Google play security detects a new Tizi Android malware

Tizi Android malware aims to steal social media data

In September, Google Play Security engineers have spotted that the users are able to infiltrate spyware on their devices which is known as Tizi virus. This malicious program disguises under the appearance of several legitimate apps and offers workout routine plans as well as promotes a healthy lifestyle^[1].

According to the experts, Tizi spyware mainly targets African countries, such as Nigeria, Kenya, and Tanzania. Even though the technicians have already removed the fraudulent apps from Google Play Store, some of them have been there since October 2015^[2].

Once installed, Tizi can steal personal details from widely used social media platforms, like Twitter, Facebook, Skype, Viber, Whatsapp, and many other. It is also able to receive/send/record audio or video calls and text messages. Additionally, analysts note that it can stealthily take pictures, screenshots, and videos without users consent.

Numerous reports show that the contriver of Tizi malware promoted it via various social media posts and third-party websites^[3]. Currently, the developer's account is suspended from the Google Store and more than 1 300 infected Android devices are being notified about the spyware.

Google engineers managed to use the Google Play Protect to terminate Tizi on the compromised gadgets. However, it is just a matter of time when the criminals will find a new way to attack their victims.

Malware exploits old system vulnerabilities to infect the targeted devices

While IT technicians have previously classified spyware programs as merely potentially harmful applications (PHAs), now they connect them into the Tizi malware family. It is clear that the malicious app is evolving since the older versions didn't possess rooting capabilities like the recent variant.

After the user installs the application, it connects to the remote command-and-control servers via SMS message containing device's GPS coordinates^[4]. Note that some versions use the regular HTTPS to communicate with the servers, while other variants employ publish-subscribe-based (MQTT) messaging protocol.

If the malware fails to gain the administrative rights, it might later ask or trick the user to grant them. Tizi exploits some of the following local vulnerabilities to root the Android gadgets:

• CVE-2013-2596;
• CVE-2013-2595;
• CVE-2012-4220;
• CVE-2014-3153;
• CVE-2015-1805.

Precautionary measures

The vulnerabilities mentioned above are fixed if you have updated your phone to the later Android version than April 2016. Devices which are up-to-date are far more immune to the Tizi virus. However, you should still be cautious of the spyware all the time since this is a new phone thread in addition to the Android Virus^[5].

Tips to prevent PHAs and Tizi infiltration:

1. Enable Google Play Protect to examine your phone for malicious programs;
2. Use different passwords for your social media accounts which should contain upper and lower case letters, as well as numbers;
3. Attentively monitor the installation procedure of the apps and do not give administrative rights to third-party programs.