Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

Wpeeper Android Trojan Uses Compromised WordPress Sites to Shield Command-and-Control Server

The new Wpeeper Android trojan ceased operations after a week and has zero detections in VirusTotal.

Android security

Chinese cybersecurity firm QAX XLab has uncovered a new Android trojan that hides its true command-and-control (C&C) server behind a series of compromised WordPress sites.

Dubbed Wpeeper, the malware has the typical functionality of an Android trojan, such as information collection, file and directory management, file download and upload, and command execution.

However, the malware stands out due to its use of a multi-level C&C infrastructure, where hacked WordPress websites are used to redirect communication to the real C&C server.

Furthermore, QAX XLab says, the malware uses HTTPS for communication, encrypts commands and uses an elliptic signature to prevent their takeover, and uses the Session field to differentiate requests.

A sample of the trojan was initially uploaded to VirusTotal on April 17, but its activity abruptly ceased on April 22, when the malware received a command to delete itself.

In that timeframe, however, QAX XLab identified dozens of C&C domains associated with the threat, which was being distributed via repackaged applications in the third-party Android application store UPtodown Store, which served as downloaders.

“The final command, with function number 12, was to delete itself. Initially, we thought our command tracking had been exposed, but changing tracking IPs proved ineffective; subsequently, the downloader also ceased providing sample downloads. The entire campaign seemed to have been abruptly halted,” QAX XLab notes.

Because the APKs fetching Wpeeper were not flagged as malicious, the abrupt halt in activity could suggest that the threat actor may be waiting for the downloaders to gain more popularity before pushing the trojan to user devices again.

Advertisement. Scroll to continue reading.

According to QAX XLab, the malware has likely infected at least several thousands of devices, with the repackaged APKs continuing to be downloaded.

Before its abrupt disappearance, Wpeeper was seen using 45 C&C servers, most of which begin compromised WordPress sites acting as redirectors, forwarding bot requests, and hiding the real C&C.

The malware includes a list of hardcoded C&Cs, with at least one of them being a server operated by the attackers.

“The encryption, signature verification, C2 Redirectors, and other mechanisms employed by Wpeeper all reflect the creators’ professional proficiency. Even its current mysterious ‘silence’ could likely be part of their attack strategy, aiming to enter the AI learning sample set of antivirus software as a trusted entity,” QAX XLab said.

Related: Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices

Related: ‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities

Related: Anatsa Android Banking Trojan Continues to Spread via Google Play

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights