New Android malware creates a Socks proxy on infected devices, potentially allowing access to internal networks, researchers said in a report.
TimpDoor is distributed through phishing text messages that trick users into installing a fake voice-message app, said researchers at McAfee.
“If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors,” said McAfee researcher Carlos Castillo in a post.
Not only do infected devices serve as backdoors, but the attackers could also abuse a network of compromised devices to send spam and phishing emails, perform ad click fraud, or launch distributed denial-of-service (DDoS) attacks, Castillo said.
The malware first appeared in March and was still operating through the end of August, researchers said. It infected at least 5,000 devices in a campaign targeting users in the United States.
The phishing SMS messages inform the user they have two voice messages they need to review and also present them with a URL to follow. If the user clicks on the link, a fake web page is displayed, asking them to install an application to listen to the voice messages.
After installation, the fake app offers to render the voice messages, but hides its icon from the home screen as soon as the user completes this operation. In the background, however, a service is started without the user’s knowledge.
The malware then gathers a broad range of information, such as device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. It then starts a secure shell (SSH) connection to the control server and sends the device ID to receive an assigned remote port it would later use for remote port forwarding, and also ensures the SSH connection is kept alive.
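The behaviour described above gives a defender two network-side signals to correlate: a phone holding a long-lived outbound SSH session (the kept-alive control channel), and that same phone then opening connections to many internal hosts it would normally never talk to (the traffic the proxy relays into the network). The following is an added example, not code from McAfee's report or from TimpDoor itself: a small Python analyzer that runs those two checks over constructed flow records. The subnet ranges, thresholds, field layout and every address in the sample data are assumptions chosen for illustration.

```python
"""Flag mobile devices whose flows match the pattern in the article:
a long-lived outbound SSH session plus fan-out into internal hosts.

All sample records, subnets and thresholds below are constructed
assumptions for this example, not values from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    duration_s: int   # how long the session stayed open
    bytes_out: int
    bytes_in: int


# Constructed sample flow records (not real telemetry). RFC 5737 test
# addresses stand in for external hosts; 10.x is an assumed corporate network.
SAMPLE_FLOWS = [
    # 10.20.5.17: 15-hour SSH session to an outside host, then six internal targets
    Flow("10.20.5.17", "198.51.100.23", 22, 54000, 120_000, 980_000),
    Flow("10.20.5.17", "10.1.0.10", 445, 4, 2_100, 900),
    Flow("10.20.5.17", "10.1.0.11", 3389, 6, 1_800, 1_200),
    Flow("10.20.5.17", "10.1.0.12", 80, 2, 600, 4_000),
    Flow("10.20.5.17", "10.1.0.13", 22, 3, 1_500, 1_100),
    Flow("10.20.5.17", "10.1.0.14", 443, 5, 2_200, 9_000),
    Flow("10.20.5.17", "10.1.0.15", 8080, 2, 700, 3_500),
    # 10.20.5.40: ordinary phone traffic, one internal service (e.g. mail)
    Flow("10.20.5.40", "203.0.113.5", 443, 30, 15_000, 240_000),
    Flow("10.20.5.40", "10.1.0.20", 443, 12, 8_000, 60_000),
    # 10.20.5.41: a long SSH session but no internal fan-out (an admin's own shell)
    Flow("10.20.5.41", "198.51.100.77", 22, 7200, 40_000, 90_000),
    Flow("10.20.5.41", "10.1.0.20", 443, 10, 6_000, 50_000),
]

MOBILE_SUBNET = ip_network("10.20.0.0/16")   # assumed: where phones get addresses
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate address space
SSH_MIN_DURATION_S = 3600                    # assumed: "kept alive" means >= 1 h
FANOUT_MIN_HOSTS = 5                         # assumed: distinct internal hosts


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_suspects(flows, ssh_min_duration_s=SSH_MIN_DURATION_S,
                  fanout_min_hosts=FANOUT_MIN_HOSTS):
    """Return {src_ip: evidence} for phones showing BOTH signals.

    Signal 1: an outbound SSH session to a non-internal host held open
              for at least ssh_min_duration_s (the control channel).
    Signal 2: connections to at least fanout_min_hosts distinct internal
              hosts (traffic the on-device proxy relays inward).
    Either signal alone is common and benign; the combination is the
    pattern worth a ticket.
    """
    long_ssh = defaultdict(list)
    internal_targets = defaultdict(set)
    for f in flows:
        if ip_address(f.src) not in MOBILE_SUBNET:
            continue  # only phones are in scope here
        if f.dst_port == 22 and not is_internal(f.dst) \
                and f.duration_s >= ssh_min_duration_s:
            long_ssh[f.src].append(f)
        elif is_internal(f.dst):
            internal_targets[f.src].add(f.dst)

    suspects = {}
    for src, sessions in long_ssh.items():
        if len(internal_targets[src]) >= fanout_min_hosts:
            suspects[src] = {
                "ssh_sessions": sessions,
                "internal_targets": sorted(internal_targets[src]),
            }
    return suspects


if __name__ == "__main__":
    for src, ev in find_suspects(SAMPLE_FLOWS).items():
        hours = max(s.duration_s for s in ev["ssh_sessions"]) / 3600
        print(f"{src}: {hours:.1f} h outbound SSH, "
              f"{len(ev['internal_targets'])} internal hosts contacted: "
              f"{', '.join(ev['internal_targets'])}")
```

On the constructed data only 10.20.5.17 is reported; the admin phone with its own long SSH session and the ordinary device each trip at most one signal. In practice the thresholds would be tuned to the environment, and the same correlation can be expressed as a query in whatever flow or NetFlow store the organization already keeps.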
At the same IP address that hosted the fake voice application, the researchers found more APK files, which revealed that earlier versions of the malware used an HTTP proxy (LittleProxy), while newer ones switched to a Socks proxy (MicroSocks). The package name and control server URLs also changed.
“TimpDoor is the latest example of Android malware that turns devices into mobile backdoors—potentially allowing cybercriminals encrypted access to internal networks, which represents a great risk to companies and their systems,” Castillo said. “The versions found on the distribution server and the simple proxy functionality implemented in them shows that this threat is probably still under development. We expect it will evolve into new variants.”