Google has discovered and blocked a new potentially harmful application (PHA) named Tizi, a backdoor family with rooting capabilities that was mainly used to target Android devices in African countries, specifically Kenya, Nigeria, and Tanzania.
Tizi is a backdoor that installs malware on Android devices and steals sensitive data from the users’ social media profiles. The Google Play Protect security team first discovered the spyware in September 2017 through Google Play Protect device scans: they found a trojan app called MyTizi installed on an Android device that exploited old vulnerabilities to gain root. On digging deeper, the team found more applications infected by Tizi, the oldest of which dates from October 2015.
According to Google, 1300 devices were infected by Tizi. Operators of this type of PHA target a small and specific set of users to achieve their goal, and spend substantial time and money to create and install such spyware.
How does Tizi Work?
Tizi first roots the device using one of the following vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.
It then steals sensitive data from popular social networking apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. Its capabilities include:
Recording calls from WhatsApp, Viber, and Skype
Sending and receiving SMS messages
Taking pictures without displaying anything on screen
Recording ambient audio through the microphone
Accessing contacts, calendar events, call logs, photos, Wi-Fi encryption keys, and a list of all locally installed apps.
After recording the data, it sends the device’s GPS coordinates via SMS to its command and control (C&C) servers. Later C&C communications are performed via HTTPS or the MQTT protocol.
When Google became aware of this spyware, it immediately disabled the Tizi-infected apps on affected devices through Google Play Protect and notified the affected users. The company found that the Tizi app developers were promoting the infected apps on their website and social media, encouraging users to install them from the Google Play Store. Eventually, the team suspended the developer’s accounts from Play.
It also updated the company’s on-device security services with the inform