A backdoor known as Tizi installs spyware onto Android devices in an effort to steal data from their owners’ social media profiles.
The Google Play Protect security team first detected the digital threat in September 2017 when they found an app with rooting capabilities. Since then, they’ve come across other apps that exhibit the same malicious behavior, including one created back in October 2015. They also uncovered a website and various social media posts promoting infected app installations from Google Play and other app marketplaces.
Thus far, Tizi has targeted devices primarily in Kenya and, to a lesser extent, Nigeria and Tanzania. It roots a device by exploiting one of nine local vulnerabilities affecting older chipsets, devices, and Android versions prior to April 2016. If successful, it will attempt to steal information from the user’s social media profiles, including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
Google Play Protect security engineers Anthony Desnos, Megan Ruthven, and Richard Neal along with Clement Lecigne of the Threat Analysis Group explain how:
… [Tizi] usually first contacts its command-and-control servers by sending an SMS with the device’s GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device’s screen.
Even if it can’t obtain root, Tizi can still read and send SMS messages like other Android-based threats, manipulate outgoing phone calls, and leverage other high-level permissions granted to it by the user.
To protect against this backdoor family, users should update their Android devices, ensure Google Play Protect is enabled, and exercise caution around apps that request unreasonable permissions.
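As an added illustration of the last two points (not code from the article or from Google's Tizi write-up), the following Python triage heuristic flags an app whose requested permissions span many of the spyware capabilities listed above, and separately notes whether the device's security patch level predates the April 2016 cutoff for the root exploits. The permission mapping, the threshold, and the sample app are assumptions constructed for this example.

```python
# Added example: a triage heuristic for Android app metadata, not code from
# Google's Tizi write-up. The permission list and patch level below are
# constructed sample input; the capability-to-permission mapping is an
# assumption based on the spyware features described in the article.
from datetime import date

# Capabilities the article attributes to Tizi, mapped to the Android runtime
# permissions an app would need to exercise them without root.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.PROCESS_OUTGOING_CALLS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# The root exploits described target Android builds older than April 2016;
# a device whose security patch level is newer is outside their reach.
PATCH_CUTOFF = date(2016, 4, 1)

def matched_capabilities(permissions):
    """Return the spyware capability names whose permissions the app requests."""
    requested = set(permissions)
    return sorted(name for name, perms in CAPABILITY_PERMISSIONS.items()
                  if requested & perms)

def triage(app_name, permissions, patch_level, threshold=4):
    """Flag an app that spans many spyware capabilities, and report whether
    the device patch level (ISO date string) predates the exploit cutoff."""
    caps = matched_capabilities(permissions)
    patched = date.fromisoformat(patch_level) >= PATCH_CUTOFF
    return {
        "app": app_name,
        "capabilities": caps,
        "suspicious": len(caps) >= threshold,
        "root_exploit_exposed": not patched,
    }

# Constructed sample: a "flashlight" app requesting far more than it needs.
SAMPLE_PERMISSIONS = [
    "android.permission.CAMERA", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
]

if __name__ == "__main__":
    print(triage("flashlight", SAMPLE_PERMISSIONS, "2016-02-01"))
```

The threshold is a starting point for review, not a verdict; a legitimate messaging app will also match several capabilities, so the result is meant to prioritise manual inspection of permission requests that look unreasonable for what the app claims to do.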