Apple's New MacBook Disconnects Microphone "Physically" When Lid is Closed

October 31, 2018, Mohit Kumar

Apple introduces a new privacy feature for all new MacBooks that "at some extent" will prevent hackers and malicious applications from eavesdropping on your conversations. Apple's custom T2 security chip in the latest MacBooks includes a new hardware feature that physically disconnects the MacBook's built-in microphone whenever the user closes the lid, the company revealed yesterday at its event at the Brooklyn Academy of Music in New York.

Though the new T2 chip is already present in the 2018 MacBook Pro models launched earlier this year, this new feature got unveiled when Apple launched the new Retina MacBook Air and published a full security guide for T2 Chip yesterday.

"This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed,...

TimpDoor Android malware turning devices into hidden proxies

Android users in North America are the current target of TimpDoor malware.

The McAfee Mobile Research team has identified an active phishing campaign that uses SMS messages to trick users into downloading and installing TimpDoor, an Android malware app. It is a fake voice-message app that allows attackers to infect devices and use them as network proxies without raising suspicion.


Once TimpDoor is installed, a Socks proxy service is started in the background. It redirects all network traffic from a third-party server through an encrypted connection carried over a secure shell tunnel. This gives attackers access to internal networks while evading network security controls such as network monitors and firewalls.
TimpDoor, McAfee researchers say, is a malicious APK presented as a voice application. This app can easily circumvent the security measures of Google’s Play Store. However, the attackers aren’t hosting the Android malware in the app repository; instead, it is distributed through text messages that contain a link to the app. After invading the system, TimpDoor can convert infected devices into mobile backdoors in order to compromise home and corporate networks. Some other probable outcomes of this fake app, identified by McAfee researchers in their report, include:
“Worse, a network of compromised devices could also be used for more profitable purposes such as sending spam and phishing emails, performing ad click fraud, or launching distributed denial-of-service attacks,” wrote Carlos Castillo of McAfee in his blog post.
The campaign has been active since late March, and Android users in the US are its key targets. The strange SMS messages inform recipients that they have two voice messages to “review” and that they need to click on an embedded link to access them.
Researchers believe that so far this campaign has claimed 5,000 devices in the US. A remote server is used to host the fake app, which is designed to appear genuine. They noted that everything about the app is fake apart from the buttons that play the audio files:
“Everything on the main screen is fake. The Recents, Saved, and Archive icons have no functionality. The only buttons that work play the fake audio files. The duration of the voice messages does not correspond with the length of the audio files and the phone numbers are fake, present in the resources of the app.”


When the user has listened to the fake messages and closed the app, the icon remains active in the background but is not visible on the home screen. This makes it difficult to remove the app. The Socks service also works secretly and collects crucial device data including brand, device ID, OS version, connection type, mobile carrier, model, and public or local IP address.
Service running in the background. – The main interface of the fake voice messages app. (Image credit: McAfee)
Using a free geolocation service, the Android malware can also acquire the country, region, ISP, city, and latitude/longitude. Afterward, a secure shell (SSH) connection is initiated to the control server to obtain the remote port, which is then used for remote port forwarding, with the device acting as a local Socks proxy server.
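A defender-side sketch of the sequence described above, added here as an example and not taken from McAfee's report: it flags devices whose flow records show a geolocation lookup followed shortly by a long-lived outbound SSH session. The record layout, host names, addresses, port 22 and the thresholds are all assumptions, and the sample records are constructed.

```python
# Constructed flow records (illustrative, not from the McAfee report):
# (epoch_seconds, device, destination, dest_port, duration_seconds)
FLOWS = [
    (1000, "phone-a", "geo.example", 80, 1),       # geolocation lookup
    (1004, "phone-a", "198.51.100.7", 22, 5400),   # long SSH right after it
    (1010, "phone-b", "geo.example", 80, 1),       # lookup only
    (1500, "phone-c", "198.51.100.9", 22, 40),     # short SSH session
    (2000, "phone-d", "198.51.100.7", 22, 7200),   # long SSH, no lookup seen
    (3000, "phone-e", "geo.example", 80, 1),
    (3500, "phone-e", "198.51.100.9", 22, 900),    # long SSH, lookup too old
]

GEO_HOSTS = {"geo.example"}  # assumption: locally maintained list of geolocation services
SSH_PORT = 22                # assumption: the tunnel uses the default SSH port
WINDOW = 60                  # assumption: max seconds between lookup and SSH start
MIN_TUNNEL_SECS = 600        # assumption: shorter sessions are treated as interactive


def classify(flows, geo_hosts=GEO_HOSTS, window=WINDOW, min_secs=MIN_TUNNEL_SECS):
    """Return {device: (severity, ssh_destination)}.

    "high": a long-lived SSH session started within `window` seconds of a
    geolocation lookup from the same device. "medium": a long-lived SSH
    session from a device with no recent lookup.
    """
    last_geo = {}   # device -> time of its most recent geolocation lookup
    findings = {}
    for ts, dev, dest, port, dur in sorted(flows):
        if dest in geo_hosts:
            last_geo[dev] = ts
            continue
        if port != SSH_PORT or dur < min_secs:
            continue
        seen = last_geo.get(dev)
        level = "high" if seen is not None and ts - seen <= window else "medium"
        # Never downgrade a device that already has a high-severity finding.
        if findings.get(dev, ("", ""))[0] != "high":
            findings[dev] = (level, dest)
    return findings


if __name__ == "__main__":
    for device, (severity, dest) in sorted(classify(FLOWS).items()):
        print(f"{device}: {severity} (SSH to {dest})")
```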
Researchers acknowledge that TimpDoor, although not unique, does prove that Android malware can easily convert devices into mobile backdoors that let cybercriminals access internal networks. The threat is still in its developmental stages, but it is expected to evolve into new variants soon.