Researchers have uncovered an active phishing campaign which targets Android devices in order to turn them into mobile proxies.
On Wednesday, cybersecurity firm McAfee said the campaign is spreading Android/TimpDoor, a malicious .APK which masquerades as a voice application.
TimpDoor sidesteps the vetting and protections of Google's Play Store altogether: the attackers have not tried to host their malicious software in the app repository; instead, the malware spreads via text messages containing a link to the fake app.
The McAfee Mobile Research team says that once installed, the fake app launches a background service which starts a Socks proxy, allowing a third-party server to relay network traffic through the device without the user's knowledge.
The campaign has been active since at least the end of March, with US Android users reporting the receipt of strange text messages. The text messages inform potential victims that they have two voice messages to 'review,' but in order to do so, they must click a link.
If a user clicks this link, a fraudulent web page is opened. According to McAfee, the page pretends to be a "popular classified advertisement website" and asks the user to install the app.
While still masquerading as a legitimate service, the website includes step-by-step instructions on allowing installation from "Unknown Sources" in the Android OS, that is, switching off the default block on sideloading, so the app can be installed and the messages "listened to."
This step is required to install any app obtained outside Google Play on a stock (non-rooted) device. On Android 8 and later the single global toggle has been replaced by a per-app "Install unknown apps" permission, granted to whichever browser or messaging app downloaded the file, but the effect is the same: the user is talked into disabling the one control that would have stopped the install.
Once installed, the app appears to be simple voice software, but it has no real functionality beyond playing a few fake audio files. When the user closes it, the app hides its icon and the background service starts setting up the proxy, collecting device information along the way.
Network traffic is then sent via an encrypted connection through an SSH tunnel.
"[This] allows potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors," the McAfee Mobile research team said.
"Once the device information is collected, TimpDoor starts a secure shell (SSH) connection to the control server to get the assigned remote port by sending the device ID," McAfee says. "This port will be later used for remote port forwarding with the compromised device acting as a local Socks proxy server."
Because both the tunnel and the traffic inside it are encrypted, devices running TimpDoor could be used to provide stealthy access to the enterprise and home networks they are connected to.
Furthermore, a network of TimpDoor-compromised devices could be operated as a botnet to send phishing emails, commit ad-click fraud, or launch distributed denial-of-service (DDoS) attacks.
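The "local Socks proxy server" in McAfee's description is a standard SOCKS5 service (RFC 1928). What follows is an added example, not code from TimpDoor or from McAfee's report: a minimal SOCKS5 CONNECT proxy of the kind a proxied device would run, a client that drives the handshake, and a constructed localhost echo server standing in for an internal host. The reverse SSH forward that carries the control server's connections to the proxy port is left out, and every host and port here is a local assumption, so the whole exchange runs offline. The point to take from it is in the handler: the outbound connection is made from the proxying device's own position on the network, which is why a phone on an office Wi-Fi becomes a way into hosts that a perimeter firewall would never expose.

```python
import select
import socket
import socketserver
import struct
import threading

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01                    # RFC 1928 field values
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_UNREACHABLE, REP_BAD_CMD, REP_BAD_ATYP = 0x00, 0x05, 0x07, 0x08

def _recv_exact(sock, n):  # SOCKS headers are fixed-layout, so short reads must be handled
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def _reply(rep):  # VER REP RSV ATYP=IPv4 BND.ADDR=0.0.0.0 BND.PORT=0
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6

def _pump(a, b):  # relay bytes both ways until either side closes or 30 s pass in silence
    while True:
        readable, _, _ = select.select([a, b], [], [], 30)
        if not readable:
            return
        for s in readable:
            data = s.recv(65536)
            if not data:
                return
            (b if s is a else a).sendall(data)

class Socks5Handler(socketserver.BaseRequestHandler):
    # Server side, i.e. what the proxied device runs: no-auth, CONNECT to IPv4/domain, relay.
    def handle(self):
        c = self.request
        try:
            ver, nmethods = _recv_exact(c, 2)                        # VER NMETHODS, then METHODS
            if ver != VER or NO_AUTH not in _recv_exact(c, nmethods):
                return c.sendall(bytes([VER, 0xFF]))                 # no acceptable method
            c.sendall(bytes([VER, NO_AUTH]))
            _ver, cmd, _rsv, atyp = _recv_exact(c, 4)                # VER CMD RSV ATYP
            if cmd != CMD_CONNECT or atyp not in (ATYP_IPV4, ATYP_DOMAIN):   # no BIND/UDP, no IPv6 here
                return c.sendall(_reply(REP_BAD_CMD if cmd != CMD_CONNECT else REP_BAD_ATYP))
            if atyp == ATYP_IPV4:
                host = socket.inet_ntoa(_recv_exact(c, 4))           # DST.ADDR as 4 raw bytes
            else:
                host = _recv_exact(c, _recv_exact(c, 1)[0]).decode("idna")  # length-prefixed name
            port = struct.unpack("!H", _recv_exact(c, 2))[0]         # DST.PORT
            # The dial-out is made from the proxying device's own network position: that is what
            # turns a phone sitting on an internal network into a door into that network.
            try:
                upstream = socket.create_connection((host, port), timeout=5)
            except OSError:
                return c.sendall(_reply(REP_UNREACHABLE))
            with upstream:
                c.sendall(_reply(REP_OK))
                _pump(c, upstream)
        except OSError:                                              # client went away mid-handshake
            pass

def start_server(handler, host="127.0.0.1", port=0):  # port 0 = ephemeral; serves from a daemon thread
    srv = socketserver.ThreadingTCPServer((host, port), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def socks5_connect(proxy_addr, dst_host, dst_port, timeout=5):
    """Client side: socket connected to dst via the proxy; a non-zero REP raises ConnectionError(rep)."""
    s = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        s.sendall(bytes([VER, 1, NO_AUTH]))
        if _recv_exact(s, 2) != bytes([VER, NO_AUTH]):
            raise ConnectionError("proxy rejected no-auth")
        name = dst_host.encode("idna")                              # always ATYP_DOMAIN: the proxy resolves
        req = bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name
        s.sendall(req + struct.pack("!H", dst_port))
        _ver, rep, _rsv, atyp = _recv_exact(s, 4)
        _recv_exact(s, {ATYP_IPV4: 6, ATYP_IPV6: 18}.get(atyp) or _recv_exact(s, 1)[0] + 2)  # drain BND.*
        if rep != REP_OK:
            raise ConnectionError(rep)
        return s
    except Exception:
        s.close()
        raise

class _EchoHandler(socketserver.BaseRequestHandler):  # constructed stand-in for an internal-only host
    def handle(self):
        self.request.sendall(self.request.recv(65536))

def run_demo(payload=b"constructed payload"):  # proxy a payload to the echo host; return what comes back
    proxy, target = start_server(Socks5Handler), start_server(_EchoHandler)
    try:
        with socks5_connect(proxy.server_address, "127.0.0.1", target.server_address[1]) as s:
            s.sendall(payload)
            return _recv_exact(s, len(payload))
    finally:
        for srv in (proxy, target):
            srv.shutdown()
            srv.server_close()
```

`run_demo()` returns the payload echoed back through the proxy; a CONNECT to a port with no listener makes the proxy answer REP 0x05 (connection refused), which `socks5_connect` surfaces as `ConnectionError(5)`. Because the real exchange rides inside the SSH tunnel described above, network monitors see only the encrypted session to the control server; the SOCKS handshake and the internal destinations it names never appear on the wire.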
McAfee tracked the phishing attempts and found the main distribution server of the TimpDoor malware. In total, 26 variants were discovered, with the latest version of the malicious .APK timestamped at the end of August.
The researchers believe that at least 5,000 devices have been infected to date.
"Although this threat has not been seen on Google Play, this SMS phishing campaign distributing TimpDoor shows that cybercriminals are still using traditional phishing techniques to trick users into installing malicious applications," the researchers say.
McAfee believes that the malware has some way to go before evolving into a wider threat, and given the code's simplistic functionality, the firm believes it is still under development. However, the firm also expects the malware to eventually evolve into new variants.
The hosting providers of the phishing domains were notified, and the domains are no longer active.
TimpDoor is not the only example of malware which targets mobile devices to turn them into covert proxies. Discovered in 2017 by Trend Micro, the MilkyDoor Android malware -- believed to be the successor of DressCode -- conducted the same malicious activities by spreading via Trojanized apps in Google Play.