A new attack campaign has been found to distribute the newly discovered TimpDoor Android malware. It is spread through phishing email messages, and one of its main goals is to infiltrate internal networks. Because it features non-standard behavior, any infection should be removed as soon as possible.
TimpDoor Android Malware Infects Devices in a Large-Scale Attack Campaign
Android devices are facing another major threat as security experts raised alerts about a new malware called TimpDoor. The infections are carried out by sending phishing emails (https://sensorstechforum.com/detect-remove-fake-phishing-pages/) to the target recipients. The body of these messages poses as a notification from a well-known company, vendor or portal advertising a fake voice message app. If installed, it starts a SOCKS proxy server that redirects all network traffic from a third-party server. This connection is encrypted and constantly maintained.
The first infections carrying this threat were detected in March; several months later, in August, another worldwide campaign was detected. According to the reports, at least 5,000 devices were affected by it in the United States alone.
The proxy server set up by the TimpDoor Android malware also starts a comprehensive data collection procedure. It scans the local device for information such as the device’s brand, model, Android version, mobile carrier, connection type and IP address. Once the secure connection to the hacker-controlled server is established, the collected data is reported to it.
During the analysis of the captured samples the experts discovered that the infections additionally carried other APK installation files. In the observed infections these contained the proxy software; however, this can easily be tweaked to deliver other malicious payloads as well. Essentially, the TimpDoor Android malware seeks to create proxy connections that would allow the hackers to intrude into the local networks that house the devices. This is done stealthily, which suggests that the criminals will probably make use of this access at some point. If all attacks are the work of a single hacking collective, it would have secure connections into a large number of internal networks around the world. Some of the possible consequences are the following:
- Surveillance — The hackers will have the ability to spy on the infected devices in real time.
- Additional Payload Delivery — The active infections will be used to install other virus threats.
- Device Manipulation — The underlying software can modify important parameters of the infected devices.
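The proxy behaviour described above has a network-side footprint a defender can look for: a phone on the guest or BYOD Wi-Fi keeps one long-lived encrypted session to an external host and then begins opening connections to many internal hosts on its behalf. The following detector is an added example, not code from the article or from any vendor; the flow-record format, the BYOD subnet, the internal address ranges and the thresholds are assumptions, and the sample flows are constructed.

```python
"""Flag mobile devices acting as an inbound proxy pivot: one persistent
outbound session plus fan-out to several internal hosts (assumed heuristic)."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, duration_s, bytes)
SAMPLE_FLOWS = [
    ("10.20.5.17", "203.0.113.8", 443, 5400, 1_200_000),  # long-lived C2 session
    ("10.20.5.17", "10.20.1.10", 445, 3, 900),            # fan-out into LAN
    ("10.20.5.17", "10.20.1.11", 22, 2, 400),
    ("10.20.5.17", "10.20.1.12", 3389, 4, 1200),
    ("10.20.5.17", "10.20.1.13", 80, 1, 300),
    ("10.20.5.42", "203.0.113.9", 443, 60, 50_000),        # ordinary phone traffic
    ("10.20.5.42", "10.20.1.10", 443, 2, 800),
]
MOBILE_SUBNET = ipaddress.ip_network("10.20.5.0/24")      # assumed BYOD Wi-Fi range
INTERNAL_NETS = [ipaddress.ip_network(n) for n in      # assumed RFC 1918 layout
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_proxy_pivots(flows, min_session_s=3600, min_internal_peers=3):
    """Return {mobile_ip: (external_peer, [internal_peers])} for devices that
    hold an outbound session >= min_session_s and reach >= min_internal_peers
    distinct internal hosts. Thresholds are assumptions to tune per site."""
    long_sessions = {}
    internal_peers = defaultdict(set)
    for src, dst, _port, seconds, _nbytes in flows:
        if ipaddress.ip_address(src) not in MOBILE_SUBNET:
            continue
        if is_internal(dst):
            internal_peers[src].add(dst)
        elif seconds >= min_session_s:
            long_sessions[src] = dst
    hits = {}
    for src, ext in long_sessions.items():
        peers = sorted(internal_peers.get(src, ()))
        if len(peers) >= min_internal_peers:
            hits[src] = (ext, peers)
    return hits

if __name__ == "__main__":
    for dev, (ext, peers) in find_proxy_pivots(SAMPLE_FLOWS).items():
        print(f"{dev}: persistent session to {ext}, then reached {peers}")
```

Both conditions together are what separate a proxy pivot from a phone that merely streams video or syncs mail; either one alone produces far too many benign hits.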