Google Play Protect—a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps—recently helped Google researchers to identify a new deceptive family of Android spyware that was stealing a whole lot of information on users.
Discovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims' devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
"The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities," Google said in a blog post. "The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015."Most Tizi-infected apps are being advertised on social media websites and 3rd-party app stores, tricking users into installing them.
Once installed, the innocent looking app gains root access of the infected device to install spyware, which then first contacts its command-and-control servers by sending an SMS text message with the GPS coordinates of the infected device to a specific number.
Here's How Tizi Gains Root Access On Infected Devices
For gaining root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.
If the backdoor unable to take root access on the infected device due to all the listed vulnerabilities being patched, "it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls, " Google said.
Tizi spyware also been designed to communicate with its command-and-control servers over regular HTTPS or using MQTT messaging protocol to receive commands from the attackers and uploading stolen data.
The Tizi backdoor contains various capabilities common to commercial spyware, such as
- Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
- Recording calls from WhatsApp, Viber, and Skype.
- Sending and receiving SMS messages.
- Accessing calendar events, call log, contacts, photos, and list of installed apps
- Stealing Wi-Fi encryption keys.
- Recording ambient audio and taking pictures without displaying the image on the device's screen.
So far Google has identified 1,300 Android devices infected by Tizi and removed it.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
Majority of which were located in African countries, specifically Kenya, Nigeria, and Tanzania.
How to Protect your Android device from Hackers?
Such Android spyware can be used to target your devices as well, so you if own an Android device, you are strongly recommended to follow these simple steps in order to protect yourself:
- Ensure that you have already opted for Google Play Protect.
- Download and install apps only from the official Play Store, and always check permissions for each app.
- Enable 'verify apps' feature from settings.
- Protect your devices with pin or password lock so that nobody can gain unauthorized access to your device when remains unattended.
- Keep "unknown sources" disabled while not using it.
- Keep your device always up-to-date with the latest security patches.