‘TimpDoor’ Malware Turns Android Devices into Proxies

A newly discovered piece of Android malware creates a SOCKS proxy on infected devices, potentially allowing access to internal networks, McAfee reports.

Dubbed TimpDoor, the threat is distributed through phishing text messages that attempt to trick users into installing a fake voice message app. As soon as the app is installed, however, a background service starts a SOCKS proxy to “redirect all network traffic from a third-party server via an encrypted connection through a secure shell tunnel.”

Not only do infected devices serve as backdoors, but the attackers could also abuse a network of compromised devices to send spam and phishing emails, perform ad click fraud, or launch distributed denial-of-service (DDoS) attacks, McAfee’s security researchers say.

The researchers believe the earliest malware variant appeared in March and the latest at the end of August. The malware apparently infected at least 5,000 devices in a campaign targeting users in the United States since at least the end of March.

The phishing SMS messages inform the user they have two voice messages they need to review and also present them with a URL to follow. If the user clicks on the link, a fake web page is displayed, asking them to install an application to listen to the voice messages.

After installation, the fake app offers to render the voice messages, but hides its icon from the home screen as soon as the user completes this operation. In the background, however, a service is started without the user’s knowledge.

Next, the malware gathers a broad range of information, such as device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. It then opens a secure shell (SSH) connection to the control server and sends the device ID to receive an assigned remote port, which it later uses for remote port forwarding; it also keeps the SSH connection alive.
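As an added example (not from the article or from McAfee's report), the following Python hunting script flags handsets holding long-lived outbound SSH sessions to hosts outside an allowlist, which is the network-side footprint of the kept-alive tunnel described above; the flow records, the device naming convention and the allowlist are constructed assumptions.

```python
"""Flag handsets holding long-lived outbound SSH sessions (constructed data)."""
import csv
import io
from datetime import datetime

# Constructed flow records, not output from any real sensor. Columns follow
# a generic NetFlow-style export; device names are an assumed convention.
SAMPLE_FLOWS = """\
device,src_ip,dst_ip,dst_port,proto,start,end,bytes_out
phone-01,10.20.0.11,203.0.113.45,22,tcp,2018-09-01T08:00:00,2018-09-01T13:45:00,91000
phone-02,10.20.0.12,203.0.113.9,443,tcp,2018-09-01T08:01:00,2018-09-01T08:01:04,5200
phone-03,10.20.0.13,192.0.2.30,22,tcp,2018-09-01T09:10:00,2018-09-01T09:10:30,2100
phone-01,10.20.0.11,203.0.113.45,22,tcp,2018-09-01T14:00:00,2018-09-01T20:30:00,120500
laptop-07,10.20.1.5,192.0.2.30,22,tcp,2018-09-01T09:00:00,2018-09-01T12:00:00,400000
"""

SSH_ALLOWLIST = {"192.0.2.30"}  # assumed: hosts where outbound SSH is expected
MOBILE_PREFIX = "phone-"        # assumed: naming convention for handsets


def parse_flows(text):
    """Parse CSV flow records into dicts with datetime start/end and int port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def flag_persistent_ssh(flows, min_seconds=3600):
    """Return {device: total seconds} for handsets whose outbound TCP/22
    sessions to non-allowlisted hosts each last at least min_seconds.
    A phone is rarely an SSH client; hours-long sessions match the
    keep-alive behaviour the report describes."""
    totals = {}
    for f in flows:
        if f["proto"] != "tcp" or f["dst_port"] != 22:
            continue
        if f["dst_ip"] in SSH_ALLOWLIST or not f["device"].startswith(MOBILE_PREFIX):
            continue
        duration = (f["end"] - f["start"]).total_seconds()
        if duration >= min_seconds:
            totals[f["device"]] = totals.get(f["device"], 0.0) + duration
    return totals


if __name__ == "__main__":
    for device, seconds in flag_persistent_ssh(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{device}: {seconds / 3600:.2f} h of outbound SSH to unexpected hosts")
```

Tune `min_seconds` and the allowlist to the environment; a short SSH session from a phone to an admin host is normal, while one held open for most of a working day to an unknown address is worth a look.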

At the same IP address that hosted the fake voice application, the researchers found more APK files, which revealed that earlier versions of the malware used an HTTP proxy (LittleProxy), while newer ones switched to a SOCKS proxy (MicroSocks). The package name and control server URLs also changed.

TimpDoor, however, is not the first Android malware to turn devices into mobile proxies. MilkyDoor, an apparent successor of DressCode, was discovered last year with similar capabilities. While DressCode only installs a SOCKS proxy on the infected device, MilkyDoor also uses port forwarding via SSH, the same as TimpDoor.

However, there are numerous differences between TimpDoor and MilkyDoor, ranging from distribution (SMS phishing versus Google Play), to the SSH connection and proxy functionality. The older threat appears to be a more complete SDK, while the newer malware only has basic proxy functionality.

“TimpDoor is the latest example of Android malware that turns devices into mobile backdoors—potentially allowing cybercriminals encrypted access to internal networks, which represents a great risk to companies and their systems. The versions found on the distribution server and the simple proxy functionality implemented in them shows that this threat is probably still under development,” McAfee concludes.

Related: DressCode Malware Infects 400 Apps in Google Play

Related: Red Alert Android Trojan for Rent at $500 Per Month

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
