Beware of New Android Trojan That Executes Malicious Commands on Your Phone

Cybersecurity researchers at XLab have uncovered a new Android malware strain called “Wpeeper.”

This sophisticated backdoor Trojan has been designed to infiltrate Android systems and execute a wide range of malicious commands, posing a significant threat to unsuspecting users.

Wpeeper’s distribution strategy is particularly cunning.

The malware is being distributed through repackaged applications on the UPtodown app store, a popular third-party platform similar to Google Play.

By embedding a small code snippet into regular APKs, the attackers have managed to bypass antivirus detection.

The modified APKs currently show zero detections on VirusTotal.

The malware’s network operations are equally sophisticated, featuring a multi-level command-and-control (C2) architecture that relies on compromised WordPress sites as relay servers.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

This approach effectively conceals the true C2 server, making it more challenging for security researchers and authorities to track and disrupt the operation.

Extensive Capabilities and Encrypted Commands

Wpeeper is a typical backdoor Trojan for Android systems, supporting many malicious functions.

These include collecting sensitive device information, managing files and directories, uploading and downloading data, and executing arbitrary commands on the infected device.

The most notable feature of Wpeeper is its use of encryption and digital signatures to protect its network traffic and commands.

All communications between the malware and the C2 servers are encrypted using AES, and an elliptic curve signature accompanies the commands to prevent unauthorized takeover or tampering.

Abrupt Halt and Potential Larger Scheme

Researchers at XLab have been closely monitoring Wpeeper’s activities and observed an abrupt halt in the campaign on April 22.


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The C2 servers and downloaders suddenly stopped providing services, leading the researchers to suspect that this could be part of a larger strategic move by the attackers.

One possible explanation is that the attackers may have intentionally stopped the network activity to allow the repackaged APKs to maintain their “innocent” status in the eyes of antivirus software.

APK file info
APK file info

This could enable the malware to increase its installation numbers and reveal its true capabilities later, potentially catching security teams off guard.

While XLab does not have direct data on the Wpeeper distribution scale, their analysis of Google and Passive DNS (PDNS) results suggests that the infection is at the thousand level without widespread propagation.

Downloader's PDNS
Downloader’s PDNS

However, the researchers emphasize that the threat remains ongoing, as the relevant samples continue to evade detection by security firms.wpeeper_google.png

Detailed Analysis of Wpeeper’s Functionality

The researchers have thoroughly analyzed Wpeeper’s functionality, shedding light on its inner workings.

Family: Wpeeper

MD5: 8e28f482dab8c52864b0a73c3c5c7337

Magic: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /system/bin/linker64, BuildID[sha1]=9fa32612558fab9480496f6b31fa5426ae8885d4, stripped

Packer: None

Obtaining Command-and-Control Servers

Wpeeper uses two methods to populate its list of C2 servers.

The first is by decoding the embedded C2 servers within the malware sample, while the second is by reading and decrypting the “store.lock” file, which contains additional C2 server information and other configuration data.

Considering a store.lock generated after Wpeeper has run on a test device for some time
Considering a store.lock generated after Wpeeper has run on a test device for some time

Wpeeper employs the libcurl library to construct POST requests for communicating with the C2 servers.

The malware uses the Cookie and Session fields in the HTTP headers to differentiate between different types of requests, such as beacons, command requests, and result uploads.

struct c2info


uint32 lenOfC2;

char[lenOfC2] C2s;

uint32 lenOfCookie;

char[lenOfCookie] cookie;

uint32 flag;

uint32 id;

uint32 flag;

uint32 interval;


The network traffic is further protected by the use of AES encryption and elliptic curve digital signatures, ensuring the integrity and confidentiality of the communications.

Command Execution and Supported Functionalities

Wpeeper supports 13 different commands, ranging from collecting device information and package lists to downloading and executing arbitrary files.

1collect device info
2collect pkg list
3update c2
4set interval
5update pubkey
7collect arbitrary file info
8collect arbitrary dir info
9exec arbitrary cmd via shell
10download from C2 , then exec
11update and exec
13download from arbitrary URL, then exec

The researchers have provided detailed information on the various commands and their corresponding functionalities.

Through their command tracking and analysis, the researchers have gained valuable insights into the attackers’ tactics and the overall structure of the Wpeeper operation.

The researchers have identified 45 C2 servers used by Wpeeper, most of which are compromised WordPress sites serving as C2 redirectors.

This multi-layered approach helps shield the true C2 server from detection while also introducing potential reliability issues if the compromised sites are discovered and taken down.

Among the nine hardcoded C2 servers, the researchers believe that one,, is likely owned by the attackers themselves, providing an additional layer of control and resilience to the operation.

The researchers at XLab have provided a comprehensive overview of the Wpeeper Android Trojan, highlighting its sophisticated design, extensive capabilities, and the potential larger scheme behind the attackers’ actions.

They emphasize the ongoing nature of the threat and invite peers with unique perspectives and administrators of affected websites to provide further clues and insights.

As the cybersecurity landscape continues to evolve, users, security professionals, and researchers must remain vigilant and collaborate in the fight against emerging threats like Wpeeper.

By sharing information and working together, the security community can better protect Android users from the dangers posed by this sophisticated malware.










C2 Redirectors




Combat Sophisticated Email Threats With AI-Powered Email Security Tool -> Try Free Demo 

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.