Tizi is an Android malware variant first identified in September 2017 by the Google Play Protect security team. Older versions of apps on the Google Play Store were affected by Tizi dating back to October 2015. The malware is a backdoor with rooting capabilities that exploits old vulnerabilities and installs spyware to steal sensitive data from popular social media applications, such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. Security researchers believe that Tizi attacks were intended for a small, specified number of users. The majority of infected users are in African countries such as Kenya, Nigeria, and Tanzania.
Tizi's capabilities include:
- Steals data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
- Records calls from WhatsApp, Viber, and Skype.
- Records ambient audio through the microphone.
- Takes pictures of the screen without alerting the user.
- Can send and intercept SMS messages on infected devices.
- Accesses contacts, calendar events, call logs, photos, WiFi encryption keys, and a list of all locally installed apps.
- Sends the device's GPS coordinates via SMS to a C2 server upon infection.
- The threat actor's C2 server communicates with the infected app via HTTPS or, in a few cases, via the MQTT (Message Queue Telemetry Transport) protocol.
- Can root devices via one of the following vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, CVE-2015-1805.
Google suspended the app developer's account, uninstalled Tizi apps from infected devices, and fixed all the above-listed vulnerabilities.
Google recommends implementing the following countermeasures to protect against this and similar threats:
- Be suspicious of apps that request unreasonable permissions.
- Enable a secure lock screen with a complex PIN, password, or biometric authentication.
- Keep your device up-to-date with the latest security patches.
- Ensure Google Play Protect is enabled.
- Google provides technical details of the Tizi malware here.
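The first countermeasure above, being suspicious of apps that request unreasonable permissions, can be turned into a simple triage check by mapping the capabilities listed for Tizi (audio recording, SMS interception, contact/calendar/call-log access, GPS reporting) to the Android permissions an app would need to exercise them. The following is an added example, not code from Google or from the Tizi write-up; the decoded AndroidManifest.xml inputs are constructed for illustration, and the capability-to-permission mapping is this example's own heuristic (Tizi obtained some of its data, such as WiFi keys, through root rather than through permissions, so it is not covered here).

```python
"""Flag apps whose requested permissions match the data-theft capabilities
described for Tizi. Example code added to this page (not Google's tooling).
Input is a decoded AndroidManifest.xml such as apktool produces."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability categories from the write-up -> permissions needed to exercise
# them. This mapping is the example's own heuristic, not an official list.
CAPABILITY_PERMISSIONS = {
    "ambient / call audio recording": {"android.permission.RECORD_AUDIO"},
    "SMS send / intercept": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "contacts / calendar / call logs": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALENDAR",
        "android.permission.READ_CALL_LOG",
    },
    "GPS coordinates": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Constructed manifest: a "flashlight" app asking for far more than it needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed manifest: the same kind of app with a plausible permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    return perms


def matched_capabilities(perms):
    """Map the requested permissions onto the Tizi-style capability categories."""
    return {
        cap: perms & needed
        for cap, needed in CAPABILITY_PERMISSIONS.items()
        if perms & needed
    }


def triage(manifest_xml, threshold=3):
    """Summarise an app's permission footprint. An app that can exercise at
    least `threshold` of the spyware capability categories is flagged."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "capabilities": caps,
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage(manifest)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f'{report["package"]}: {verdict}')
        for cap, hit in report["capabilities"].items():
            print(f"  {cap}: {', '.join(sorted(hit))}")
```

The threshold is deliberately a count of capability categories rather than of raw permissions: a messaging app legitimately needs SMS and contacts access, but a flashlight app that can also record audio and report location covers most of the Tizi capability list and deserves a closer look before installation.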