Researchers discovered a new active phishing campaign that targets Android-based devices to turn them into mobile proxies. The campaign spreads Android/TimpDoor, a malicious APK disguised as a voice application. The malware spreads via text messages that contain a malicious link to the fake application. The campaign is believed to have been active since the end of March. Victims receive a text message saying that they have two messages to review, but that they have to click the link in order to do so. If the link is clicked, the victim is taken to a fake web page that poses as a “popular classified advertisement website.” The page also tries to get the victim to install the app, and it contains instructions that explain how to disable “Unknown Sources” so that the installation succeeds.

Once the app is installed, it appears to be basic voice software. It has no functionality beyond hosting a few fake audio files. If closed, the app’s icon is hidden, and a background process starts creating the proxy and collecting information about the device. Network traffic is then sent through an encrypted connection via an SSH tunnel, which allows potential access to internal networks and bypasses network security mechanisms. According to researchers, “Once the device information is collected, TimpDoor starts a secure shell (SSH) connection to the control server to get the assigned remote port by sending the device ID, this port will be later used for remote port forwarding with the compromised device acting as a local Socks proxy server.” There have been 26 TimpDoor variants seen, but researchers believe that the malware still needs work before it could be a wider threat.
To avoid being infected by TimpDoor, users are advised to always be cautious when opening links from unfamiliar sources. Even if a user receives a link from a familiar source, it is still a good idea to confirm that the sender actually sent the link. A service such as Binary Defense’s typo-squatting monitoring could prevent phishing attacks by identifying newly registered domains that mirror your own. Training for employees is always important to make them aware of common phishing attacks and what they could look like, as well as how to tell if an email is malicious. Security training can also teach employees that when something seems suspicious, they should reconfirm the request with a phone call or a separate email that is not part of the same thread. As always, err on the side of caution and always confirm.
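On the network side, the SSH tunnelling behaviour described above can be hunted for in flow logs. The following is an added example, not code from the researchers' report: it flags long-lived outbound SSH sessions from a mobile or BYOD segment to external hosts. The subnet, port 22, the duration threshold and the flow records are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): the mobile/BYOD Wi-Fi range, the SSH
# port and the duration threshold are site-specific values chosen here.
MOBILE_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSH_PORT = 22
MIN_DURATION_S = 600  # a tunnel used as a proxy stays up; quick checks do not

# Constructed flow records (documentation address ranges), not real telemetry.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,proto,duration_s,bytes_out,bytes_in
10.20.4.17,203.0.113.50,22,tcp,7200,48211934,3920114
10.20.4.17,198.51.100.7,443,tcp,35,18230,920311
10.20.9.3,203.0.113.50,22,tcp,5,2100,1900
10.30.1.8,203.0.113.50,22,tcp,9000,10000,20000
10.20.7.77,10.1.1.5,22,tcp,4000,500000,400000
10.20.4.17,203.0.113.50,22,tcp,3600,20111000,1500000
"""

def find_ssh_tunnels(flow_csv, mobile_net=MOBILE_NET, min_duration=MIN_DURATION_S):
    """Return {(device_ip, remote_ip): stats} for long-lived outbound SSH
    sessions from the mobile segment to destinations outside the network."""
    hits = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if src not in mobile_net:
            continue  # not a phone or tablet segment
        if row["proto"] != "tcp" or int(row["dst_port"]) != SSH_PORT:
            continue  # not SSH on the assumed port
        if any(dst in net for net in INTERNAL_NETS):
            continue  # internal SSH is handled by other controls
        if int(row["duration_s"]) < min_duration:
            continue  # too short to be a standing tunnel
        stats = hits[(row["src_ip"], row["dst_ip"])]
        stats["sessions"] += 1
        stats["seconds"] += int(row["duration_s"])
        stats["bytes_out"] += int(row["bytes_out"])
    return dict(hits)

if __name__ == "__main__":
    for (device, remote), s in find_ssh_tunnels(SAMPLE_FLOWS).items():
        print(f"{device} -> {remote}: {s['sessions']} sessions, "
              f"{s['seconds']}s, {s['bytes_out']} bytes out")
```

A tunnel on a non-standard port would not match the port filter, so pairing this with protocol identification from an IDS or NGFW gives better coverage.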