Google Detects And Removes Tizi Android Spyware From Google Play Store
Google has detected and blocked Tizi, a fully featured backdoor that installs spyware on Android devices and has been used mainly to target users in African countries. The malware is used to steal sensitive data from device owners' social media profiles.
The Google Play Protect security team first discovered the Tizi spyware in September 2017 through automatic scans with Google Play Protect (an Android application security scanner built into the Google Play Store application). They found a trojanized app called ‘MyTizi’ installed on a user’s device via the official Google Play Store that could root devices by exploiting older vulnerabilities. On further investigation of older versions of apps, the team found more Tizi-infected apps dating back to October 2015.
According to Google, Tizi was used in targeted attacks against 1,300 devices in a number of African countries, particularly Kenya, Nigeria, and Tanzania. Google's Threat Analysis Group and the security engineers of Google Play Protect said that Tizi can be used for malicious purposes such as:
- Stealing data from popular social networking applications such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn and Telegram.
- Recording calls from WhatsApp, Viber, and Skype.
- Recording ambient audio through the microphone.
- Taking screenshots without notifying the user.
- Sending and intercepting SMS messages on infected devices.
- Accessing contacts, calendar events, call logs, photos, Wi-Fi encryption keys, and a list of all locally installed apps.
- Sending the device's GPS coordinates via SMS to a C&C server when it first infects a device.
- Communicating with the attacker's C&C server afterwards via HTTPS or, in some isolated cases, via MQTT.
- Rooting devices via one of the following vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, CVE-2015-1805.
Many of the Tizi-infected apps are being advertised on social media websites and third-party app stores, tricking users into installing them. Google says it has suspended the app's developer account and then used the Google Play Store app to uninstall the Tizi apps from the infected devices.
Google says that the spyware's capabilities rely on old exploits that work only on outdated Android devices. “All vulnerabilities listed are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably before this date.”
The Google Play Protect team wrote, “If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.”
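The patch-level cutoff and the permission fallback described above can be turned into a device triage check. The following Python is an added example, not code from Google or from the original article: the inventory is constructed sample data, and the permission names are real Android permissions selected here as an assumption to match the SMS and outgoing-call behaviour in the quote. The result is a review heuristic, not a Tizi signature.

```python
from datetime import date

# Patch level at which, per the article, every exploit Tizi uses is fixed.
TIZI_FIXED_PATCH_LEVEL = date(2016, 4, 1)

# Assumption: permissions mapped by us to the quoted fallback behaviour.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS"}
CALL_PERMS = {"android.permission.PROCESS_OUTGOING_CALLS"}

def parse_patch_level(value):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if absent or invalid."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None

def rooting_exposed(patch_value):
    """True if the device is below the April 2016 level or reports no level at all."""
    level = parse_patch_level(patch_value)
    return level is None or level < TIZI_FIXED_PATCH_LEVEL

def fallback_capable(permissions):
    """True if an app holds both SMS read/send and outgoing-call control."""
    perms = set(permissions)
    return bool(perms & SMS_PERMS) and bool(perms & CALL_PERMS)

def triage(device):
    """Return (finding, detail) tuples for one device record."""
    findings = []
    patch = device.get("security_patch")
    if rooting_exposed(patch):
        findings.append(("ROOT_EXPOSED", patch or "none reported"))
    for pkg, perms in sorted(device.get("apps", {}).items()):
        if fallback_capable(perms):
            findings.append(("REVIEW_APP", pkg))
    return findings

# Constructed inventory: patch level from getprop, permissions per installed package.
INVENTORY = [
    {"id": "device-a", "security_patch": "2015-11-01",
     "apps": {"com.example.flashlight": ["android.permission.CAMERA"]}},
    {"id": "device-b", "security_patch": "2017-09-05",
     "apps": {"com.example.fitness": sorted(SMS_PERMS | CALL_PERMS),
              "com.example.notes": ["android.permission.INTERNET"]}},
    {"id": "device-c", "security_patch": "", "apps": {}},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["id"], triage(dev))
```

A device that reports no patch level is treated as exposed, since it cannot be shown to be at or above the April 2016 level.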
How to protect your Android device from spyware?
Follow the steps below to keep your Android device safe from spyware.
- Always keep your device up-to-date with the latest security patches.
- Protect your smartphone with a lock screen (such as PIN, pattern, or password) to avoid unauthorized access.
- Only buy, download or install apps from the official Play Store, and check the permissions each app requests.
- Track your smartphone.
- Ensure Google Play Protect is enabled.