Network Security, Malware, Endpoint/Device Security

Novel Wpeeper Android malware examined


BleepingComputer reports that hacked WordPress sites have been used as relay command-and-control (C2) servers by the novel Wpeeper Android malware, which has been distributed through a pair of app stores impersonating the Uptodown App Store and is believed to have already compromised thousands of Android devices.

Routing C2 traffic through breached WordPress sites spread across different hosts and locations lets Wpeeper hide the addresses of its real C2 servers and makes the infrastructure more resilient to disruption or takedown, since the relays rather than the backend are what defenders see, according to a report from QAX's XLab team.

Beyond collecting extensive information about a compromised device and a list of its installed apps, Wpeeper can receive new C2 server addresses and a new public key for verifying command signatures, and can adjust how often it contacts the C2 server. The researchers said the malware can also download arbitrary files, retrieve information about specific files, execute commands, and update or delete itself. Its activity stopped on April 22, which the researchers believe was the attackers choosing to keep the operation hidden.
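The two design points above, signed commands and operator-pushed rotation of relays and verification key, are what make a relay-based C2 hard to disrupt: seizing a compromised WordPress relay does not let a defender inject a self-delete or redirect the bots. The following Go program is an added illustration of that pattern, not code from Wpeeper, XLab or BleepingComputer. The JSON wire format, the `update_c2`/`delete` command names, the sequence-number replay check and the relay URLs are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Command is the wire format assumed for this example (Wpeeper's real
// protocol is not reproduced here). Seq is an assumed anti-replay counter.
type Command struct {
	Type   string   `json:"type"`
	Seq    uint64   `json:"seq"`
	Relays []string `json:"relays,omitempty"`
	PubKey []byte   `json:"pubkey,omitempty"`
}

// Envelope is what a relay forwards verbatim; the relay never holds a key.
type Envelope struct {
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

// Bot models the implant-side state the article describes: the current
// relay addresses and the public key used to verify operator commands.
type Bot struct {
	Relays   []string
	TrustKey ed25519.PublicKey
	LastSeq  uint64
	Actions  []string
}

// SignCommand is the operator side: only the holder of priv can produce an
// envelope the bot accepts, regardless of which relay carries it.
func SignCommand(priv ed25519.PrivateKey, c Command) (Envelope, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Handle is the bot side. The signature is checked before the payload is
// parsed, so a seized relay can neither alter nor inject commands.
func (b *Bot) Handle(env Envelope) error {
	if !ed25519.Verify(b.TrustKey, env.Payload, env.Sig) {
		return errors.New("signature check failed: command dropped")
	}
	var c Command
	if err := json.Unmarshal(env.Payload, &c); err != nil {
		return err
	}
	if c.Seq <= b.LastSeq {
		return errors.New("stale sequence number: replay dropped")
	}
	switch c.Type {
	case "update_c2":
		// Rotation of relays and verification key, as the article notes
		// Wpeeper supports; the new key takes effect only via a command
		// signed under the old one.
		if len(c.PubKey) != ed25519.PublicKeySize || len(c.Relays) == 0 {
			return errors.New("malformed update_c2 command")
		}
		b.Relays = c.Relays
		b.TrustKey = ed25519.PublicKey(c.PubKey)
	case "delete":
		b.Actions = append(b.Actions, "self-delete")
	default:
		return fmt.Errorf("unknown command type %q", c.Type)
	}
	b.LastSeq = c.Seq
	return nil
}

// Demo runs the scenario: the operator rotates key and relays, a party that
// has seized a relay forges a delete, then the genuine operator deletes.
func Demo() (rotated bool, forgeryRejected bool, err error) {
	opPub, opPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed relay URL; not a real indicator.
	bot := &Bot{Relays: []string{"https://relay1.example/wp-content/r.php"}, TrustKey: opPub}

	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	update, err := SignCommand(opPriv, Command{Type: "update_c2", Seq: 1,
		Relays: []string{"https://relay2.example/r.php", "https://relay3.example/r.php"},
		PubKey: newPub})
	if err != nil {
		return false, false, err
	}
	if err := bot.Handle(update); err != nil {
		return false, false, err
	}
	rotated = bot.TrustKey.Equal(newPub) && len(bot.Relays) == 2

	// Whoever now controls relay2 only has their own key pair.
	_, seizedPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignCommand(seizedPriv, Command{Type: "delete", Seq: 2})
	forgeryRejected = bot.Handle(forged) != nil && len(bot.Actions) == 0

	genuine, _ := SignCommand(newPriv, Command{Type: "delete", Seq: 2})
	if err := bot.Handle(genuine); err != nil {
		return rotated, forgeryRejected, err
	}
	return rotated, forgeryRejected, nil
}

func main() {
	rotated, rejected, err := Demo()
	fmt.Println("rotated:", rotated, "forgery rejected:", rejected, "err:", err)
}
```

The practical consequence for responders is that cleaning or sinkholing the WordPress relays interrupts traffic but does not give control of the bots; the verification key lives in the implant and the operator can re-point survivors at fresh relays with one signed command.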
