The Google Play Protect team said it identified a new strain of Android spyware called Tizi found inside several apps previously available via the Google Play marketplace. The recent discovery triggered a wider investigation by Google who said apps infected by the Tizi malware date back to 2015.
Recent samples of Tizi allowed an attacker to root a targeted device and steal sensitive data from apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn and Telegram. Specific geographies targeted were Kenya, Nigeria, and Tanzania, Google said. A smaller number of victims resided in the United States, researchers said.
“The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps,” researchers wrote in a Google Security Blog post on Monday.
The Tizi malware can also record ambient audio via the phone’s microphone and silently take pictures with no on-screen notifications alerting the phone’s owner.
“Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server,” Google said.
Google Play Protect team said it discovered the spyware in September 2017, with the oldest sample dating back to October 2015. “The early Tizi variants didn’t have rooting capabilities or obfuscation, but later variants did,” researchers wrote.
In total, Google said it identified 1,300 devices affected by Tizi.
Initially Tizi was discovered on a workout app “com.dailyworkout.tizi” that was promoted via social media and meant to appeal to fans of the Kenyan fitness brand Tizi. “The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites,” Google said. Other Tizi-laced apps (com.press.nasa.com.tanofresh and com.system.update.systemupdate) were also found.
Researchers said attackers mostly targeted users with older model Android phones running older chipsets and past versions of the Android OS. Targeted handsets did not have the most recent security patches from Google and were vulnerable to one of nine vulnerabilities that ranged from the Linux kernel vulnerability “TowelRoot” (CVE-2014-3153) to a rooting vulnerability (CVE-2015-1805) patched in 2014.
Android devices with patch levels later than April 2016 are less exposed to Tizi’s capabilities, researchers wrote.
“If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls,” wrote the Google Play Protect team.
This past year Google has made strides to shore up the Android ecosystem, from the Google Play marketplace to devices themselves.
In May, Google introduced Play Protect, a new security feature that maintains some oversight on content downloaded to Android devices. For example, previously downloaded apps can be continually scanned for malicious behaviors as a counter to developers who push benign apps to Google Play that later connect and download malicious components. This also helps provide a line of defense against apps downloaded from third-party stores that aren’t subject to Google’s malware scanners. Google said in May that Play Protect will be capable of scanning and verifying up to 50 billion apps on a daily basis.
Despite those gains, reports of malware making it into Google’s marketplace continue.
Earlier this month Google removed a phony adware-laced WhatsApp download from Google Play that was downloaded more than one million times. In March, Google booted more than a dozen apps from the Google Play store after researchers discovered each were rip-offs of legitimate apps and designed to aggressively push ads on Android devices. In August, three messaging apps in the Google Play store contained spyware called SonicSpy were also removed. And most recently, a flashlight app snuck BankBot malware into the Google Play store that stole banking credentials from victims.