Timpdoor is the recent Android malware that has been discovered by McAfee mobile researcher’s team that turns mobile into a backdoor. This Android malware is spreading through smishing attack, and McAffe named this malware as Timpdoor.  (SMISHING means SMS Phishing where phishing attack carried out using the text messages or SMS)

Android Malware – Timpdoor:

In this attack, attackers sending an SMS that trick victim to download malicious voice message app. once this fake application is installed then it start a proxy service in the background. This proxy service creates a tunnel and all the network traffic start getting bypass using this tunnel, providing potential access to the attacker of internal traffic and bypassing the firewall and other security perimeters. Mcaffe detected this malware as TimpDoor.

Devices that are infected by this malware can be used as a backdoor in home or business network. This can be used to steal personal information of the user related to finance and social media. Also, a group of the infected device can be used to perform the DDOS activity, phishing email activity, and ad click activity.

Also, check: DemonBot using cloud infrastructure to perform the DDOS attack

first, this attack was seen in March 2018 and now again it has been active since August.

Timpdoor, Android Malware, Android virus

If the user clicks on the link received in SMS, then it will redirect the user on a webpage that pretends to be the popular webpage and ask the user to install the app to listen to the voice message.

Android Virus, Android Threat, Timpdoor, Android Malware
A fake website asking the user to download a voice app

once a user downloads the voice app then it will start showing its user interface. whatever icons will be shown in the user interface all are fake, only voice message play option will work and there also the audio length is not the same as shown in time. once the user closes the voice message app then it is hidden from the home screen and become difficult to remove. Meanwhile, this app will start a service in the background.

Android Virus, Android Malware, Android threats, Timpdoor
The main interface of voice app
Android virus, Android Threat, Android Malware, Timpdoor
Service running in the background

When service is started then this Android Malware Timpdoor start gathering information from user’s mobile like device model, device ID, operating system, carrier name, connection type and local or public IP address etc. This Android malware Timpdoor use a free geolocation service to find out the country, region information.

Below is the code that Timpdoor execute to create a connection and check the availability of device time to time by sending an update message.

Android Virus, Android malware, Android Threats, Timpdoor
Execution Code- Timpdoor

McAffe checked the IP address 199.192.19[.]18 that hosted this Android malware named Timpdoor and found there are multiple applications exists in that server that contains the same android malware Timpdoor.

Android malware, Android Threats, Android Virus, Timpdoor
Android Malware hosting applications

Voiceapp.apk is the latest application that has been recently modified and being used to spread Android Malware Timpdoor.

Timpdoor is not the first Android malware that turns phones into the mobile proxy. Milkydoor was discovered in April 2017 that did the same job. Both applications were uploaded in google play as the Trojanized application. However, Milkydoor was much dangerous than Timpdoor as it was hosting adware and downloader functionality with mobile proxy service, while Timpdoor has only basic proxy functionality.

At this time, McAfee has reported this IP address as malicious IP address that host Android malware like Timpdoor. Also, attack campaign is no longer active but be aware anyone can forward old message and application are still hosted on mentioned IP address.

Malicious IP address, Android malware, Android virus, Android threats, Timpdoor
IP reputation on IBM X-force exchange

How to be safe?

  1. Keep your phone up to date with the latest patch released by Google Android or device manufacturer.
  2. Do not install any application from external sources.
  3. In Google Play store also there is multiple application with the same name. In that case, please verify the genuine developer of that application and then install from the same developer, also please go through from reviews and comments.
  4. Use a good and well-known antivirus on your phone.
  5. if you find any activity happening in your phone without manual interference like phone screen turning on and off but there is no notification. Phones battery being empty very soon than normal. Getting advertisement or pop-ups on your screen, in that case, please do the factory reset your phone or contact to support.


If need any help or want to add something please use the comment box.