Is This ‘Malicious’ Android Backdoor Stealing Your Data?


Somewhat unsurprisingly, the week we saw Google’s latest “bad app” report into the staggering volume of malware blocked from its Play Store, another warning about dangerous malware sourced from other places has also hit the headlines.

The threat, dubbed Wpeeper, was reported by the team at China’s XLab, which warns that it is “a typical backdoor Trojan for Android, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands.” A fairly nasty menu of what not to have on your phone.


But the “most notable feature of Wpeeper” is not its functionality but rather its network design, “which reflects the meticulous efforts of its creators.”

Wpeeper hides its C2 behind compromised WordPress sites, which sit between the infected device and the real command and control infrastructure and so obscure its location and identity. The commands themselves are “encrypted with AES and accompanied by an elliptic curve signature to prevent takeover,” meaning that anyone who seizes one of the relay sites still cannot push their own commands to the infected devices.
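How a signature on the command stream blocks takeover of a relay, as an added illustration that is not from the page or from XLab’s analysis: the sketch below assumes a concrete scheme (AES-256-GCM for the payload, ECDSA over P-256 with SHA-256 for the signature, a digest over nonce plus ciphertext) that the report does not spell out, and the command strings, the relay model and the key handling are constructed for the example and are not Wpeeper’s actual implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope models one command as it would travel through a compromised
// WordPress relay. The relay only ever sees opaque bytes.
type Envelope struct {
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM ciphertext with its authentication tag
	Signature  []byte // ASN.1 ECDSA signature over SHA-256(Nonce || Ciphertext)
}

// signedDigest binds nonce and ciphertext under one hash so neither can be
// swapped independently (assumed construction, not the sample's).
func signedDigest(nonce, ciphertext []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ciphertext)
	return h.Sum(nil)
}

// sealCommand is the operator side: encrypt with the shared AES key, then sign
// the result with the private key that only the operator holds.
func sealCommand(aesKey []byte, signKey *ecdsa.PrivateKey, cmd string) (Envelope, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(cmd), nil)
	sig, err := ecdsa.SignASN1(rand.Reader, signKey, signedDigest(nonce, ct))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// openCommand is the implant side: verify the signature first with the public
// key baked into the APK, and only then decrypt. The AES key is also in the
// APK, so anyone who reverses the sample has it; the private signing key is
// not, which is what stops a hijacked relay from issuing commands.
func openCommand(aesKey []byte, verifyKey *ecdsa.PublicKey, env Envelope) (string, error) {
	if !ecdsa.VerifyASN1(verifyKey, signedDigest(env.Nonce, env.Ciphertext), env.Signature) {
		return "", errors.New("rejected: signature not from the operator key")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("rejected: %w", err)
	}
	return string(pt), nil
}

// RunScenario plays out three deliveries through the relay and reports what the
// implant accepted or rejected: a genuine command, a command forged by someone
// who seized the relay and has the AES key but not the signing key, and a
// genuine envelope whose ciphertext was altered in transit.
func RunScenario() (accepted string, forgedErr, tamperedErr error, err error) {
	aesKey := make([]byte, 32) // constructed AES-256 key; in a real sample it would be recovered from the APK
	if _, err = io.ReadFull(rand.Reader, aesKey); err != nil {
		return
	}
	operatorKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// 1. Genuine command (hypothetical command name, not one of the 13 in the report).
	env, err := sealCommand(aesKey, operatorKey, "collect_device_info")
	if err != nil {
		return
	}
	if accepted, err = openCommand(aesKey, &operatorKey.PublicKey, env); err != nil {
		return
	}
	// 2. Takeover attempt: the relay's new owner signs with their own key.
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	forged, err := sealCommand(aesKey, attackerKey, "exec_shell")
	if err != nil {
		return
	}
	_, forgedErr = openCommand(aesKey, &operatorKey.PublicKey, forged)
	// 3. Tampering: flip one ciphertext byte of the genuine envelope.
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperedErr = openCommand(aesKey, &operatorKey.PublicKey, tampered)
	return
}

func main() {
	accepted, forgedErr, tamperedErr, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine command accepted:", accepted)
	fmt.Println("forged command:", forgedErr)
	fmt.Println("tampered command:", tamperedErr)
}
```

The practical consequence for defenders is the asymmetry the example makes visible: the AES key has to live in the APK and can be extracted, but the signing key never leaves the operator, so taking over or sinkholing the WordPress relays lets you observe and block traffic without being able to command the infected devices.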

The researchers found 13 commands within Wpeeper, listed below:

Not only does all this indicate a frightening level of sophistication, but Wpeeper ceased its activities just days after discovery, either to hamper security efforts to track down its origins or to give its existing infected install base room to operate.

“Perhaps,” suggests XLab’s team, “the repackaged APKs served as downloaders for the Wpeeper backdoor, successfully evading antivirus detection. However, as long as there is network activity, there’s a chance of detection.”

It’s with this in mind that the team says “it might be strategically better to voluntarily stop network services, allowing the APKs to maintain their ‘innocent’ status in the eyes of antivirus software, increase their installation numbers, and only then reveal Wpeeper’s true capabilities.”

Wpeeper highlights the risks in sourcing apps from third-party stores. The malware “originated from repackaged applications in the UPtodown Store, where attackers embedded a small code snippet into regular APKs to…
