Google has discovered and blocked a new potentially harmful application (PHA) family named Tizi, a backdoor with rooting capabilities that was used mainly to target Android devices in African countries, specifically Kenya, Nigeria, and Tanzania.
Tizi is a backdoor that installs spyware on Android devices and steals sensitive data from the users’ social media accounts. The Google Play Protect security team first discovered the spyware in September 2017 through Google Play Protect device scans: they found a trojanized app called MyTizi installed on an Android device that used old vulnerabilities to gain root. On digging deeper, the team found more Tizi-infected applications, the oldest of which dates from October 2015.
According to Google, about 1,300 devices were infected by Tizi. Operators of this type of PHA target a small, specific set of users and spend substantial time and money creating and installing such spyware.
How does Tizi work?
Tizi first attempts to root the device using the following vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.
It then steals sensitive data from popular social networking apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram, and has further capabilities including:
- Recording calls from WhatsApp, Viber, and Skype
- Sending and receiving SMS messages
- Taking pictures without showing anything on screen
- Recording ambient audio through the microphone
- Accessing contacts, calendar events, call logs, photos, Wi-Fi encryption keys, and a list of all locally installed apps.
After collecting this data, it sends the device’s GPS coordinates to its command-and-control (C&C) servers via SMS. Later C&C communication takes place over HTTPS or the MQTT protocol.
When Google became aware of this spyware, it immediately disabled the Tizi-infected apps on affected devices through Google Play Protect and notified the affected users. The company also found the Tizi developers promoting the infected apps, which were hosted on the Google Play Store, through their own website and social media. Eventually, the team suspended the developers’ accounts from Play.
Google also updated its on-device security services with information gathered from the Tizi apps.
How To Protect Your Android Device From Tizi Spyware?
Prevention is better than cure. It is always better to take precautions before spyware reaches your smartphone than to wait for Google to fix the issue. You can protect your Android device from Tizi with the following steps:
- Always keep your device up-to-date with the latest security patches.
- Check for any unreasonable permissions before installing an app.
- Enable a screen lock such as PIN, pattern, or password to avoid unauthorized access.
- Track your smartphone.
- Ensure Google Play Protect is enabled.
Google says that the spyware can only root older Android devices: “All vulnerabilities listed are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably before this date. If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.”
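As an added example (not code from the original article or from Google), the following POSIX shell triage script applies two of the checks above to a USB-attached device via adb: it compares the device's security patch level against the April 2016 threshold Google cites and confirms that Play Protect app verification is on. It assumes adb is on PATH, that the patch level is exposed in the property ro.build.version.security_patch, and that the global setting package_verifier_enable reflects Play Protect's app verification; all three are assumptions, not facts from the article.

```shell
# Added example, not code from the original article or from Google.
# Assumptions: adb is on PATH, the device reports its patch level in the
# property ro.build.version.security_patch (YYYY-MM-DD), and Play Protect's
# app verification is reflected by the global setting package_verifier_enable.

# Google states the Tizi rooting CVEs are all fixed at this patch level or later.
TIZI_FIX_LEVEL="2016-04-01"

# patch_level_ok LEVEL
# Returns 0 when LEVEL is a YYYY-MM-DD patch level at or after TIZI_FIX_LEVEL,
# 1 when it is older or malformed (an unknown level is treated as exposed).
patch_level_ok() {
  level="$1"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  # Drop the hyphens and compare as integers: 2016-04-01 -> 20160401.
  have=$(printf '%s' "$level" | tr -d '-')
  want=$(printf '%s' "$TIZI_FIX_LEVEL" | tr -d '-')
  [ "$have" -ge "$want" ]
}

# tizi_exposure LEVEL VERIFIER
# Prints one verdict per check; returns 0 only when both checks pass.
# VERIFIER is the raw value of package_verifier_enable ("1" means on).
tizi_exposure() {
  level="$1"; verifier="$2"; rc=0
  if patch_level_ok "$level"; then
    echo "patch level $level: Tizi rooting CVEs are patched"
  else
    echo "patch level $level: older than $TIZI_FIX_LEVEL or unknown, rootable by Tizi"
    rc=1
  fi
  if [ "$verifier" = "1" ]; then
    echo "Play Protect app verification: enabled"
  else
    echo "Play Protect app verification: disabled or unknown (value: '$verifier')"
    rc=1
  fi
  return "$rc"
}

# Live run against the attached device (strips the CR that adb shell may emit).
triage_device() {
  level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  verifier=$(adb shell settings get global package_verifier_enable | tr -d '\r')
  tizi_exposure "$level" "$verifier"
}
```

A passing result only means the rooting step is closed; as the quoted statement notes, Tizi still relies on the SMS and call permissions it requests, so those requests should be declined regardless of patch level.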