Google's security team discovered a new strain of Android malware, named Tizi, which has been used primarily to target users in African countries.
Categorized as spyware, Google says Tizi can carry out a wide range of operations, but most focus on social media apps and activity.
According to Google Threat Analysis Group and Google Play Protect security engineers, Tizi can be used for the following malicious purposes:
Google engineers say they spotted the Tizi spyware in September 2017, when automatic scans with Google Play Protect (an Android app security scanner incorporated into the Google Play Store app) discovered a Tizi-infected app that was installed on a user's device via the official Google Play Store.
After investigating older versions of apps uploaded on the Play Store, they spotted more Tizi-infected apps going back as far as October 2015.
Google says it suspended the app's developer account and then used the Google Play Store app to uninstall the Tizi apps from infected devices.
According to data gathered by Google, most infected users were located in African countries, although it is unclear if Tizi's author or distributor is located in Africa as well.
Furthermore, there was no substantial effort to trick users into installing the apps en masse, and security researchers believe the spyware was most likely used in targeted attacks against only a small, but very well-chosen, number of targets.
Google says the spyware's capabilities are based around using old exploits that only work on older unpatched Android devices. "All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date," Google said.
In addition, Google also recommends the following five steps to keeping Android devices safe from malware:
Apps known to have been infected with Tizi:
com.press.nasa.com.tanofresh (4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7)
com.dailyworkout.tizi (7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f)
com.system.update.systemupdate (7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e)
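
A defender's triage check for the two indicators this article gives, the April 2016 security patch level and the three package names listed above, written as an added example that is not Google's tooling or part of the original article. The function names and the sample device output are constructed for illustration; the inputs are what `adb shell getprop ro.build.version.security_patch` and `adb shell pm list packages` print.

```python
"""Triage an Android device against the Tizi indicators in this article."""
import datetime

# Package names copied from the article's list of Tizi-infected apps.
TIZI_PACKAGES = {
    "com.press.nasa.com.tanofresh",
    "com.dailyworkout.tizi",
    "com.system.update.systemupdate",
}
# Google: all exploits Tizi uses are fixed at patch level April 2016 or later.
FIXED_YEAR_MONTH = (2016, 4)


def patch_level_status(getprop_value):
    """Classify the security patch level string (format YYYY-MM-DD)."""
    value = getprop_value.strip()
    if not value:
        # Older builds may not set the property; the level cannot be confirmed.
        return "unknown"
    try:
        level = datetime.date.fromisoformat(value)
    except ValueError:
        return "unparseable"
    patched = (level.year, level.month) >= FIXED_YEAR_MONTH
    return "patched" if patched else "unpatched"


def tizi_packages_installed(pm_list_output):
    """Return the listed Tizi packages present in `pm list packages` output."""
    installed = set()
    for line in pm_list_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # Exact-name match only; a longer name with the same prefix differs.
            installed.add(line[len("package:"):])
    return sorted(installed & TIZI_PACKAGES)


if __name__ == "__main__":
    # Constructed sample output, standing in for a real device's responses.
    sample_patch = "2016-02-01\n"
    sample_packages = (
        "package:com.android.settings\n"
        "package:com.dailyworkout.tizi\n"
        "package:com.example.notes\n"
    )
    print("patch level:", patch_level_status(sample_patch))
    print("Tizi packages:", tizi_packages_installed(sample_packages) or "none")
```

A package-name hit is a lead rather than proof, since names can be reused; confirm it by comparing the installed APK's SHA-256 with the hashes listed above.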