A newly discovered piece of Android malware creates a Socks proxy on infected devices, potentially allowing access to internal networks, McAfee reports.
Dubbed TimpDoor, the threat is distributed through phishing text messages that attempt to trick users into installing a fake voice message app. As soon as the app is installed, however, a background service starts a Socks proxy to “redirect all network traffic from a third-party server via an encrypted connection through a secure shell tunnel.”
Not only do infected devices serve as backdoors, but the attackers could also abuse a network of compromised devices to send spam and phishing emails, perform ad click fraud, or launch distributed denial-of-service (DDoS) attacks, McAfee’s security researchers say.
The earliest malware variant was available in March, while the latest at the end of August, the researchers believe. The malware apparently infected at least 5,000 devices in a campaign targeting users in the United States since at least the end of March.
The phishing SMS messages inform the user they have two voice messages they need to review and also present them with a URL to follow. If the user clicks on the link, a fake web page is displayed, asking them to install an application to listen to the voice messages.
After installation, the fake app offers to render the voice messages, but hides its icon from the home screen as soon as the user completes this operation. In the background, however, a service is started without the user’s knowledge.
Next, the malware gathers a broad range of information, such as device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. Afterwards, it starts a secure shell (SSH) connection to the control server and sends the device ID to receive an assigned remote port it would later use for remote port forwarding, and also ensures that the SSH connection is kept alive.
At the same IP address that hosted the fake voice application, the researchers found more APK files, which revealed that earlier versions of the malware used an HTTP proxy (LittleProxy), while newer ones switched to a Socks proxy (MicroSocks). The package name and control server URLs also changed.
TimpDoor, however, is not the first Android malware to turn devices into mobile proxies. MilkyDoor, an apparent successor of DressCode, was discovered last year with similar capabilities. While DressCode only installs a Socks proxy on the infected device, MilkyDoor also uses port forwarding via SSH, the same as TimpDoor.
However, there are numerous differences between TimpDoor and MilkyDoor, ranging from distribution (SMS phishing versus Google Play), to the SSH connection and proxy functionality. The older threat appears to be a more complete SDK, while the newer malware only has basic proxy functionality.
“TimpDoor is the latest example of Android malware that turns devices into mobile backdoors—potentially allowing cybercriminals encrypted access to internal networks, which represents a great risk to companies and their systems. The versions found on the distribution server and the simple proxy functionality implemented in them shows that this threat is probably still under development,” McAfee concludes.