading as the UPtodown App Store app for Android (package name “com.uptodown”).

The APK file, acting as a delivery mechanism for the backdoor, effectively bypasses detection measures.

The Chinese cybersecurity firm stumbled upon this malware after spotting a Wpeeper artifact with zero detection on the VirusTotal platform on April 18, 2024. However, the campaign abruptly ceased four days later.

The choice of utilizing the Uptodown App Store app for the campaign hints at an endeavor to camouflage the malicious activity under the guise of a legitimate third-party app marketplace, luring unsuspecting users into its trap.

Records from reveal that the trojanized version of the app (5.92) has been downloaded 2,609 times so far.

Wpeeper operates on a multi-tier C2 architecture employing infected WordPress sites as intermediaries to obfuscate the actual C2 servers.

The infrastructure comprises 45 C2 servers, with nine of them hardcoded into the samples to dynamically update the C2 list.

“These hardcoded servers act as C2 redirectors, forwarding the bot’s requests to the actual C2 to shield it from detection,” elucidated the researchers.

This setup also raises concerns regarding potential control over some of the hardcoded servers, posing a risk of losing access to the botnet if WordPress site administrators identify the compromise and intervene.

Commands fetched from the C2 server grant the malware the ability to gather device and file information, list installed applications, update the C2 server, download and execute additional payloads from the C2 server or a specified URL, and self-terminate.

The specific objectives and scale of the campaign remain undisclosed. However, there are suspicions that this stealthy approach might have been adopted to inflate installation figures initially and subsequently unveil the malware’s capabilities.

To mitigate the threats posed by such malware, it is advisable to exclusively download apps from reputable sources, and carefully scrutinize app reviews and permissions before installation.


Following the dissemination of the report, a Google representative issued a statement affirming that no apps harboring this malware were found on Google Play.

Android users are shielded against known versions of this malware by default through Google Play Protect, which can alert or block apps exhibiting malicious behavior, even if sourced from outside the Play Store.