New Android malware TimpDoor can convert devices into mobile backdoors

• TimpDoor can turn Android devices into hidden proxies.
• The Android malware has been active since March and is believed to have infected at least 5,000 devices across the US.

A new Android malware dubbed TimpDoor has been discovered by security experts. The malware is being distributed as part of a phishing campaign and is being sent to victims SMS messages. The attackers behind the campaign trick victims into downloading and installing a fake voice-message app, that contains TimpDoor.

Once the malware-laced app is installed a background service begins a Socks proxy server that redirects all network traffic via an encrypted connection from a third-party server. This allows attackers the ability to bypass security protections and access internal networks.

According to security experts at McAfee, who uncovered the new Android malware, TimpDoor could turn infected Android devices into mobile backdoors, which, in turn, could be leveraged by attackers to infiltrate home and corporate networks.

“Worse, a network of compromised devices could also be used for more profitable purposes such as sending spam and phishing emails, performing ad click fraud, or launching distributed denial-of-service attacks,” McAfee security researchers said in a report.

The researchers found that the malware has been active since March and is believed to have infected at least 5,000 devices across the US.

Modus operandi

The fake, malware-laced voice-message app is downloaded onto targeted Android devices from a remote server. The fake app is designed to look legitimate. However, whatever is displayed on the victims’ screen is fake.

“Everything on the main screen is fake. The Recents, Saved, and Archive icons have no functionality. The only buttons that work play the fake audio files. The duration of the voice messages does not correspond with the length of the audio files and the phone numbers are fake, present in the resources of the app,” McAfee researchers added. “Once the user listens to the fake messages and closes the app, the icon is hidden from the home screen to make it difficult to remove.”

Socks over SSH

Once TimpDoor is installed in a device, it starts a service in the background and begins collecting device data including device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. The malware also uses a free geolocation service to obtain information such as country, region, city, latitude, longitude, public IP address, and ISP.

“Once the device information is collected, TimpDoor starts a secure shell (SSH) connection to the control server to get the assigned remote port by sending the device ID. This port will be later used for remote port forwarding with the compromised device acting as a local Socks proxy server,” McAfee researchers added.

The malware also established mechanisms, like monitoring network connectivity and setting up an alarm to continually track the SSH tunnel - all to ensure that the SSH connection remains persistently active.

TimpDoor not unique

According to the researchers, TimpDoor is not the first malware with the ability to convert Android devices into proxies and transfer network traffic using a Socks proxy via a SSH tunnel. The MilkyDoor malware, which is believed to be the successor of the DressCode malware, also came with similar capabilities.

“TimpDoor is the latest example of Android malware that turns devices into mobile backdoors—potentially allowing cybercriminals encrypted access to internal networks, which represents a great risk to companies and their systems,” McAfee researchers said. “The versions found on the distribution server and the simple proxy functionality implemented in them shows that this threat is probably still under development. We expect it will evolve into new variants.”