X
Tech

Google torches this nasty Tizi Android spyware it found on Play Store

Google tackles a harmful Android spyware app that could root devices with old vulnerabilities.
Written by Liam Tung, Contributing Writer

New tech-support scam hijacks your phone to call bogus hotline

Google has revealed its recent efforts to root out Android apps infected with spyware it calls Tizi.

The Google Play Protect team discovered a trojanized app in September after its device scans found an app on Google Play that could root devices with a handful of old vulnerabilities.

The offending app, a supposed workout app called MyTizi, has been removed from the Play Store. After identifying it, Google's malware researchers discovered several other apps with the same capabilities and removed them too.

tizi2.png

Google has detailed the geographic scope of Tizi.

Google

The oldest Tizi app has been available since October 2015, but Google notes that only newer versions have rooting capabilities. The attacker was using Twitter and other social-media platforms to spread links to Play Store listings and third-party sites.

According to Google, Tizi has similar capabilities to commercial spyware and after gaining root steals data from Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

It can also record calls from WhatsApp, Viber, and Skype, as well as access calendar events, call log data, contacts, photos, Wi-Fi encryption keys, and a list of installed apps.

Additionally, it can record audio when the user is not actively using the phone and take pictures without displaying the image on the screen.

The malware was used in targeted attacks, with the vast majority of infected devices located in Kenya, but there was also a significant number of infections in Nigeria and Tanzania.

One of the other Tizi-infected apps, for example, appeared to target people who would be interested in installing an app about the National Super Alliance, a Kenyan political coalition known as NASA. Another Tizi-infected app was a bogus system update.

Google shared the examples from VirusTotal to encourage security researchers to dig into this malware.

The company has suspended several developer accounts responsible for the Tizi-infected apps and has disabled the apps on affected devices using Google Play Protect. Google found 1,300 devices affected by Tizi.

The Twitter account spreading links to the MyTizi app was still today posting links to the now-removed Play Store page.

All devices with a security patch level of April 2016 or later are "far less exposed to Tizi's capabilities", according to Google.

Among nine vulnerabilities the Tizi apps use to root devices were the so-called Towel Root CVE-2014-3153, and Ping Pong Root CVE-2015-3636 flaws.

The most recently patched flaw was CVE-2015-1805, or Pipe Root, a kernel exploit that researchers at Zimperium found in a rooting app called KingRoot. Google published a fix for this flaw to the Android Open Source Project (AOSP) in March 2016.

However, the patch for Pipe Root highlights the problem that Android users face, particularly for users who own cheaper and older devices.

Google quickly patched affected Nexus 5 and Nexus 6 devices, but it's likely many other Android OEMs did not follow suit.

The same problem applies to Google's Android monthly patches in general: Google and some larger handset makers such as Samsung and LG regularly provide monthly patches, but many handset makers make no commitment to do so.

tizi1.png

The attacker was using Twitter and other social-media platforms to spread links to Play Store listings and third-party sites.

Image: Google

Previous and related coverage

Fake WhatsApp app fooled million Android users on Google Play: Did you fall for it?

Fraudsters are managing to get fake WhatsApp apps published on the Play Store.

Android apps: Now Google will let you try before you install

Google rolls out a host of features to boost the appeal of Play Store app subscriptions.

Research: Defenses, response plans, and greatest concerns about cybersecurity in an IoT and mobile world [Tech Pro Research]

Tech Pro Research surveyed IT professionals about their companies' cybersecurity readiness in the face of threats presented by mobile and IoT-connected devices

Read more about Android security

Editorial standards