Google Play Protect, a security feature that uses machine learning and app-usage analysis to scan devices for potentially harmful apps, recently helped Google researchers identify a new family of deceptive Android spyware that was stealing a large amount of user information.
Found on targeted devices in African countries, Tizi is a fully featured Android backdoor with rooting capabilities. It installs spyware on victims' devices to steal sensitive data from popular social media and messaging apps, including WhatsApp, Twitter, Facebook, LinkedIn, Skype, Viber, and Telegram.
"The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities," Google said in a blog post. "The team used this app to locate more applications in the Tizi family, the oldest of which is from October 2015."
Most Tizi-infected apps are advertised on social media websites and third-party app stores, tricking users into installing them.
Once installed, the innocent-looking app obtains root access on the infected device and installs the spyware component, which first contacts its command-and-control servers by sending an SMS text message containing the infected device's GPS coordinates to a specific number.
Here is How Tizi Gets Root Access On Infected Devices:
To gain root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2015-1805, CVE-2014-3153, and CVE-2015-3636.
If the backdoor is not able to get root access because all of the listed vulnerabilities have been patched on the device, "it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls," Google said.
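Because every exploit in that list targets an old, already-fixed bug, the first triage question for a device is simply how old its patch level is. The script below is an added example (my own, not code from Google's writeup or from any Tizi analysis): it parses the output of `adb shell getprop` and compares `ro.build.version.security_patch` against a cutoff date. The April 2016 cutoff is an assumption made here and should be verified against the Android security bulletins for these CVEs before you rely on it; the `getprop` dumps are constructed for illustration, and a device that publishes no patch level at all (builds older than Android 6.0) is treated as exposed.

```python
import re
from datetime import date

# Constructed `adb shell getprop` excerpts (not captured from real devices).
SAMPLE_GETPROP_OLD = """\
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.build.version.security_patch]: [2015-11-01]
[ro.product.model]: [Example Device]
"""

SAMPLE_GETPROP_PATCHED = """\
[ro.build.version.release]: [7.1.2]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2017-10-05]
"""

# Builds older than Android 6.0 do not publish a security patch level at all.
SAMPLE_GETPROP_NO_PROP = """\
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
"""

# Assumed cutoff: the exploited bugs are treated as fixed at the April 2016
# patch level. Verify against the Android security bulletins before relying on it.
TIZI_CUTOFF = date(2016, 4, 1)

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def security_patch_level(props):
    """Return the patch level as a date, or None if absent or malformed."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        y, m, d = (int(part) for part in raw.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


def tizi_root_exposure(getprop_text, cutoff=TIZI_CUTOFF):
    """Return (exposed, reason) for a device's getprop dump."""
    props = parse_getprop(getprop_text)
    spl = security_patch_level(props)
    release = props.get("ro.build.version.release", "unknown")
    if spl is None:
        # No patch level means a pre-6.0 build or a vendor that hides it: assume the worst.
        return True, f"Android {release}: no usable security patch level, assume unpatched"
    if spl < cutoff:
        return True, f"Android {release}: patch level {spl} predates {cutoff}"
    return False, f"Android {release}: patch level {spl} is at or after {cutoff}"


if __name__ == "__main__":
    for name, dump in [("old", SAMPLE_GETPROP_OLD),
                       ("patched", SAMPLE_GETPROP_PATCHED),
                       ("no-prop", SAMPLE_GETPROP_NO_PROP)]:
        exposed, reason = tizi_root_exposure(dump)
        print(f"{name:8s} exposed={exposed}  {reason}")
```

On a real device, capture the dump with `adb shell getprop > props.txt` and pass the file contents to `tizi_root_exposure`. A patch level after the cutoff only says the listed kernel and chipset bugs should be closed; it says nothing about the permission-based fallback the next paragraph describes.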
Tizi has also been built to communicate with its command-and-control servers over ordinary HTTPS or the MQTT messaging protocol, both to receive commands from the attackers and to upload stolen data.
The Tizi backdoor has capabilities common to commercial spyware, such as:
- Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
- Recording calls from WhatsApp, Viber, and Skype.
- Receiving and sending SMS messages.
- Gaining access to calendar events, call logs, contacts, images, and the list of installed apps.
- Stealing Wi-Fi encryption keys.
- Recording ambient audio and taking pictures without displaying the image on the device's screen.
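Nearly every capability in that list, and the SMS and call fallback Google describes for unrooted devices, maps onto a standard Android permission an app must declare. The script below is an added example (my own heuristic, not code from Google or from any Tizi analysis): it parses `aapt dump badging` output, groups the requested permissions by the capabilities above, and flags an app that spans three or more groups. The two manifests are constructed; the grouping and the threshold are assumptions you can tune. Wi-Fi key theft is deliberately absent from the groups because it needs root rather than a permission.

```python
import re

# Constructed `aapt dump badging` output for a hypothetical app; not a real sample.
SAMPLE_BADGING_FLASHLIGHT = """\
package: name='com.example.flashlight' versionCode='3' versionName='1.2'
sdkVersion:'16'
targetSdkVersion:'22'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.PROCESS_OUTGOING_CALLS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALENDAR'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
application-label:'Flashlight'
"""

# A plausible benign manifest for comparison (also constructed).
SAMPLE_BADGING_NOTES = """\
package: name='com.example.notes' versionCode='7' versionName='2.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
application-label:'Notes'
"""

# Permission groups mapped onto the capabilities the article lists. Wi-Fi key
# theft is absent on purpose: it needs root, not a permission.
CAPABILITY_GROUPS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "calls": {"PROCESS_OUTGOING_CALLS", "CALL_PHONE", "READ_CALL_LOG"},
    "recording": {"RECORD_AUDIO", "CAMERA"},
    "personal_data": {"READ_CONTACTS", "READ_CALENDAR"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "persistence": {"RECEIVE_BOOT_COMPLETED"},
}

# aapt prints "uses-permission: name='...'"; older builds printed "uses-permission:'...'".
PERM_RE = re.compile(r"^uses-permission:(?: name=)?'android\.permission\.([A-Z_]+)'")
PKG_RE = re.compile(r"^package: name='([^']+)'")


def parse_badging(text):
    """Return (package_name, set_of_android_permissions) from aapt badging output."""
    package, perms = None, set()
    for line in text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            package = pkg.group(1)
        perm = PERM_RE.match(line)
        if perm:
            perms.add(perm.group(1))
    return package, perms


def triage(text, flag_at=3):
    """Group an app's permissions by spyware capability; flag if it spans >= flag_at groups."""
    package, perms = parse_badging(text)
    hits = {group: sorted(perms & members)
            for group, members in CAPABILITY_GROUPS.items()
            if perms & members}
    return {"package": package, "groups": hits, "suspicious": len(hits) >= flag_at}


if __name__ == "__main__":
    for dump in (SAMPLE_BADGING_FLASHLIGHT, SAMPLE_BADGING_NOTES):
        result = triage(dump)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']}: {flag} ({len(result['groups'])} capability groups)")
        for group, names in result["groups"].items():
            print(f"  {group}: {', '.join(names)}")
```

Run `aapt dump badging app.apk` on an APK pulled from the device and feed the output to `triage`. The point is the mismatch between what an app claims to be and what it asks for: a flashlight that wants to read and send SMS, intercept outgoing calls, record audio and start at boot is exactly the profile the unrooted fallback needs.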
So far, Google has identified 1,300 Android devices infected by Tizi and has removed it from them. The majority of those devices were located in African countries, specifically Kenya, Nigeria, and Tanzania.
How to Protect your Android device from Hackers?
Such Android spyware can be used to target your devices as well, so if you own an Android device, you are strongly encouraged to follow these simple steps to protect yourself:
- Make sure Google Play Protect is enabled on your device.
- Download and install apps only from the official Play Store, and always check permissions for each app.
- Enable the 'verify apps' feature in Settings.
- Protect your device with a PIN or password lock so that nobody can gain unauthorized access to it while it is unattended.
- Keep 'unknown sources' disabled whenever you are not actively using it.
- Keep your device always up-to-date with the latest security patches.