Google Play Protect and Threat Analysis teams quite recently discovered a dangerous threat targeting Android devices; it is known as Tizi. According to the specialists, it is a backdoor application with rooting capabilities. Apparently, it can install spyware on the affected device and with its help steal various information from unaware users. For instance, the malicious application might record user’s messages or calls via Skype, Facebook, WhatsApp, and so on. No doubt, Tizi is a threat to anyone’s privacy; not to mention, all collected data could be used for malicious purposes and accordingly cause you a lot of trouble. Therefore, for anyone who has an Android device, we would advise learning more about this dangerous backdoor, and you can do so while reading our article. Further, in the text, we will tell more about the malware’s capabilities, targeted devices and users, Google team’s response, and most importantly the ways it could sneak in on your system.
For starters, we should say the Google Play Protect security team discovered this backdoor family in September 2017. What’s more, it looks like the oldest malicious application related to it was created back in October 2015. Another thing researchers learned is that Tizi developer has also created a web page and even a social media profile to promote and distribute spyware from Google Play and other third-party websites. Naturally, after learning about such threats, the Google team did all they could to ensure there would be fewer victims. To be more precise, they used Google Play Protect to disable all the malware’s infected applications on affected Android devices. Plus, the team suspended the hacker’s account on Google Play and made an effort to notify all users of known affected devices about Tizi. Besides, you might find it relieving to know the Google’s on-device security services were updated to increase their performance and make it more difficult for the threat to attack Google Play users.
Nevertheless, if the device gets infected with this malicious application, there are a few things you ought to know. First of all, after entering the system, Tizi should start the process of rooting. It is a process during which one seeks to attain privileged control over Android subsystems. In other words, its goal is to overcome various limitations placed by mobile network operators or hardware manufacturers and to gain the ability to alter or replace system applications and settings or even run specific programs that would naturally require administrator-level permissions, and so on. Thus, by doing this the backdoor can install spyware and start stealing sensitive data from various applications available on the infected device. Google specialists claim it can record data from social media tools, such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. Moreover, it appears to be Tizi might be able not just to record calls or SMS messages, but also to access “calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps.” In fact, it can even record ambient audio or take pictures without showing the taken photo on the device’s screen.
Furthermore, the research revealed that even though the malicious application mostly targets African countries, such as Kenya or Nigeria, the malware can still be encountered by users from The United States, Europe, and Asia as well. Also, Google Play Protect security team says the threat targets devices that have known vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805. Many of the mentioned vulnerabilities are associated with old devices and old Android versions. At this point, it is crucial to know that “all of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later.” It means if you have the mentioned patch your device will be less likely to be vulnerable in case of an attack by Tizi. It would seem if the backdoor is unable to exploit these vulnerabilities it may try to get it by asking the user to grant high-level permissions, so if you notice such suspicious behavior on your device, you should be careful not to give the malware any authority.
Lastly, we would like to talk what could be done to stay away from Tizi or threats alike. Google Play Protect security team suggest being extra cautious with programs that ask for unreasonable permissions; “For example, a flashlight app shouldn't need access to send SMS messages.” Additionally, they recommend keeping your device always up to date because this way you can get rid of already commonly known security vulnerabilities and the backdoor in question or other malicious applications would be unable to infect the device by exploiting them. Needless to say, it would also be smart to enable a secure lock screen with a PIN or a patent that is difficult to guess and make sure the Google Play Protect is enabled at all times.
- Anthony Desnos, Megan Ruthven, Richard Neal, Clement Lecigne. Tizi: Detecting and blocking socially engineered spyware on Android. Google Security Blog.
- Rooting (Android). Wikipedia.