TimpDoor Malware Turns Devices Into Hidden Proxies


McAfee has identified a new variation of an SMS-based phishing attack targeting users in the US. The messages prompt recipients to install malware called Android/TimpDoor, which effectively turns Android devices into a hardware-based backdoor into the networks they connect to. The main distribution server associated with the attacks has been in place since late March, holds around 26 APKs for malicious apps in a directory titled ‘US’, and appeared to still be active. Those app files are sent to users via Internet-based SMS that resembles the texts a user might receive from a legitimate company they have signed up with. The latest version of the text message claims that an application needs to be downloaded in order to check new voice messages the user has received. Once the app is downloaded and installed, victims can access those messages, which are actually fake.

Meanwhile, in the background, TimpDoor starts a SOCKS proxy that redirects network traffic from a third-party server over an encrypted connection through a secure shell (SSH) tunnel. That effectively gives access to whatever network the device is currently connected to, without triggering network security measures. It also collects device identification information such as brand, model, OS version, mobile carrier, connection type, and public and local IP addresses. A network connection monitor and an alarm manager keep a constant check on the shell tunnel so that it stays running. That could let bad actors carry out a number of secondary attacks, ranging from using infected devices as proxies to distribute further spam and phishing emails, to performing ad click fraud or launching distributed denial-of-service attacks. Moreover, it could provide encrypted access to home or business networks themselves.
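From a network defender's point of view, the behaviour described above leaves a recognisable footprint in flow logs: one internal device holds a long-lived outbound SSH session to an external host and then fans out to many internal hosts, because the remote side's traffic is being relayed through it. The following heuristic detector is an added illustration, not McAfee's or the malware's code; the internal address range, the thresholds and the flow records are all constructed assumptions, and it assumes the device initiates the SSH connection outbound.

```python
"""Heuristic detector for TimpDoor-style hidden-proxy behaviour over flow logs.

Pattern described in the write-up: an infected phone keeps a persistent SSH
tunnel to an external host and, acting as a SOCKS proxy, relays the remote
side's traffic into the local network. In flow data that appears as one long
outbound SSH session plus a fan-out from the same device to many internal hosts.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the site's internal range
MIN_TUNNEL_SECONDS = 3600             # assumption: SSH session held open >= 1 hour
MIN_INTERNAL_FANOUT = 5               # assumption: distinct internal targets

# Constructed sample flows (not captured data): (src, dst, dst_port, duration_seconds)
SAMPLE_FLOWS = [
    ("10.0.5.23", "203.0.113.7", 22, 7200),   # phone -> external SSH, held open
    ("10.0.5.23", "10.0.1.10", 445, 3),       # relayed probes into the LAN
    ("10.0.5.23", "10.0.1.11", 445, 2),
    ("10.0.5.23", "10.0.1.12", 3389, 4),
    ("10.0.5.23", "10.0.1.13", 80, 1),
    ("10.0.5.23", "10.0.1.14", 22, 2),
    ("10.0.7.40", "198.51.100.9", 22, 9000),  # admin laptop: long SSH, no fan-out
    ("10.0.7.40", "10.0.1.10", 443, 5),
    ("10.0.9.2", "10.0.1.10", 445, 1),        # ordinary workstation
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_hidden_proxies(flows, min_tunnel=MIN_TUNNEL_SECONDS, min_fanout=MIN_INTERNAL_FANOUT):
    """Return {src: (external_ssh_peer, internal_target_count)} for suspicious hosts."""
    tunnels = {}               # src -> external peer of a long-lived SSH session
    fanout = defaultdict(set)  # src -> internal hosts it contacted
    for src, dst, dport, seconds in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            fanout[src].add(dst)
        elif dport == 22 and seconds >= min_tunnel:
            tunnels[src] = dst
    return {src: (peer, len(fanout[src]))
            for src, peer in tunnels.items()
            if len(fanout[src]) >= min_fanout}


if __name__ == "__main__":
    for src, (peer, n) in find_hidden_proxies(SAMPLE_FLOWS).items():
        print(f"{src}: persistent SSH to {peer}, relayed traffic to {n} internal hosts")
```

The thresholds are deliberately conservative so that an administrator's own long SSH session (the second device above) is not flagged; tune them to the site's baseline.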

Background: Malware and similar software being spread by phishing over SMS is nothing new for Android. In fact, such attacks have been relatively prevalent on mobile devices since smartphones first gained the ability to install applications, and the method for delivering the malicious software hasn’t changed much over that time. More often than not, the texts are sent randomly to a select region. This most recent attempt to spread bad APKs was last updated in August and bears similarity to threats identified in 2017 and 2016 called MilkyDoor and DressCode. The latter appears to have been a predecessor to MilkyDoor, and each used an attack vector based on creating backdoors into a network by turning the affected mobile devices into hidden proxies.


Although there is no obvious connection between the new attack and those prior threats, TimpDoor appears to be more sophisticated. In particular, MilkyDoor uploaded collected data to a control server to obtain connection details, whereas that information is already contained within TimpDoor’s code. TimpDoor then takes things further by using that information to “get the remote port to perform dynamic port forwarding and to periodically send updated device data.” It’s also more direct: rather than starting out as an adware integrator and adding the backdoor later, it has tunneling and proxy functionality as its primary purpose from the outset.

Impact: As many as 5,000 Android devices are likely affected, according to McAfee. That could include some users in Canada as well, since another directory on the server bore the designation ‘CA’ and held the three most recent APKs. After spotting the scam and discovering the distribution server, the researchers contacted the host of the server, who was reportedly unaware of the problem and ultimately deactivated the server. With that said, that doesn’t necessarily mean the overall threat is gone. The distribution server was highly active and still seemed to be active when it was discovered. So, for the time being, the phishing attack appears to have had a minimal impact, although it’s not implausible that the individual or group behind it would simply move to a different host.

To avoid these types of problems, the best practice is to avoid interacting with text messages from unknown sources and never to install software offered via text. In addition, most service providers offer some form of blocking feature for internet-based text messages, which can be activated by contacting the carrier or through the carrier’s web interface. Finally, it’s a good idea to avoid installing applications from unverified sources in the first place, and to install security software such as that offered by McAfee, Lookout, Avast, Norton, or Trend Micro.