Recent research from cybersecurity firm McAfee exposed an active phishing campaign that turns Android devices into mobile proxies. The McAfee mobile research team stated that the phishing attack delivers malware, named Android/TimpDoor, via text messages that trick users into downloading a fake voice-message app. Installing the fake application enables attackers to steal device information and use the infected mobile devices as network proxies.
The researchers stated that devices infected with TimpDoor could serve as mobile backdoors for stealthy access to the device’s internal networks. Once installed, the fake application runs a SOCKS proxy that redirects the device’s network traffic through a secure shell connection, bypassing the network security mechanisms offered by Google Play Store.
“Once the device information is collected, TimpDoor starts a secure shell (SSH) connection to the control server to get the assigned remote port by sending the device ID,” the researchers stated.
The compromised devices could also be used for sending spam and phishing emails, performing ad click fraud, or launching distributed denial-of-service attacks, according to the research report.
“Based on our analysis of 26 malicious APK files found on the main distribution server, the earliest TimpDoor variant has been available since March, with the latest APK from the end of August. According to our telemetry data, these apps have infected at least 5,000 devices. The malicious apps have been distributed via an active phishing campaign via SMS in the United States since at least the end of March. McAfee notified the unwitting hosts of the phishing domains and the malware distribution server; at the time of writing this post we have confirmed that they are no longer active,” the research report stated.