Google's security team discovered a new form of Android malware capable of stealing sensitive data and spying on users of the mobile operating system. In a blog post published this week, the researchers describe a new backdoor family named Tizi, a Potentially Harmful Application (PHA) created for a specific purpose and targeting a limited number of users. During the investigation, the researchers found several applications on the Google Play Store that had been infected with Tizi, and determined that the victims were located in Africa, specifically in Nigeria, Kenya, and Tanzania. Although similar malware samples had been detected before, the researchers had not classified them as a family, because at that time the malware lacked rooting capabilities and obfuscation. However, during a device scan in September this year, the integrated security tool Google Play Protect detected an application capable of rooting devices by exploiting old Android vulnerabilities.
The malicious app was then identified as a backdoor that had features allowing it to install spyware on devices and steal sensitive user data from social media applications.
The researchers then discovered more applications infected with this malware and grouped them all under the Tizi family. The author of the Tizi spyware also ran a website and used social media to encourage users to install more of the infected apps from the Google Play Store or from third-party sources.
After rooting the infected device, Tizi first contacts its command-and-control servers by sending the device's GPS coordinates in an SMS. Subsequent communication with the C&C server goes over regular HTTPS, though the malware sometimes uses the MQTT messaging protocol as well. Tizi's capabilities include sending and receiving SMS messages, recording calls from Viber, Skype, and WhatsApp, and recording audio and taking pictures without any notice to the user. The malware can also access contacts, call logs, photos, calendar events, Wi-Fi encryption keys, and other sensitive data.
Luckily, this new malware family exploits security bugs found only in older Android versions and devices. All devices updated to a security patch level of April 2016 or later should be safe from this type of attack. Yet the researchers warn that Tizi can still harm users of updated devices: even when all the exploited vulnerabilities have been fixed, the malware can still attempt some of its malicious actions, such as reading and sending messages and recording and redirecting phone calls. This is possible because of the high level of permissions the infected app demands upon installation.
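The two checks a defender would want after reading the paragraph above are whether a device carries the April 2016 patch level and whether any installed app has been granted the combination of permissions Tizi needs for its SMS, call, audio, camera, contact, and location collection. The script below is an added example and is not code from Google's post or from the Tizi research; it parses the output of `adb shell getprop` (the property name `ro.build.version.security_patch` is real) and of `adb shell dumpsys package`, both of which are embedded here as constructed samples. The mapping from permissions to Tizi capabilities and the threshold of three matching capabilities are my own assumptions for triage, not something the article specifies.

```python
"""Triage helper (added example): check an Android device's security patch level
against the April 2016 threshold given for Tizi, and flag installed apps whose
granted permissions cover the data Tizi collected even on patched devices."""
import re
from datetime import date

# Patch level the article names as the safe threshold.
SAFE_PATCH_LEVEL = date(2016, 4, 1)

# Assumed mapping from Android permission to the Tizi capability it enables.
TIZI_CAPABILITY_PERMS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS",
    "android.permission.RECORD_AUDIO": "record audio/calls",
    "android.permission.CAMERA": "take pictures",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CALENDAR": "read calendar",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_EXTERNAL_STORAGE": "read photos",
}

PATCH_RE = re.compile(
    r"\[ro\.build\.version\.security_patch\]: \[(\d{4})-(\d{2})-(\d{2})\]")
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_patch_level(getprop_output):
    """Return the device's security patch level as a date, or None if absent."""
    m = PATCH_RE.search(getprop_output)
    return date(*map(int, m.groups())) if m else None


def is_patched_against_tizi_exploits(getprop_output):
    """True when the patch level is April 2016 or later (rooting bugs fixed)."""
    level = parse_patch_level(getprop_output)
    return level is not None and level >= SAFE_PATCH_LEVEL


def granted_permissions(dumpsys_output):
    """Map package name -> set of permissions with granted=true in dumpsys output."""
    perms, current = {}, None
    for line in dumpsys_output.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            perms[current].add(m.group(1))
    return perms


def flag_apps(dumpsys_output, min_capabilities=3):
    """Return {package: [capabilities]} for apps holding >= min_capabilities
    of the Tizi-relevant permissions; the threshold is an assumption."""
    flagged = {}
    for pkg, perms in granted_permissions(dumpsys_output).items():
        caps = sorted(TIZI_CAPABILITY_PERMS[p] for p in perms
                      if p in TIZI_CAPABILITY_PERMS)
        if len(caps) >= min_capabilities:
            flagged[pkg] = caps
    return flagged


# Constructed sample outputs (not captured from a real device).
SAMPLE_GETPROP_OLD = "[ro.build.version.security_patch]: [2016-01-01]\n"
SAMPLE_GETPROP_NEW = "[ro.build.version.security_patch]: [2017-11-05]\n"
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (3f2a1b):
    userId=10101
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
  Package [com.example.suspect] (9c8d7e):
    userId=10102
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: ceDataInode=5678 installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true
        android.permission.SEND_SMS: granted=true
        android.permission.RECORD_AUDIO: granted=true
        android.permission.READ_CONTACTS: granted=true
        android.permission.READ_CALL_LOG: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.CAMERA: granted=false
"""

if __name__ == "__main__":
    for label, props in (("old", SAMPLE_GETPROP_OLD), ("new", SAMPLE_GETPROP_NEW)):
        print(f"{label}: patch {parse_patch_level(props)} "
              f"patched={is_patched_against_tizi_exploits(props)}")
    for pkg, caps in flag_apps(SAMPLE_DUMPSYS).items():
        print(f"FLAG {pkg}: {', '.join(caps)}")
```

On a real device, feed the script the output of `adb shell getprop` and `adb shell dumpsys package` in place of the constructed samples; a flagged package is a candidate for closer inspection, not a verdict, since legitimate messaging apps also hold several of these permissions.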
Google has already updated Google Play Protect to disable all apps infected with Tizi, and users of the affected devices have been notified. Google's security team has also used the information and signals from the Tizi apps to improve the coverage of the company's on-device security services, so the integrated Google Play filter should now be better at detecting similar PHAs.