Tizi spyware

Google's security team has discovered a new strain of Android malware, named Tizi, which has been used primarily to target users in African countries.

Categorized as spyware, Google says Tizi can carry out a wide range of operations, but most focus on social media apps and activity.

According to Google's Threat Analysis Group and Google Play Protect security engineers, Tizi can be used for the following malicious purposes:

⌯ Can steal data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
⌯ Can record calls from WhatsApp, Viber, and Skype.
⌯ Can record ambient audio through the microphone.
⌯ Can take pictures of the screen without alerting the user.
⌯ Can send and intercept SMS messages on infected devices.
⌯ Can access contacts, calendar events, call logs, photos, Wi-Fi encryption keys, and a list of all locally installed apps.
⌯ When it first infects users, it sends the device's GPS coordinates via SMS to a C&C server.
⌯ Subsequent communications with the attacker's C&C server take place via HTTPS or, in some isolated cases, via MQTT.
⌯ Can root devices via one of the following vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, CVE-2015-1805.

Tizi-infected apps were around since 2015

Google engineers say they spotted the Tizi spyware in September 2017, when automatic scans with Google Play Protect —an Android app security scanner incorporated into the Google Play Store app— discovered a Tizi-infected app that was installed on a user's device via the official Google Play Store.

After investigating older versions of apps uploaded on the Play Store, they spotted more Tizi-infected apps going back as far as October 2015.

Google says it suspended the app's developer account and then used the Google Play Store app to uninstall the Tizi apps from infected devices.

Tizi used primarily against African users

According to data gathered by Google, most infected users were located in African countries, although it is unclear whether Tizi's author or distributor is located in Africa as well.

Tizi infection chart

Furthermore, there was no substantial effort to trick users into installing the apps en masse, and security researchers believe the spyware was most likely used in targeted attacks against only a small, but very well-chosen, number of targets.

Google says the spyware's capabilities are based around using old exploits that only work on older, unpatched Android devices. "All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date," Google said.

In addition, Google recommends the following five steps to keep Android devices safe from malware:

1) Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn't need access to send SMS messages.
2) Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
3) Update your device: Keep your device up-to-date with the latest security patches.
4) Locate your device: Practice finding your device, because you are far more likely to lose your device than install a PHA (potentially harmful application).
5) Google Play Protect: Ensure Google Play Protect is enabled.

Google Play Protect

Apps known to have been infected with Tizi:

com.press.nasa.com.tanofresh (4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7)
com.dailyworkout.tizi (7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f)
com.system.update.systemupdate (7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e)
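The indicators above and Google's "April 2016 or later" patch-level statement can be turned into a simple triage check. The following is an added example, not code from Google or from the article, and the sample bytes it hashes are constructed (not a real APK); it assumes the device's patch level is read from the `ro.build.version.security_patch` property in its usual YYYY-MM-DD form.

```python
import hashlib
from datetime import date

# Indicators taken from the article: package names and SHA-256 of the APKs.
TIZI_SHA256 = {
    "4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7",
    "7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f",
    "7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e",
}
TIZI_PACKAGES = {
    "com.press.nasa.com.tanofresh",
    "com.dailyworkout.tizi",
    "com.system.update.systemupdate",
}
# Google states every rooting bug Tizi uses is fixed at this patch level or later.
TIZI_FIXED_PATCH_LEVEL = date(2016, 4, 1)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of APK contents, the form used in the article's IoC list."""
    return hashlib.sha256(data).hexdigest()


def classify_apk(data: bytes, package_name: str,
                 known_hashes=TIZI_SHA256, known_packages=TIZI_PACKAGES):
    """Return (reason, indicator) if the APK matches a Tizi IoC, else None.

    A hash hit is an exact known sample; a package-name hit only means the name
    collides with a known Tizi app and deserves a closer look, not a verdict.
    """
    digest = sha256_hex(data)
    if digest in known_hashes:
        return ("sha256", digest)
    if package_name.lower() in known_packages:
        return ("package", package_name.lower())
    return None


def patch_level_covers_tizi(security_patch: str) -> bool:
    """True if the YYYY-MM-DD patch level is April 2016 or later.

    Missing or unparseable values are treated as unpatched, so a device with a
    broken or absent property is never silently reported as safe.
    """
    try:
        year, month, day = (int(p) for p in security_patch.strip().split("-"))
        return date(year, month, day) >= TIZI_FIXED_PATCH_LEVEL
    except (ValueError, AttributeError):
        return False
```

Run `classify_apk` over each installed APK's bytes and package name, and `patch_level_covers_tizi` over the device's patch property; a device that fails the latter is exposed to the rooting exploits listed above even if no IoC matches.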